Tuesday, March 18, 2025

Sophisticated Phishing Attack Leverages Microsoft 365 Infrastructure to Target Users


A highly sophisticated phishing campaign has been uncovered exploiting Microsoft 365’s trusted infrastructure to facilitate credential harvesting and account takeover attempts.

This attack leverages legitimate Microsoft domains and tenant misconfigurations to conduct Business Email Compromise (BEC) operations, effectively bypassing traditional email security controls by exploiting inherent trust mechanisms within the Microsoft ecosystem.

Attack Mechanism

The attack involves multiple phases, starting with the establishment of control over multiple Microsoft 365 organization tenants.

These tenants are strategically used for different purposes: one for fraudulent activities like unauthorized purchases, another for brand impersonation to enhance credibility, and a third as a covert relay point to reroute phishing emails while bypassing security controls.

By distributing attack functionalities across these tenants, the threat actor minimizes risk and ensures the resilience of the phishing infrastructure.

[Figure: Multiple attack vectors]

Once control is established, attackers create administrative accounts using the default “*.onmicrosoft.com” domain, reducing visibility within standard monitoring tools.

They then configure mail forwarding and transport rules to redirect subscription confirmation emails and other service alerts to victims.

According to the Guardz Report, this technique exploits legitimate email forwarding features within Microsoft 365, allowing fraudulent messages to blend seamlessly into trusted email flows and evade traditional anti-phishing protections.

Social Engineering and Detection Challenges

To enhance credibility, attackers manipulate tenant display information to mimic legitimate Microsoft transaction notifications.

For example, they embed a phishing lure directly into the email by using the organization name field, instructing victims to call a fraudulent support number.

[Figure: Header analysis]

Because the lure is a phone number rather than a link, this approach bypasses URL-based security mechanisms, and because the message is delivered through Microsoft’s trusted infrastructure, it is difficult for recipients to distinguish it from legitimate communications.

The attack is particularly effective because it bypasses traditional email security controls, generates emails with valid authentication markers (SPF, DKIM, DMARC), and creates urgency by appearing related to unauthorized financial transactions.

Moreover, it shifts the attack vector to a voice channel, where security controls are less robust.

Traditional email authentication methods are ineffective against this attack since the phishing emails originate from legitimate Microsoft domains and therefore pass SPF, DKIM and DMARC checks.

To combat this threat, enhanced email analysis is necessary, focusing on content inspection of organization fields and metadata.

User awareness training is also crucial to recognize suspicious elements and avoid calling unverified numbers.

Additionally, validating official support numbers through Microsoft’s official directory can help prevent victim engagement.

Being cautious of communications from unfamiliar .onmicrosoft.com domains or newly created tenants is also advisable.
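The following Python script is an added illustration of the organization-field and metadata inspection recommended above; it is not code from the article or from the Guardz report. It parses two constructed messages, records that SPF, DKIM and DMARC all pass (so authentication alone cannot be the signal), and then flags a phone number or call-to-action wording in the sender display name and an unfamiliar *.onmicrosoft.com tenant. The tenant names, phone number and known-tenant list are assumptions made for the example.

```python
"""Heuristic triage of a Microsoft 365 notification-style email.

Added example: authentication markers pass on these messages, so the
signal has to come from the organisation/display-name field and the
sending tenant, as the article recommends.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every authentication marker passes, but the display
# name carries a "call this number" lure. Tenant name and phone number are
# placeholders, not real indicators.
SAMPLE_MESSAGE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=contoso-billing.onmicrosoft.com; dkim=pass header.d=contoso-billing.onmicrosoft.com; dmarc=pass action=none header.from=contoso-billing.onmicrosoft.com
From: "Purchase confirmed - call support at 1-555-000-0000 to cancel" <noreply@contoso-billing.onmicrosoft.com>
To: victim@example.com
Subject: Your subscription purchase confirmation
Content-Type: text/plain; charset=utf-8

Thank you for your purchase of Microsoft 365 Business Premium.
"""

# Constructed benign sample from a tenant the organisation already knows.
BENIGN_MESSAGE = """\
Authentication-Results: spf=pass smtp.mailfrom=example.onmicrosoft.com; dkim=pass header.d=example.onmicrosoft.com; dmarc=pass action=none header.from=example.onmicrosoft.com
From: "Example Corp IT" <noreply@example.onmicrosoft.com>
To: victim@example.com
Subject: Scheduled maintenance window
Content-Type: text/plain; charset=utf-8

The mail service will be unavailable on Saturday from 02:00 to 04:00.
"""

# Tenants the organisation trusts (assumed list; in practice this would be
# loaded from the organisation's own tenant inventory).
KNOWN_TENANTS = {"example.onmicrosoft.com"}

# Loose North-American-style phone pattern; widen for other regions.
PHONE_RE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_WORDS = ("call", "cancel", "refund", "unauthorized", "charged", "support")


def auth_results(msg):
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def triage(raw):
    """Inspect one raw RFC 5322 message and return findings plus a verdict."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    findings = []

    # Passing authentication is expected for this campaign; record it so an
    # analyst does not dismiss the alert on that basis alone.
    auth = auth_results(msg)
    if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("auth_all_pass")

    # Phone number embedded in the organisation/display name.
    if PHONE_RE.search(display_name):
        findings.append("phone_in_display_name")

    # Urgency or call-to-action wording in the display name.
    if any(w in display_name.lower() for w in LURE_WORDS):
        findings.append("lure_wording_in_display_name")

    # Default tenant domain that the organisation has never dealt with.
    if sender_domain.endswith(".onmicrosoft.com") and sender_domain not in KNOWN_TENANTS:
        findings.append("unfamiliar_onmicrosoft_tenant")

    suspicious = any(f != "auth_all_pass" for f in findings)
    return {"sender_domain": sender_domain, "findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, triage(raw))
```

Run directly, the script prints the triage result for both samples: the lure message is flagged on the display-name phone number, the call-to-action wording and the unfamiliar tenant, while the benign message from a known tenant only records that authentication passed. In a mail-flow pipeline the findings would feed an alert or quarantine decision rather than a print.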

By adapting detection and response capabilities to address these evolving threats, defenders can better protect against sophisticated phishing attacks that exploit legitimate infrastructure.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
