Monday, April 21, 2025

Sophisticated Phishing Attack Leverages Microsoft 365 Infrastructure to Target Users


A highly sophisticated phishing campaign has been uncovered exploiting Microsoft 365’s trusted infrastructure to facilitate credential harvesting and account takeover attempts.

This attack leverages legitimate Microsoft domains and tenant misconfigurations to conduct Business Email Compromise (BEC) operations, effectively bypassing traditional email security controls by exploiting inherent trust mechanisms within the Microsoft ecosystem.

Attack Mechanism

The attack involves multiple phases, starting with the establishment of control over multiple Microsoft 365 organization tenants.


These tenants are strategically used for different purposes: one for fraudulent activities like unauthorized purchases, another for brand impersonation to enhance credibility, and a third as a covert relay point to reroute phishing emails while bypassing security controls.

By distributing attack functionalities across these tenants, the threat actor minimizes risk and ensures the resilience of the phishing infrastructure.

[Figure: Multiple attack vectors]

Once control is established, attackers create administrative accounts using the default “*.onmicrosoft.com” domain, reducing visibility within standard monitoring tools.

They then configure mail forwarding and transport rules to redirect subscription confirmation emails and other service alerts to victims.

According to the Guardz Report, this technique exploits legitimate email forwarding features within Microsoft 365, allowing fraudulent messages to blend seamlessly into trusted email flows and evade traditional anti-phishing protections.

Social Engineering and Detection Challenges

To enhance credibility, attackers manipulate tenant display information to mimic legitimate Microsoft transaction notifications.

For example, they embed a phishing lure directly into the email by using the organization name field, instructing victims to call a fraudulent support number.

[Figure: Header analysis]

This approach bypasses URL security mechanisms and leverages Microsoft’s trusted infrastructure, making it difficult for recipients to distinguish between legitimate and malicious communications.

The attack is particularly effective because it bypasses traditional email security controls, generates emails with valid authentication markers (SPF, DKIM, DMARC), and creates urgency by appearing related to unauthorized financial transactions.

Moreover, it shifts the attack vector to a voice channel, where security controls are less robust.

Traditional email authentication methods are ineffective against this attack since the phishing emails originate from legitimate Microsoft domains.

To combat this threat, enhanced email analysis is necessary, focusing on content inspection of organization fields and metadata.

User awareness training is also crucial to recognize suspicious elements and avoid calling unverified numbers.

Additionally, validating official support numbers through Microsoft’s official directory can help prevent victim engagement.

Being cautious of communications from unfamiliar .onmicrosoft.com domains or newly created tenants is also advisable.
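The content-inspection idea above (look at the organization/display-name field and sender tenant rather than trusting SPF/DKIM/DMARC results) can be turned into a simple triage check. This is an added example, not code from the Guardz report or from Microsoft; the tenant allow-list, the sample messages and the phone-number heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed allow-list of *.onmicrosoft.com tenants this organisation legitimately deals with.
KNOWN_TENANTS = {"contoso.onmicrosoft.com"}

# Heuristic for a "call this number" lure placed in the display/organisation name.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE_RE = re.compile(r"\b(call|cancel|refund|charged|unauthori[sz]ed)\b", re.I)


def _decode(value):
    """Decode an RFC 2047 header value (or plain text) into a str."""
    return str(make_header(decode_header(value or "")))


def analyse(raw):
    """Return a list of finding strings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(_decode(msg.get("From")))
    domain = addr.rpartition("@")[2].lower()

    # 1. The lure lives in metadata, not in a URL, so URL filters never see it.
    if PHONE_RE.search(display):
        findings.append("phone number in From display name")
    if LURE_RE.search(display):
        findings.append("call-to-action wording in From display name")

    # 2. Mail from a default tenant domain we have no relationship with.
    if domain.endswith(".onmicrosoft.com") and domain not in KNOWN_TENANTS:
        findings.append(f"unfamiliar tenant domain {domain}")

    # 3. SPF/DKIM/DMARC pass is expected for Microsoft-relayed mail; record it,
    #    but do not let it clear a message whose content already looks suspicious.
    auth = msg.get("Authentication-Results", "").lower()
    if findings and "dkim=pass" in auth:
        findings.append("authentication passes but content is suspicious")
    return findings


# Constructed sample messages (not real captures).
SUSPICIOUS = """\
From: "Microsoft 365 Billing - Unauthorized charge call +1 (555) 010-2233 to cancel" <noreply@attacker-tenant.onmicrosoft.com>
Subject: Your subscription confirmation
Authentication-Results: spf=pass dkim=pass dmarc=pass
"""
BENIGN = """\
From: "Contoso Admin" <admin@contoso.onmicrosoft.com>
Subject: Weekly report
Authentication-Results: spf=pass dkim=pass dmarc=pass
"""
```

Running `analyse(SUSPICIOUS)` flags the phone number, the lure wording and the unknown tenant, while `analyse(BENIGN)` returns no findings.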

By adapting detection and response capabilities to address these evolving threats, defenders can better protect against sophisticated phishing attacks that exploit legitimate infrastructure.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
