Advanced Phishing Attack Abuses Microsoft 365 Infrastructure to Target Users

A sophisticated phishing campaign has been uncovered, exploiting Microsoft 365’s trusted infrastructure to facilitate credential harvesting and account takeover attempts.

This attack leverages legitimate Microsoft domains and tenant misconfigurations to conduct Business Email Compromise (BEC) operations, effectively bypassing traditional email security controls by exploiting inherent trust mechanisms within Microsoft’s ecosystem.

Attack Overview and Mechanism

The attack operates entirely within Microsoft’s infrastructure, making it difficult for both technical controls and human recipients to detect.

Unlike traditional phishing methods that rely on lookalike domains or email spoofing, this technique uses Microsoft’s trusted service-generated emails to evade detection methods such as domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms.

The phishing emails appear authentic, blending seamlessly into enterprise environments, and pass SPF, DKIM, and DMARC authentication checks because they are genuinely sent by Microsoft's servers, which further enhances their apparent legitimacy.

The attack involves multiple phases, starting with the establishment of control over multiple Microsoft 365 organization tenants.

[Figure: Multiple attack vectors]

These tenants are used for different purposes, such as facilitating fraudulent activities, brand impersonation, and covertly relaying phishing emails.

The attackers create administrative accounts using the default “*.onmicrosoft.com” domain and configure mail forwarding rules to redirect critical emails, ensuring that phishing messages blend into trusted email flows without raising security alerts.

Social Engineering and Detection Challenges

The phishing campaign manipulates tenant display information to embed deceptive messages within legitimate Microsoft-generated emails.

[Figure: email headers]

For instance, a phishing lure might be embedded in the organization name field, instructing victims to call a fraudulent support number.

According to the Guardz report, this approach bypasses traditional URL-based security mechanisms, since the lure is plain text rather than a link, and leverages Microsoft's trusted infrastructure to reduce recipient skepticism.

The urgent nature of the messages, often related to unauthorized financial transactions, increases the likelihood of user interaction, making victims more susceptible to social engineering attacks.

Detecting this type of attack is challenging due to its reliance on legitimate Microsoft infrastructure and trusted email authentication mechanisms.

Traditional email security measures are ineffective, as the phishing emails originate from a legitimate Microsoft domain and pass through Microsoft’s mail servers.

To combat this threat, enhanced email analysis and user awareness training are recommended.

Users should be cautious of communications from unfamiliar .onmicrosoft.com domains and verify official support numbers before calling them.

Implementing content inspection that analyzes organization fields and metadata can also help identify these sophisticated phishing attempts.
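As an added example (not code from the article or from Guardz), the following Python checker applies the two recommendations above to a message: it flags senders from a *.onmicrosoft.com tenant that is not on an allowlist, and inspects the display/organization text for the hallmarks of the lure (a phone number, urgency wording) rather than relying on URLs or authentication results. The KNOWN_TENANTS allowlist and the sample message are constructed for illustration.

```python
"""Flag Microsoft 365 tenant-abuse phishing from display/organization text.

Added example, not from the article or Guardz. The allowlist and the sample
message below are constructed; authentication headers are deliberately not
consulted because, in this attack, they legitimately pass.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Tenants the organization actually does business with (assumed allowlist).
KNOWN_TENANTS = {"contoso.onmicrosoft.com"}

# North American phone number shapes such as 1-800-555-0199 or (800) 555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Wording typical of the "unauthorized transaction, call us" lure.
URGENCY_RE = re.compile(r"\b(unauthori[sz]ed|charged|refund|suspend(?:ed)?|call (?:us|now))\b", re.I)


def lure_indicators(text: str) -> list[str]:
    """Return indicator names found in a display/organization field."""
    found = []
    if PHONE_RE.search(text):
        found.append("phone_number")
    if URGENCY_RE.search(text):
        found.append("urgency_wording")
    return found


def analyze(raw: str) -> dict:
    """Inspect one RFC 5322 message; returns sender domain and indicators."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    indicators = []
    if domain.endswith(".onmicrosoft.com") and domain not in KNOWN_TENANTS:
        indicators.append("unfamiliar_onmicrosoft_tenant")
    # The lure is planted in organization/display text, not in a link.
    for name, text in (("display_name", display), ("subject", str(msg.get("Subject", "")))):
        indicators += [f"{name}:{i}" for i in lure_indicators(text)]
    return {"domain": domain, "indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample: tenant name field abused to carry a "call us" lure.
SAMPLE = """From: "Unauthorized charge detected - call 1-800-555-0199" <noreply@xyz123.onmicrosoft.com>
To: user@example.com
Subject: Your Microsoft 365 subscription
Authentication-Results: spf=pass dkim=pass dmarc=pass

Thank you for your purchase.
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```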
