Security researchers warn of fresh malicious campaigns that abuse Microsoft 365 for phishing attacks, or target the service’s users to take over accounts.
As part of one campaign, attackers are leveraging legitimate Microsoft domains and tenant misconfigurations in BEC attacks likely aimed at stealing credentials and performing account takeover (ATO), Guardz warns.
The attackers were seen controlling multiple Microsoft 365 organization tenants (either new or compromised), creating administrative accounts, creating misleading full-text messages mimicking Microsoft transaction notifications, initiating a purchase or trial subscription event to generate a billing email, and then sending phishing emails using Microsoft’s infrastructure.
By modifying organizations’ names and relying on a trusted communication channel to deliver phishing emails containing fake support contact numbers, the attackers instructed victims to interact with a call center, moving the communication to voice, where fewer security controls apply.
“By exploiting the inherent trust in Microsoft’s cloud services, this phishing campaign is significantly more challenging for security teams to detect and mitigate, evading domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms,” Guardz cofounder and CEO Dor Eisner said.
Another campaign, observed by Proofpoint, relies on OAuth redirection and brand impersonation for ATO: three new OAuth applications masquerading as Adobe Drive, Adobe Acrobat, and Docusign are used to steal credentials and deliver malware.
The malicious applications were designed to redirect users to websites that host phishing pages or malware, instructing users to enable permissions to sign in to Microsoft 365 on their behalf, and gain access to their names, usernames, email addresses, and other information.
“To avoid detection solutions, the observed apps were assigned limited scopes (such as profile, email, OpenID),” the cybersecurity firm warned on the social platform X.
Related: Microsoft Says One Million Devices Impacted by Infostealer Campaign
Related: Microsoft Patches Exploited Power Pages Vulnerability
Related: Ransomware Groups Abuse Microsoft Services for Initial Access