
Microsoft 365 Under Attack: New Sophisticated Phishing Campaigns Targeting Users
Legitimate Domain, Malicious Intent: The New Face of Microsoft 365 Attacks
Microsoft 365 is currently being targeted by sophisticated phishing campaigns that exploit legitimate Microsoft infrastructure to bypass traditional security controls. These attacks are particularly dangerous because they appear to come from trusted sources, making them difficult to detect for both security systems and users. Let’s break down what’s happening and how you can protect your organization.
The Exploit: How Attackers Are Abusing Microsoft 365
Security researchers from Guardz and Proofpoint have uncovered multiple campaigns that leverage Microsoft’s own systems against users. These attacks are notable for their sophistication and use of legitimate Microsoft domains.
Attack Method #1: Organization Tenant Exploitation
The first campaign, identified by Guardz, involves attackers controlling multiple Microsoft 365 organization tenants to perform Business Email Compromise (BEC) attacks. Here’s how it works:
- Infrastructure Acquisition: Attackers establish control over multiple Microsoft 365 tenants, either by creating new ones or compromising existing ones.
- Administrative Setup: They create admin accounts using the default “*.onmicrosoft.com” domain and configure mail forwarding rules.
- Tenant Name Manipulation: The attackers modify the organization name field with text like: “(Microsoft Corporation) Your subscription has been successfully purchased for $689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-4716 to request a refund.”
- Triggering Legitimate Emails: The attackers initiate a purchase or subscription within Microsoft’s environment, generating a legitimate, authenticated email.
- Social Engineering: When the Microsoft-signed email arrives in victims’ inboxes, it displays the manipulated organization name, creating the impression of an unauthorized transaction and prompting victims to call the provided number.
Attack Method #2: OAuth Application Impersonation
Proofpoint has identified a second campaign using OAuth redirection and brand impersonation:
- Attackers create malicious OAuth applications masquerading as trusted services like Adobe Drive, Adobe Acrobat, and DocuSign.
- These applications redirect users to phishing pages or deliver malware.
- Users are instructed to enable permissions that grant access to their personal information, email addresses, and other sensitive data.
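One defensive check for this second campaign, written for this article rather than taken from Proofpoint or Microsoft: audit the consent grants already present in a tenant and flag external apps that trade on a brand name without a verified publisher, or that hold mail/file scopes despite being unverified. The sample data is constructed and only shaped like Graph's servicePrincipal and oauth2PermissionGrant objects; the field names are an assumption about the Graph v1.0 schema.

```python
# Constructed sample shaped like Microsoft Graph servicePrincipal and oauth2PermissionGrant
# objects (assumption: field names follow Graph v1.0; ids and names here are made up).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
SERVICE_PRINCIPALS = [
    {"id": "sp-acrobat", "displayName": "Adobe Acrobat",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-docusign", "displayName": "DocuSign",
     "appOwnerOrganizationId": "88888888-8888-8888-8888-888888888888",
     "verifiedPublisher": {"displayName": "DocuSign Inc.", "verifiedPublisherId": "pub-docusign"}},
    {"id": "sp-internal", "displayName": "Expense Tool",
     "appOwnerOrganizationId": HOME_TENANT,
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]
GRANTS = [
    {"clientId": "sp-acrobat", "consentType": "Principal", "principalId": "user-7",
     "scope": "openid profile email User.Read Mail.Read offline_access"},
    {"clientId": "sp-docusign", "consentType": "Principal", "principalId": "user-3",
     "scope": "openid email User.Read"},
    {"clientId": "sp-internal", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.Read.All"},
]

# Brands the article names as impersonated, and scopes that expose mail, files or identity data.
IMPERSONATED_BRANDS = ("adobe", "docusign")
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                    "User.Read.All", "offline_access"}

def audit_consents(service_principals: list, grants: list, home_tenant: str) -> list:
    """Return one alert per consent grant to an external, unverified app that looks risky."""
    by_id = {sp["id"]: sp for sp in service_principals}
    alerts = []
    for grant in grants:
        sp = by_id.get(grant["clientId"])
        if sp is None or sp.get("appOwnerOrganizationId") == home_tenant:
            continue  # first-party apps are reviewed separately; the lure uses external apps
        name = sp["displayName"].lower()
        looks_like_brand = any(brand in name for brand in IMPERSONATED_BRANDS)
        unverified = not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")
        risky_scopes = sorted(set(grant["scope"].split()) & SENSITIVE_SCOPES)
        reasons = []
        if looks_like_brand and unverified:
            reasons.append("brand-like name with no verified publisher")
        if unverified and risky_scopes:
            reasons.append("unverified publisher holding sensitive scopes: " + " ".join(risky_scopes))
        if reasons:
            alerts.append({"app": sp["displayName"], "principal": grant["principalId"],
                           "consentType": grant["consentType"], "reasons": reasons})
    return alerts
```

In a real tenant the two lists would come from the Graph servicePrincipals and oauth2PermissionGrants endpoints; the verified-publisher check is what separates the genuine DocuSign app from a look-alike.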
Why These Attacks Are Effective
These attacks are particularly dangerous because they:
- Use legitimate Microsoft domains and infrastructure
- Generate emails with valid authentication markers (SPF, DKIM, DMARC)
- Pass through Microsoft’s actual mail servers
- Include authentic Microsoft branding and UI elements
- Create a sense of urgency through financial concerns
- Move the attack to voice channels where fewer security controls exist
Who Is Behind These Attacks?
While the specific threat actors haven’t been definitively identified, these campaigns demonstrate sophisticated techniques typically associated with organized cybercrime groups. The attacks show advanced understanding of Microsoft 365’s architecture and email authentication systems.
The level of effort involved in setting up multiple tenants, configuring them properly, and manipulating Microsoft’s legitimate infrastructure suggests these are not opportunistic attackers but well-resourced criminal organizations.
How to Protect Your Organization
Technical Controls
- Enhanced Email Analysis: Implement content inspection systems that analyze organization fields and metadata.
- Check Return-Path Headers: Look for suspicious paths like “bounces+SRS=*@.onmicrosoft.com”.
- Monitor for New Microsoft Tenants: Be suspicious of communications from unfamiliar .onmicrosoft.com domains.
- Block Known Malicious Numbers: Add the phone numbers from the IOC lists to your security awareness materials.
- Implement Advanced Threat Protection: Ensure your email security goes beyond basic SPF, DKIM, and DMARC checks.
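The following Python is an added example, not code from the article or from Guardz, showing how the Return-Path, unfamiliar-tenant and content-inspection controls above can be applied to the tenant-name lure described under Attack Method #1. Both messages are constructed samples; the tenant names are made up, the phone number and lure text are the ones quoted in the article, and "ourcompany.onmicrosoft.com" stands in for a tenant you actually own.

```python
import re
from email import message_from_string

# Constructed samples (not captured mail): the first mirrors the lure the article describes,
# delivered through a tenant we do not own; the second is a routine notice from our own tenant.
LURE_EMAIL = """\
Return-Path: <bounces+SRS=x7k2q=AB@example-tenant.onmicrosoft.com>
From: "(Microsoft Corporation) Your subscription has been successfully purchased for $689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-4716 to request a refund." <billing@example-tenant.onmicrosoft.com>
To: finance@example.org
Subject: Your Microsoft 365 purchase

Thank you for your purchase from (Microsoft Corporation) Your subscription has been
successfully purchased for $689.89 USD. Questions? Call 1(888) 651-4716.
"""
BENIGN_EMAIL = """\
Return-Path: <noreply@ourcompany.onmicrosoft.com>
From: "IT Helpdesk" <helpdesk@ourcompany.onmicrosoft.com>
To: finance@example.org
Subject: Password expiry reminder

Your password expires in ten days. Change it from the portal as usual.
"""

# Patterns for the controls above: the Return-Path shape quoted in the article, the sending
# tenant, a North American phone number, and the financial wording of the lure.
SRS_BOUNCE_RE = re.compile(r"bounces\+SRS=[^@]*@[^>\s]*onmicrosoft\.com", re.I)
TENANT_RE = re.compile(r"@([\w.-]*onmicrosoft\.com)", re.I)
PHONE_RE = re.compile(r"\b1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
LURE_RE = re.compile(r"\b(purchas\w*|subscription|transaction|refund)\b", re.I)

def analyze_message(raw: str, known_tenants: set) -> dict:
    """Return detection findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    if SRS_BOUNCE_RE.search(msg.get("Return-Path", "")):
        findings.append("srs_bounce_return_path")
    # Every onmicrosoft.com tenant named in the envelope sender or From header.
    tenants = {t.lower() for h in ("Return-Path", "From")
               for t in TENANT_RE.findall(msg.get(h, ""))}
    unknown = tenants - {t.lower() for t in known_tenants}
    if unknown:
        findings.append("unfamiliar_tenant")
    # The organization name is shown in the From display name and echoed in the body,
    # so a phone number next to purchase/refund wording in either place is the callback lure.
    text = msg.get("From", "") + "\n" + msg.get_payload()
    phones = PHONE_RE.findall(text)
    if phones and LURE_RE.search(text):
        findings.append("callback_lure")
    return {"findings": findings, "tenants": sorted(unknown), "phones": phones}
```

The message still passes SPF, DKIM and DMARC, which is why the check keys on envelope shape, tenant familiarity and lure content rather than on authentication results.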
User Education
- Phone Verification Training: Teach users to verify official support numbers rather than calling those in emails.
- Trust but Verify: Train employees to validate unexpected transactional notifications through official channels.
- Recognize Social Engineering: Help staff identify when they’re being manipulated through urgency or fear.
- Report Suspicious Emails: Encourage immediate reporting of unusual communications, even if they appear to come from Microsoft.
How CinchOps Can Help Secure Your Business
Facing sophisticated threats requires comprehensive cybersecurity measures that many organizations struggle to implement with limited resources. This is where CinchOps can provide critical support to protect your business:
- Comprehensive Vulnerability Management: We provide continuous scanning and prioritized remediation of vulnerabilities that ransomware groups like Medusa frequently exploit.
- Advanced Endpoint Protection: Our solutions go beyond traditional antivirus to detect and block the sophisticated techniques used by Medusa actors.
- Network Segmentation Expertise: We can help design and implement effective network segmentation strategies that contain threats and prevent lateral movement.
- Multi-Factor Authentication Deployment: Our team can deploy and manage MFA solutions across your organization to protect critical accounts.
- Backup and Recovery Planning: We ensure your data remains secure with properly configured, tested backup systems that are resilient against ransomware attacks.
- Security Monitoring and Incident Response: Our 24/7 monitoring identifies suspicious activity that could indicate a Medusa intrusion attempt, with rapid response capabilities to contain threats.
- Security Awareness Training: We provide targeted training to help your employees recognize and avoid the phishing attempts that Medusa affiliates commonly use.
- Compliance Management: Our team ensures your security controls align with relevant compliance frameworks and industry best practices.
Don’t wait until your organization becomes another victim. Contact CinchOps today to schedule a security assessment and develop a tailored protection strategy against phishing and other advanced cyber threats. Our experienced team is ready to help you implement the critical security measures to keep your business safe in today’s dangerous digital environment.
Discover more about our enterprise-grade and business protecting cybersecurity services on our Cybersecurity page.