Unheeded Alert: Email Security Breach in Microsoft 365 Potentially Evades Protection Measures
Microsoft 365 Users Brace for a New, Sophisticated Phishing Attack
Feeling continuously targeted by cybersecurity threats can leave Microsoft users scratching their heads. From unpatched zero-day vulnerabilities exploited against Windows users, to Microsoft Account takeovers that bypass authentication protections, to phishing attempts built on URL manipulation and password-reset campaigns, Microsoft 365 users have had their fair share of online challenges. Today, they have another reason to stay vigilant: a new, complex attack has surfaced that bypasses traditional email security controls by embedding malicious content within genuine Microsoft communications. Here's the lowdown on this latest cyber threat.
New Phishing Attack Rides on Microsoft-Signed Emails
Guardz Research has confirmed an elaborate phishing campaign that deceitfully leverages Microsoft 365's trusted infrastructure for account takeover attempts through credential harvesting techniques. By misusing legitimate Microsoft domains and manipulating tenant configurations within organizations, the threat actors are executing Business Email Compromise (BEC) attacks that appear entirely genuine. This strategy sidesteps conventional email security measures by exploiting the trust those measures place in Microsoft's own infrastructure.
In a March 13 report, Ron Lev, a security researcher at Guardz, described how, as email defenses strengthen, attackers are refining their techniques to evade even advanced security protections.
This newest analysis reveals how the attackers in this campaign have manipulated Microsoft 365 tenant properties, misconfigured tenant architectures, and used organizational profile spoofing "to embed phishing payloads directly within enterprise environments," according to Lev.
New Attack Needs No Email Spoofing and Operates Entirely Within Microsoft's Infrastructure
The core objective of this current Microsoft 365 attack is the exploitation of authentic Microsoft services to establish a trusted delivery path for the payload. By doing so, it becomes difficult for both technical controls and human users to identify the threat. As opposed to traditional phishing, which relies on forged domains or email spoofing, this strategy operates entirely within the Microsoft 365 ecosystem, circumventing security measures and user distrust by using native Microsoft 365 infrastructure to deliver deceiving email lures that blend seamlessly.
Specifically, the employment of Microsoft-verified emails enables traditional security measures such as domain reputation analysis, Domain-based Message Authentication, Reporting, and Conformance (DMARC) enforcement, and anti-spoofing mechanisms to be sidestepped. "As a result, this highly deceptive attack exploiting inherent trust in Microsoft's cloud services makes it significantly more arduous for security teams to detect and neutralize," Lev cautioned.
Indeed, as Lev pointed out, the utilization of Microsoft's legitimate email infrastructure means that the phishing email may pass through Microsoft's servers without triggering any security alerts. Furthermore, since it originates from such a trusted source, it is also less likely to be flagged by security tools as it traverses to the recipient's inbox. For more technical details about the attack flow, read the full report.
Microsoft 365 Email Attack Flow Explained
The Guardz Research report outlines a total of five phases that make up the attack chain of this recent campaign.
- Infrastructure acquisition: Here, threat actors initiate control over multiple Microsoft 365 organization tenants necessary for the attack by either registering new tenants or compromising existing ones. "By doing so, each tenant plays a strategic role in the attack chain," Lev said, "enabling the attacker to bypass detection and manipulate trust mechanisms within the Microsoft 365 infrastructure." This action allows for the exploitation of various functionalities, including the abuse of legitimate payment and invoicing emails sent by Microsoft.
- Technical configuration: Having gained control over the Microsoft 365 tenants in phase one, the attackers create administrative accounts that have the default .onmicrosoft.com domain. "The key tactics include admin account creation, mail forwarding abuse, and anti-phishing evasion," Lev explained.
- Deception preparation: To boost credibility, the attackers then configure a second tenant whose organization display name is a misleading full-text message resembling a legitimate Microsoft transaction notification. This step takes advantage of the Microsoft 365 tenant display name feature to inject a trusted-looking, convincing phishing lure directly into the email.
- Attack execution: By initiating the purchase of a trial subscription from the first tenant, the attacker causes Microsoft to generate an authentic, Microsoft-signed billing email, so Microsoft's own infrastructure delivers the phishing content and lends it legitimacy. This is arguably the most critical stage of the attack flow: because the lure comes from the manipulated organization display name of the second tenant and travels over native Microsoft 365 infrastructure, the phishing email is part of a trusted communication channel and cannot be caught by email authentication controls such as DMARC, which it legitimately passes.
- Victim engagement: The trap is sprung when victims, reading a Microsoft billing email that contains the manipulated organization name and phony support contact details, are urged to immediately contact what seems to be a crucial support hotline.
"By exploiting the inherent trust in Microsoft's cloud services, this phishing campaign is significantly more challenging for security teams to detect and mitigate, evading domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms," Dor Eisner, CEO and co-founder of Guardz, commented.
Disabling the Microsoft 365 Email Attack Chain
Although this newly discovered attack presents a number of obstacles for defenders, including the lack of protection from traditional email security measures and the employment of legitimate Microsoft domains, solutions are available and essential.
- Reinforce user awareness through training: teach users to spot social engineering techniques and recognize suspicious contact details.
- Verify information: encourage users to corroborate support phone numbers and validate financial notifications directly with official Microsoft channels.
- Perform email content inspection that investigates organization fields and metadata, checking return-path headers.
To protect themselves from this sophisticated phishing attack, Microsoft 365 users can implement AI-powered security tools, inspect organization metadata and headers, and closely monitor interactions from unknown or recently created .onmicrosoft.com domains. Additionally, it's advisable to limit users' permission to consent to third-party OAuth app requests and regularly review and revoke unrecognized OAuth apps through the 'My Apps' portal. By following these measures, users can significantly reduce their vulnerability to such intricate phishing attacks.
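The content-inspection advice above can be turned into a concrete check. The following is an added example written for this article, not code from Guardz or Microsoft: it parses a message, records whether DMARC passed (which, as the report stresses, does not clear the message), compares the Return-Path domain with the From domain, looks for phone numbers and urgency language in the organization display name or an "Organization:" line, and flags any .onmicrosoft.com tenant that is not on a hypothetical allow-list. Both sample messages and the `KNOWN_TENANTS` set are constructed for the example.

```python
"""Inspect Microsoft-signed billing notifications for display-name lures.

Added example (not Guardz's or Microsoft's code). The sample messages and the
KNOWN_TENANTS allow-list below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allow-list of tenants the organisation itself owns.
KNOWN_TENANTS = {"ourcompany.onmicrosoft.com"}

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URGENCY_RE = re.compile(
    r"\b(call|contact|dial|support|helpdesk|cancel|refund|charged)\b", re.I
)
TENANT_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.onmicrosoft\.com", re.I)
ORG_FIELD_RE = re.compile(r"^Organization:\s*(.+)$", re.I | re.M)

# Constructed lure: a genuinely signed billing mail whose organization field
# carries a phone number and urgency text (phone number is a 555 placeholder).
SAMPLE_LURE = "\n".join([
    "Return-Path: <microsoft-noreply@microsoft.com>",
    'From: "Microsoft" <microsoft-noreply@microsoft.com>',
    "To: finance@example.com",
    "Subject: Your Microsoft 365 trial subscription is now active",
    "Authentication-Results: spf=pass; dkim=pass; dmarc=pass header.from=microsoft.com",
    "",
    "Thank you for your purchase.",
    "Organization: Billing Dept - you were charged $349.99, call support now +1 (555) 010-0199 to cancel",
    "Tenant: unknown-tenant-example.onmicrosoft.com",
])

# Constructed benign notification referring only to the organisation's own tenant.
SAMPLE_BENIGN = "\n".join([
    "Return-Path: <microsoft-noreply@microsoft.com>",
    'From: "Microsoft" <microsoft-noreply@microsoft.com>',
    "To: finance@example.com",
    "Subject: Your invoice is ready",
    "Authentication-Results: spf=pass; dkim=pass; dmarc=pass header.from=microsoft.com",
    "",
    "Organization: Example Corp",
    "Your invoice for March is available in the admin center for ourcompany.onmicrosoft.com.",
])


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Plain-text body, handling both single-part and multipart messages."""
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        return part.get_content() if part is not None else ""
    return msg.get_content()


def inspect_message(raw: str) -> dict:
    """Return DMARC status plus a sorted list of findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    return_addr = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth_results = str(msg.get("Authentication-Results", "")).lower()
    dmarc_pass = "dmarc=pass" in auth_results

    # 1. Return-Path vs From domain: a mismatch deserves a look even when DMARC passes.
    if return_addr and _domain(return_addr) != _domain(from_addr):
        findings.append("return_path_domain_mismatch")

    # 2. Organization display name or Organization: line stuffed with contact details.
    body = _body_text(msg)
    for value in [from_name] + ORG_FIELD_RE.findall(body):
        if PHONE_RE.search(value):
            findings.append("organization_field_contains_phone")
        if URGENCY_RE.search(value):
            findings.append("organization_field_contains_urgency_text")

    # 3. Any .onmicrosoft.com tenant referenced anywhere that we do not own.
    haystack = body + "\n" + "\n".join(str(v) for v in msg.values())
    for tenant in {t.lower() for t in TENANT_RE.findall(haystack)}:
        if tenant not in KNOWN_TENANTS:
            findings.append(f"unknown_tenant:{tenant}")

    findings = sorted(set(findings))
    return {"dmarc_pass": dmarc_pass, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_message(sample))
```

Both samples pass DMARC, so the verdict rests entirely on the organization field and the tenant reference; in a real deployment the allow-list would be populated from the organisation's own tenant inventory, and a tenant's creation date (which this offline check cannot see) would be a further signal for "recently created" domains.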
- Microsoft 365 users should heed Microsoft 365 security warnings and enable two-factor authentication, as Forbes has previously advised.
- Standard email security measures such as domain reputation analysis and DMARC enforcement are insufficient on their own against this campaign, because the lure arrives inside a genuinely Microsoft-signed message.
- To minimize the risk of falling victim, organizations should reinforce user awareness through training, verify support contact details and financial notifications through official Microsoft channels, and inspect email content with attention to organization fields, metadata, and return-path headers.