Beware this highly sophisticated Microsoft 365 attack.
Sometimes it can feel like Microsoft users are on the sharp end of the cybersecurity stick a little too often, whether through multiple zero-day vulnerabilities being actively exploited against Windows users, or Microsoft Account takeovers that bypass authentication protections. Microsoft 365 users in particular could be excused for feeling hard done by, with hackers exploiting technical gaps to manipulate URLs, or abusing basic authentication through spray-and-pray password campaigns. Now, Microsoft 365 users have been warned that a new and sophisticated attack bypasses traditional email security controls by embedding phishing lures within legitimate Microsoft communications. Here’s what you need to know.
New Phishing Attack Uses Microsoft-Signed Emails
Researchers have confirmed what they describe as a highly sophisticated phishing campaign that exploits trusted Microsoft 365 infrastructure to attempt account takeovers through credential harvesting. By exploiting legitimate Microsoft domains and misconfigurations within tenants, the threat actors are executing Business Email Compromise attacks that maintain a very convincing appearance of legitimacy. The researchers have revealed that this method bypasses conventional email security measures by capitalizing on the inherent trust placed in those mechanisms.
In a March 13 report, Ron Lev, a security researcher at Guardz Research, explained that as email defenses such as secure email gateways continue to evolve, attackers are finding they need to refine their evasion techniques to bypass these more robust protections.
This latest analysis shows how the threat actors in this campaign have manipulated Microsoft 365 tenant properties, abused tenant architectures and leveraged organizational profile spoofing “to embed phishing payloads directly within enterprise environments,” according to Lev.
New Attack Avoids Email Spoofing And Operates Entirely Within Microsoft’s Ecosystem
The main thrust of this latest Microsoft 365 attack is the exploitation of entirely legitimate Microsoft services to establish a trusted delivery route for the payload, which makes the attack difficult for technical controls and human recipients alike to detect. “Unlike traditional phishing, which relies on lookalike domains or email spoofing,” Lev said, “this method operates entirely within Microsoft’s ecosystem, bypassing security measures and user skepticism by leveraging native Microsoft 365 infrastructure to deliver phishing lures that appear authentic and blend in seamlessly.”
In particular, the use of trusted Microsoft service-generated emails enables traditional security measures such as domain reputation analysis, Domain-based Message Authentication, Reporting and Conformance enforcement as well as anti-spoofing mechanisms to be bypassed. “The result is a highly deceptive attack that exploits inherent trust in Microsoft’s cloud services,” Lev warned, “making it significantly more challenging for security teams to detect and mitigate.”
Indeed, as Lev pointed out, the leveraging of Microsoft’s legitimate email infrastructure means that the phishing email can pass through Microsoft’s servers without raising any security alerts. What’s more, as it originates from such a trusted source, it is also far less likely to be flagged by security tools as it makes its way to the victim’s inbox. I recommend reading the full report for all the technical details.
Mitigating the Microsoft 365 Email Attack Chain
I have reached out to Microsoft for a statement. In the meantime, while Lev admitted that this latest attack presents a number of challenges for defenders, not least the lack of protection from traditional email security measures and the use of legitimate Microsoft domains, mitigations are not only possible but highly recommended.
- Train users with phishing awareness to recognize suspicious elements.
- Be suspicious of communications from unfamiliar .onmicrosoft.com domains and newly created Microsoft 365 tenants.
- Implement email content inspection that analyzes organization fields and metadata and checks return-path headers.
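As an added illustration of the last two mitigations, not code from the Guardz report or from this article, the following Python script inspects a raw message's headers and flags the signals the list above describes: a From or Return-Path domain on an unfamiliar .onmicrosoft.com tenant, a Return-Path domain that does not match the visible sender, and URL- or phone-number-like text inside organization fields. The tenant allowlist, the lure heuristic and both sample messages are constructed assumptions; real tenant names and mail would be substituted in production.

```python
"""Header-inspection heuristics for the mitigations listed above.

Constructed example: every domain, address and message here is made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: tenant domains the organisation already does business with.
KNOWN_TENANTS = {"contoso.onmicrosoft.com"}

# Heuristic (assumption): a URL or phone number inside a display name or
# Organization header is lure text, not an identity.
LURE_PATTERN = re.compile(r"(https?://|www\.|\+?\d[\d\s().-]{7,}\d)")


def domain_of(address_header):
    """Domain part of an address header, lower-cased ('' when absent)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def inspect_message(raw_message, known_tenants=KNOWN_TENANTS):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []

    from_header = msg.get("From", "")
    from_domain = domain_of(from_header)
    return_path_domain = domain_of(msg.get("Return-Path", ""))

    # 1. Unfamiliar .onmicrosoft.com tenant in either the From or Return-Path header.
    for label, dom in (("From", from_domain), ("Return-Path", return_path_domain)):
        if dom.endswith(".onmicrosoft.com") and dom not in known_tenants:
            findings.append(f"{label}: unfamiliar tenant domain {dom}")

    # 2. Return-Path domain that does not match the visible sender domain.
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(
            f"Return-Path domain {return_path_domain} differs from From domain {from_domain}"
        )

    # 3. Lure text inside organisation fields (display name, Organization header).
    display_name, _ = parseaddr(from_header)
    for label, field in (
        ("From display name", display_name),
        ("Organization", msg.get("Organization", "")),
    ):
        if field and LURE_PATTERN.search(field):
            findings.append(f"{label} contains URL/phone-like text: {field!r}")

    # 4. Authentication results are recorded but never used to clear a message:
    #    mail relayed through Microsoft's own infrastructure can legitimately pass DMARC.
    auth_results = msg.get("Authentication-Results", "")
    if findings and "dmarc=pass" in auth_results:
        findings.append("note: DMARC passed; authentication alone does not clear this message")

    return findings


# Constructed sample: unknown tenant, lure text in organisation fields, DMARC passes.
SUSPICIOUS = """\
Return-Path: <noreply@zz-billing-0042.onmicrosoft.com>
Authentication-Results: spf=pass; dkim=pass; dmarc=pass
From: "Billing Support call +1 555 0100 now" <noreply@zz-billing-0042.onmicrosoft.com>
Organization: Billing Support +1 555 0100
To: user@example.com
Subject: Your subscription
Content-Type: text/plain

Constructed lure body.
"""

# Constructed sample: known tenant, ordinary display name, no organization lure.
BENIGN = """\
Return-Path: <alerts@contoso.onmicrosoft.com>
Authentication-Results: spf=pass; dkim=pass; dmarc=pass
From: "Contoso Alerts" <alerts@contoso.onmicrosoft.com>
To: user@example.com
Subject: Weekly digest
Content-Type: text/plain

Constructed body.
"""

if __name__ == "__main__":
    for name, raw in (("SUSPICIOUS", SUSPICIOUS), ("BENIGN", BENIGN)):
        print(name, inspect_message(raw) or ["no findings"])
```

The point of step 4 is that a passing DMARC result is expected for this campaign, since the mail really does leave Microsoft's infrastructure; the checks on tenant familiarity and organization fields are what separate the two samples, not the authentication headers.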