
Threat Intelligence

12/7/2020 05:25 PM

Phishing Campaign Targets 200M Microsoft 365 Accounts

A well-organized email spoofing campaign has been seen targeting financial services, insurance, healthcare, manufacturing, utilities, and telecom.

Update 12/11/2020: This story has been updated to include Microsoft's statement regarding the attack.

A large-scale phishing campaign is targeting 200 million Microsoft 365 users around the world, particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom sectors, Ironscales researchers report.


The attackers use a domain spoofing technique to create emails that appear to come from Microsoft Outlook ([email protected]). The emails use urgent language to lure recipients into trying a new Microsoft 365 capability that lets account holders reclaim emails accidentally flagged as phishing or spam.

A link within the email promises to redirect readers to a security portal so they can review and act on so-called "quarantine messages" deemed suspicious by the Exchange Online Protection (EOP) filtering stack, researchers explain in a blog post. Victims who click the link will be asked to enter their Microsoft login credentials on a fake authentication page.

While impersonating the exact name and domain of a specific sender is technically more complex than other spoofing attacks, researchers warn it remains a common phishing tactic that even attentive, security-savvy employees are likely to overlook when such a message arrives in their inbox.

"To the naked eye, the most suspicious element of this attack would be the sense of urgency to view the quarantined messages or the unusualness of receiving this type of email solicitation," researchers note.

Organizations keen to mitigate their risk for this type of attack are advised to ensure their defenses are configured for Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication protocol built to block exact-domain spoofing. In its report, Ironscales says Microsoft is not currently enforcing the DMARC protocol, meaning domain-spoofing messages are not being rejected by gateway controls.
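Whether a receiving gateway rejects an exact-domain spoof comes down to two things: whether the message passes DMARC's identifier-alignment check, and, if it does not, what p= policy the spoofed domain publishes and whether the receiver enforces it. The following Python script is an added example, not code from the article, Ironscales, or Microsoft; it performs no DNS lookups and uses constructed domain names (brand.example, attacker-infra.example) and constructed DMARC TXT records, and it approximates the organizational domain as the last two labels (a real evaluator uses the Public Suffix List). It implements the alignment and policy logic of RFC 7489: a message passes only if SPF or DKIM passes for a domain aligned with the RFC5322.From domain; otherwise the domain owner's published policy decides the disposition.

```python
"""DMARC alignment and policy evaluation (added example; constructed data only).

No DNS lookups are made: the DMARC records and domain names below are
constructed for illustration, not taken from any real domain.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Returns None if the record is not a DMARC record (e.g. an SPF record).
    Defaults follow RFC 7489: p=none, relaxed ("r") alignment for SPF and DKIM.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty fragments and malformed tokens
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels.

    A production evaluator must use the Public Suffix List so that names
    like example.co.uk are handled correctly; this shortcut is enough for
    the constructed domains used here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ("s") requires an exact match, relaxed
    ("r") requires the same organizational domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record_txt, from_domain, spf_domain=None, spf_result="none",
             dkim_domain=None, dkim_result="none"):
    """Return (dmarc_pass, disposition) for one message.

    from_domain is the RFC5322.From domain the recipient sees. spf_domain is
    the domain SPF was checked against (MAIL FROM); dkim_domain is the d= of
    a verified DKIM signature. DMARC passes if either mechanism passes AND is
    aligned; otherwise the sender domain's published p= policy applies.
    """
    record = parse_dmarc(record_txt)
    if record is None:
        return (None, "deliver")  # no DMARC policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return (True, "deliver")
    disposition = {"none": "deliver", "quarantine": "quarantine",
                   "reject": "reject"}.get(record["p"].lower(), "deliver")
    return (False, disposition)


def spoofing_scenario(policy_txt):
    """Exact-domain spoof: the From: header claims brand.example, but SPF
    passed only for the attacker's own infrastructure and there is no DKIM."""
    return evaluate(policy_txt, "brand.example",
                    spf_domain="attacker-infra.example", spf_result="pass")


if __name__ == "__main__":
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@brand.example",
                   "v=DMARC1; p=quarantine",
                   "v=DMARC1; p=reject"):
        print(f"{record:<50} -> {spoofing_scenario(record)}")
    # A legitimate message from a brand.example subdomain passes under relaxed
    # SPF alignment but fails under strict alignment (aspf=s) unless DKIM
    # signs with d=brand.example.
    print(evaluate("v=DMARC1; p=reject", "brand.example",
                   spf_domain="mail.brand.example", spf_result="pass"))
    print(evaluate("v=DMARC1; p=reject; aspf=s", "brand.example",
                   spf_domain="mail.brand.example", spf_result="pass"))
```

The spoof in the scenario fails alignment under every policy; what changes is only the disposition, and a p=none record is monitoring only, so it delivers the spoof just as a missing record would. That is the practical meaning of "not enforcing DMARC" from the receiving side: the gateway must actually apply the published p=quarantine or p=reject verdict rather than merely record it.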

In a statement, Microsoft says its platform has the capability to block these types of emails; however, it's up to customers to ensure they have the proper controls enabled.

"Contrary to claims in the third party report, Office 365 has rich in-built controls to block domain spoofing emails and enforces DMARC checks," a Microsoft spokesperson says. "We encourage all customers to make sure they have deployed the latest security controls in Office 365, enabled multi-factor authentication for Office 365, and train their end users to observe caution when clicking on links from unknown senders." 

Microsoft 365 continues to be a popular target for cybercriminals, from attackers with little experience to advanced persistent threat (APT) groups following enterprise victims to the cloud. Some of these groups target businesses to steal information or gain additional access; some will target one corporation with the goal of eventually breaching another. Most of these advanced attackers seek long-term access that will let them dwell in an environment for years.

Some APT groups might acquire administrator credentials to breach a target Microsoft 365 environment; others might exploit flaws in how the platform validates configuration changes. Unskilled attackers might use business email compromise attacks to infiltrate a target organization's Microsoft account.

Campaigns like the one Ironscales detected underscore cybercriminals' ability to develop increasingly subtle attacks. Research released by Vectra in October found attackers are widely using Microsoft 365 accounts to move laterally to other users and accounts within a target organization and to carry out command-and-control communications and other activities.

The Vectra study found lateral movement in 96% of the Microsoft 365 customer accounts sampled. In 71% of the accounts, researchers observed suspicious activity using Power Automate, a capability built into the platform, and 56% of accounts showed similarly suspicious use of the Microsoft 365 eDiscovery tool.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
rstaats1113 (User Rank: Apprentice), 12/8/2020 | 9:19:10 AM
Proposed mitigation
I think the mitigation discussed (DMARC) would've been more complete if a link or a contact was provided on who/how to set up DMARC with the behemoth that is Microsoft. If anybody has that, it would be helpful.
JWallenstrom (User Rank: Apprentice), 12/8/2020 | 12:19:22 AM
Tough week for Microsoft
Nasty remote code execution... https://github.com/oskarsve/ms-teams-rce

Happy to see the industry's sense of humor persists. Kudos @oskarsve... "At least now we have a new joke between colleagues - whenever we get a remote code execution (RCE) bug, we call it "Important, Spoofing". Thanks Microsoft! 😂"