
Phishing Campaign Targets 200M Microsoft 365 Accounts

A well-organized email spoofing campaign has been seen targeting financial services, insurance, healthcare, manufacturing, utilities, and telecom.

Update 12/11/2020: This story has been updated to include Microsoft's statement regarding the attack.

A large-scale phishing campaign is targeting 200 million Microsoft 365 users around the world, particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom sectors, Ironscales researchers report.


The attackers leverage a domain spoofing technique to create emails that appear to come from Microsoft Outlook ([email protected]). These emails attempt to use urgent language to trick people into using a new Microsoft 365 capability that lets account holders reclaim emails accidentally flagged as phishing or spam.

A link within the email promises to redirect readers to a security portal so they can review and act on so-called "quarantine messages" deemed suspicious by the Exchange Online Protection (EOP) filtering stack, researchers explain in a blog post. Victims who click the link will be asked to enter their Microsoft login credentials on a fake authentication page.

While impersonating the exact name and domain of a specific sender is technically more complex than other spoofing attacks, researchers warn this remains a common phishing tactic that even attentive security-savvy employees are likely to overlook if it arrives in their inbox.

"To the naked eye, the most suspicious element of this attack would be the sense of urgency to view the quarantined messages or the unusualness of receiving this type of email solicitation," researchers note.

Organizations keen to mitigate their risk from this type of attack are advised to ensure their defenses are configured for Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication protocol built to block exact-domain spoofing. In their report, the researchers say Microsoft is not currently enforcing the DMARC protocol, meaning domain-spoofing messages are not being rejected by gateway controls.
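To make the mitigation concrete, the following added example (not code from Ironscales, Microsoft, or this article) shows how DMARC turns on the exact-domain spoofing check described above: it parses a published DMARC TXT record and evaluates a message's Authentication-Results against the From: domain. The record strings, the sample message, and the domains (example.com, example.org, attacker.example.net) are constructed, and org_domain() is a simplified stand-in for a real public-suffix lookup.

```python
import re
from email import message_from_string

# Constructed DMARC records: the first only monitors (p=none), the second enforces.
DMARC_RECORD_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_RECORD_ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Constructed spoofed message: From: claims example.com, but SPF passed for an
# unrelated domain and there is no DKIM signature for example.com.
SPOOFED_MESSAGE = """From: Quarantine Notice <no-reply@example.com>
To: victim@example.org
Subject: Action required: review your quarantined messages
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=attacker.example.net; dkim=none

You have quarantined messages pending review.
"""

def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Simplified organizational domain (last two labels); real code needs the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, strict):
    """DMARC identifier alignment: exact match in strict mode, same org domain in relaxed mode."""
    if strict:
        return from_domain == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(raw_message, dmarc_record):
    """Return 'pass' if an aligned SPF or DKIM result exists, else the record's p= policy."""
    msg = message_from_string(raw_message)
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    auth = msg.get("Authentication-Results", "")
    tags = parse_dmarc(dmarc_record)
    spf = re.search(r"spf=pass smtp\.mailfrom=([\w.-]+)", auth)
    dkim = re.search(r"dkim=pass header\.d=([\w.-]+)", auth)
    spf_ok = bool(spf) and aligned(from_domain, spf.group(1), tags.get("aspf", "r") == "s")
    dkim_ok = bool(dkim) and aligned(from_domain, dkim.group(1), tags.get("adkim", "r") == "s")
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # none: deliver anyway; quarantine; reject
```

With p=none the spoofed message is delivered and merely reported; only p=quarantine or p=reject causes the receiving gateway to act on the failed alignment.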

In a statement, Microsoft says its platform has the capability to block these types of emails; however, it's up to customers to ensure they have the proper controls enabled.

"Contrary to claims in the third party report, Office 365 has rich in-built controls to block domain spoofing emails and enforces DMARC checks," a Microsoft spokesperson says. "We encourage all customers to make sure they have deployed the latest security controls in Office 365, enabled multi-factor authentication for Office 365, and train their end users to observe caution when clicking on links from unknown senders." 

Microsoft 365 continues to be a popular target for cybercriminals, from attackers with little experience to advanced persistent threat (APT) groups following enterprise victims to the cloud. Some of these groups target businesses to steal information or gain additional access; some will target one corporation with the goal of eventually breaching another. Most of these advanced attackers seek long-term access that will let them dwell in an environment for years.

Some APT groups might acquire administrator credentials to breach a target Microsoft 365 environment; others might exploit flaws in how the platform validates configuration changes. Unskilled attackers might use business email compromise attacks to infiltrate a target organization's Microsoft account.

Campaigns like the one Ironscales detected underscore cybercriminals' ability to develop increasingly subtle attacks. Research released by Vectra in October found attackers are widely using Microsoft 365 accounts to move laterally to other users and accounts within target organizations and to carry out command-and-control communications and other activities.

The Vectra study found lateral movement in 96% of the Microsoft 365 customer accounts sampled. In 71% of the accounts, researchers observed suspicious activity using Power Automate, a capability built into the platform, and 56% of accounts showed similarly suspicious behavior involving the eDiscovery tool in Microsoft 365.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

User Rank: Apprentice
12/8/2020 | 12:19:22 AM
Tough week for Microsoft
Nasty remote code execution...https://github.com/oskarsve/ms-teams-rce

Happy to see the industry's sense of humor persists. Kudos @oskarsve...  "At least now we have a new joke between colleagues - whenever we get a remote code execution (RCE) bug, we call it "Important, Spoofing". Thanks Microsoft! 😂 "
User Rank: Apprentice
12/8/2020 | 9:19:10 AM
Proposed mitigation
I think the mitigation discussed (DMARC) would've been more complete if a link or a contact was provided on who/how to set up DMARC with the behemoth that is Microsoft.  If anybody has that, it would be helpful.