Phishing Campaign Targets 200M Microsoft 365 Accounts

Update 12/11/2020: This story has been updated to include Microsoft's statement regarding the attack.

A large-scale phishing campaign is targeting 200 million Microsoft 365 users around the world, particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom sectors, Ironscales researchers report.

The attackers leverage a domain spoofing technique to create emails that appear to come from Microsoft Outlook ([email protected]). These emails attempt to use urgent language to trick people into using a new Microsoft 365 capability that lets account holders reclaim emails accidentally flagged as phishing or spam.

A link within the email promises to redirect readers to a security portal so they can review and act on so-called "quarantine messages" deemed suspicious by the Exchange Online Protection (EOP) filtering stack, researchers explain in a blog post. Victims who click the link will be asked to enter their Microsoft login credentials on a fake authentication page.

While impersonating the exact name and domain of a specific sender is technically more complex than other spoofing attacks, researchers warn this remains a common phishing tactic that even attentive security-savvy employees are likely to overlook if it arrives in their inbox.

"To the naked eye, the most suspicious element of this attack would be the sense of urgency to view the quarantined messages or the unusualness of receiving this type of email solicitation," researchers note.

Organizations keen to mitigate their risk for this type of attack are advised to ensure their defenses are configured for Domain-based Message Authentication, Reporting, and Compliance (DMARC), an email authentication protocol built to block exact domain spoofing. In its report, researchers say Microsoft is not currently enforcing the DMARC protocol, meaning domain spoofing messages are not being rejected by gateway controls. 

In a statement, Microsoft says its platform has the capability to block these types of emails; however, it's up to customers to ensure they have the proper controls enabled.

"Contrary to claims in the third party report, Office 365 has rich in-built controls to block domain spoofing emails and enforces DMARC checks," a Microsoft spokesperson says. "We encourage all customers to make sure they have deployed the latest security controls in Office 365, enabled multi-factor authentication for Office 365, and train their end users to observe caution when clicking on links from unknown senders." 

Microsoft 365 continues to be a popular target for cybercriminals, from attackers with little experience to advanced persistent threat (APT) groups following enterprise victims to the cloud. Some of these groups target businesses to steal information or gain additional access; some will target one corporation with the goal of eventually breaching another. Most of these advanced attackers seek long-term access that will let them dwell in an environment for years.

Some APT groups might acquire administrator credentials to breach a target Microsoft 365 environment; others might exploit flaws in how the platform validates configuration changes. Unskilled attackers might use business email compromise attacks to infiltrate a target organization's Microsoft account.

Campaigns like the one Ironscales detected underscore cybercriminals' ability to develop increasingly subtle attacks. Research released from Vectra in October found attackers are widely using Microsoft 365 accounts to move laterally to other users and accounts within a target organizations to carry out command-and-control communications and other activities.

The Vectra study found lateral movement on 96% of Microsoft 365 customer accounts sampled. With 71% of the accounts, they noticed suspicious activity using Power Automate, a capability built into the platform, and 56% of accounts revealed similarly suspicious behavior using the eDiscovery tool in Microsoft 365.