The cybersecurity company empowering MSPs to secure small businesses identified a highly sophisticated Microsoft 365 tenant brand manipulation and disrupted its use against their customers.
Guardz, the cybersecurity company empowering MSPs and IT professionals to deliver comprehensive, AI-native cyber protection for small businesses, today disclosed the findings of its research into a highly sophisticated, ongoing phishing campaign exploiting Microsoft 365’s trusted infrastructure to manipulate victims into calling a malicious threat actor call center and potentially facilitate credential harvesting and account takeover (ATO) attempts.
As email security defenses like secure email gateways (SEGs) and advanced threat protection mechanisms become more complex, cyber threat actors are continuously refining their evasion techniques to bypass even the most robust detection mechanisms. Evidencing this trend, Guardz identified, analyzed, and successfully disrupted a highly deceptive phishing campaign in use against its customers, highlighting how cyber attackers continue to evolve their techniques by manipulating legitimate infrastructure in novel ways.
The Guardz Research Unit (GRU) has determined the details of the attack method, which exploits legitimate Microsoft services to create a trusted delivery mechanism for phishing content, making it difficult for both technical controls and human recipients to detect it. By manipulating Microsoft 365 tenant properties and leveraging organizational profile spoofing to embed phishing payloads directly within legitimate emails, attackers are able to trick users into providing information under the cloak of legitimacy.
The attack flow involves numerous phases:
●Infrastructure Acquisition: Adversaries establish control over multiple Microsoft 365 organization tenants, either by registering new tenants or compromising existing ones. Each tenant plays a strategic role in the attack chain, allowing the threat actor to evade detection and manipulate trust mechanisms within the Microsoft 365 infrastructure. This can allow various attack functionalities, including exploiting legitimate payment and billing activity emails sent by Microsoft with phishing content.
●Technical Configuration: Once the control over Microsoft 365 tenants is established, the attacker can create administrative accounts using the default “*.onmicrosoft.com” domain. The key tactics include admin account creation, mail forwarding abuse, and anti-phishing evasion.
●Deception Preparation: To enhance the credibility of their phishing campaign, attackers configure the second tenant’s organization name with a misleading full-text message that mimics a legitimate Microsoft transaction notification. This tactic exploits Microsoft 365’s built-in tenant display name feature, which is reflected in various service-generated emails and interfaces, to inject a phishing lure directly into the email.
● Attack Execution: To maximize legitimacy and evade detection, the attacker initiates a purchase or trial subscription event within the first tenant. This action generates an authentic Microsoft-signed billing email, leveraging Microsoft’s infrastructure to deliver phishing content that appears completely legitimate. The attacker manipulates the organization display name in a second tenant, ensuring that the fraudulent message is embedded within a trusted communication channel. Because the emails leverage native M365 infrastructure and the sending domain is legitimately Microsoft.com, the phishing lures cannot be detected by SPF, DKIM, and DMARC.
●Technical Legitimization: By leveraging Microsoft’s legitimate email infrastructure, the attacker ensures that the phishing email passes through Microsoft’s servers without raising security alerts. Because the email originates from a trusted source, it is far more likely to reach the victim’s inbox without being flagged by security tools.
●Victim Engagement: Microsoft’s billing emails contain the organization name and fake support contact numbers, urging immediate victim interaction with a call center. This direct communication significantly enhances phishing effectiveness beyond traditional email-based methods.
“Our team at Guardz works tirelessly to secure small businesses, who are the backbone of the US economy and who threat actors are increasingly setting their sights on – and we’re proud to have identified and protected against this highly deceptive attack,” said Dor Eisner, CEO and Co-Founder of Guardz. “By exploiting the inherent trust in Microsoft’s cloud services, this phishing campaign is significantly more challenging for security teams to detect and mitigate, evading domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms. It’s an urgent reminder that as cyber defenders, we must focus not only on traditional indicators of compromise but also on how legitimate systems can be manipulated for malicious purposes.”
The Guardz unified security platform gives a unique edge in combating this type of threat. The company’s unified detection and response effectively mitigated the attack, while its security team informed affected customers and implemented enhanced detection mechanisms to prevent similar threats in the future.
To protect against this attack vector, Guardz recommends that businesses implement enhanced detection and response tools, starting with email analysis that includes advanced content inspection, user awareness training, phone verification validating official support numbers, and verification of unknown domains and newly created tenants.
To learn more about the phishing campaign and how Guardz protects against it, read the full blog post here.
__
About Guardz
Guardz provides MSPs and IT professionals with an AI-powered cybersecurity platform designed to secure and insure SMBs against cyberattacks. The Guardz platform offers automatic detection and response, protecting users, emails, devices, cloud directories, and data. By simplifying cybersecurity management, Guardz enables businesses to focus on growth without being bogged down by security complexities. The company’s scalable and cost-effective pricing model ensures comprehensive protection for all digital assets, facilitating rapid deployment and business expansion.
Ad
Join our LinkedIn group Information Security Community!
