Hackers Exploiting .onmicrosoft.com Domains to Launch TOAD Scam Attack

Cybercriminals are increasingly weaponizing legitimate Microsoft infrastructure to bypass security filters and trick users into falling for Telephone-Oriented Attack Delivery (TOAD) scams.

By abusing the default .onmicrosoft.com domains that are assigned to Azure tenants, attackers send malicious invites that appear to originate from trusted Microsoft addresses.

The attack vector is deceptively simple yet highly effective. An attacker sets up a controlled tenant and sends Microsoft Invites to potential victims.

Jay Kerai observed that threat actors, rather than relying on a malicious attachment, fill the “Message” field of the invite with social-engineering lures. These messages typically urge the recipient to call a fraudulent support number to resolve a billing issue or confirm a subscription.

Abuse of .onmicrosoft[.]com (Image source: Jay Kerai)

Because these invites are routed through legitimate Microsoft infrastructure, they possess a high domain reputation. This allows them to bypass many standard email gateways that would instantly flag a similar message coming from an unknown server.

While Microsoft Defender for Office 365 (MDO) often flags these attempts as high-confidence phishing, relying solely on automated detection is risky. Furthermore, security teams attempting to mitigate this by configuring Entra External Identity to restrict B2B access will find the measure ineffective against this specific technique.

The attack does not require the victim to accept the invite or authenticate; the malicious payload is delivered visibly in the body of the email notification itself. Once the email lands in the inbox, the damage is done.

To neutralize this threat, security administrators are advised to configure a specific Exchange Transport Rule. However, simply blocking the domain is not feasible, as it would disrupt legitimate administrative traffic.

Instead, administrators must use Regular Expressions (Regex) to target the specific pattern used in these attacks without blocking admins on a Microsoft Online Email Routing Address (MOERA).

Security researchers recommend applying the following Regex to inspect the message body:

```text
Domain:\s+([A-Za-z0-9]+)\.onmicrosoft\.com
```

Implementing this rule requires caution. Some legitimate contractors or small vendors operating their own tenants may not have configured a custom primary domain, relying instead on the default .onmicrosoft.com address.

Security teams should audit their traffic prior to enforcement. If legitimate partners are detected using the default domain, organizations will need to whitelist those specific senders or request that the contractors update their primary domain to a custom-branded one to ensure uninterrupted communication.
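As an added illustration that is not part of the article or of Microsoft's documentation, the following Exchange Online PowerShell stages the transport rule described above in audit mode, then promotes it to enforcement once the audit has identified legitimate partner tenants; the rule name, the SOC mailbox and the partner tenant domain are placeholders.

```powershell
# Added example (not from the article or Microsoft): stage the transport rule described above
# in audit mode, review what it would have caught, then switch it to enforcement.
# Assumes the ExchangeOnlineManagement module is installed and the session holds an Exchange admin role.
Connect-ExchangeOnline

# Regex quoted from the article. Single quotes stop PowerShell from touching the backslashes.
# It inspects the message body, so admins who merely send *from* a MOERA address are unaffected.
$invitePattern = 'Domain:\s+([A-Za-z0-9]+)\.onmicrosoft\.com'

# Placeholder: default tenant domains of partners that legitimately invite your users.
# The captured tenant name in the audit reports tells you which domains belong here.
$knownPartnerTenants = @('contosopartner.onmicrosoft.com')

# Phase 1: audit only. Matching mail is still delivered, but each hit is reported to the
# SOC mailbox so the team can confirm no legitimate partner traffic matches before enforcing.
New-TransportRule -Name 'TOAD - onmicrosoft.com invite lure' `
    -SubjectOrBodyMatchesPatterns $invitePattern `
    -ExceptIfSubjectOrBodyContainsWords $knownPartnerTenants `
    -Mode Audit `
    -SetAuditSeverity High `
    -GenerateIncidentReport 'soc-alerts@example.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections `
    -Comments 'Matches the tenant-domain line in invite notifications. Enforce only after audit review.'

# Phase 2, after the audit window: quarantine matches. The partner exception is re-applied with
# the list updated from the audit, so the whole .onmicrosoft.com namespace is never blocked outright.
Set-TransportRule -Identity 'TOAD - onmicrosoft.com invite lure' `
    -ExceptIfSubjectOrBodyContainsWords $knownPartnerTenants `
    -Mode Enforce `
    -Quarantine $true
```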
