New Sophisticated Phishing Attack Exploiting Microsoft 365 Infrastructure To Attack Users


A sophisticated new phishing campaign has been discovered that exploits Microsoft 365’s legitimate infrastructure to conduct highly convincing credential harvesting and account takeover attempts.

Unlike traditional phishing attempts that rely on lookalike domains or email spoofing, this attack leverages Microsoft’s own trusted systems to bypass security controls and deceive users.

The attack utilizes Microsoft’s legitimate service-generated emails with valid authentication markers (SPF, DKIM, DMARC), making it significantly more difficult for both technical controls and human recipients to detect.

By manipulating tenant properties and organization display names within Microsoft 365, attackers can embed phishing content directly within trusted Microsoft communications.

Guardz Security researchers identified that adversaries establish control over multiple Microsoft 365 organization tenants, either by registering new ones or compromising existing ones.

Each tenant plays a strategic role in the attack chain, with some facilitating fraudulent activities, others used for brand impersonation, and some functioning as covert relay points.

The most alarming aspect of this attack is how it exploits Microsoft’s own billing notification system. When a subscription event is triggered, Microsoft automatically sends confirmation emails that incorporate the organization’s display name.

Attackers manipulate this field to include fraudulent messages like: “(Microsoft Corporation) Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-4716 to request a refund.”

Attack Process

The attack begins with threat actors creating administrative accounts under “*.onmicrosoft.com” domains to reduce visibility.

Attack chain (Source – Guardz)

They then configure organization name fields with complete phishing messages that urge victims to call fraudulent support numbers.

When legitimate Microsoft billing events are triggered, the system generates emails carrying these malicious messages.

Examination of the email headers reveals how attackers leverage Microsoft’s mail infrastructure:

From: Microsoft
Date: Mon, 24 Feb 2025 11:46:31 +0000
Subject: Microsoft subscription purchase confirmation
Message-ID:
Return-Path:
Email header sample showing legitimate Microsoft sending domain (Source – Guardz)

What makes this attack particularly dangerous is that SPF, DKIM and DMARC cannot catch it. Those mechanisms only confirm that a message genuinely came from the domain it claims to come from, and these messages genuinely do originate from Microsoft’s own sending infrastructure, so they pass every standard authentication check. The malicious text sits in a field that Microsoft populated on the attacker’s behalf, and its call to action moves the victim off email and onto a phone call with the attacker, a channel where far fewer security controls apply.
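Because the authentication results are genuine, detection has to move to the content of the notification itself. The following is an added example, not code from the Guardz report or from Microsoft, that shows the check a mail-flow rule or SOC script would apply: confirm that spf, dkim and dmarc all passed (so they are not the signal), then inspect the organization display name for things a legitimate company name never contains, such as a phone number, refund or call-to-action wording, a leading “Microsoft” brand string, or excessive length. The two sample messages are constructed; the sender address, Message-ID, Authentication-Results host and the “Organization:” body line are assumed placeholders rather than Microsoft’s real template, and the 64-character length threshold is an assumed tuning value. Only the quoted display-name text and phone number are taken from the article.

```python
import re
from email import policy
from email.parser import BytesParser
from typing import Optional

# Constructed sample modelled on the Guardz description. Sender, Message-ID,
# Authentication-Results host and the "Organization:" line are ASSUMED placeholders;
# the quoted display-name text and phone number are those reported in the article.
PHISHING_EMAIL = b"""From: Microsoft <billing@example.invalid>
To: victim@example.invalid
Date: Mon, 24 Feb 2025 11:46:31 +0000
Subject: Microsoft subscription purchase confirmation
Message-ID: <placeholder@example.invalid>
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=example.invalid; dkim=pass header.d=example.invalid; dmarc=pass
Content-Type: text/plain; charset=utf-8

Thank you for your purchase.

Organization: (Microsoft Corporation) Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-4716 to request a refund.

Product: Microsoft 365 Business Basic
"""

# Constructed benign counterpart: same template, an ordinary organization name.
BENIGN_EMAIL = b"""From: Microsoft <billing@example.invalid>
To: admin@example.invalid
Date: Mon, 24 Feb 2025 12:02:10 +0000
Subject: Microsoft subscription purchase confirmation
Message-ID: <placeholder2@example.invalid>
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=example.invalid; dkim=pass header.d=example.invalid; dmarc=pass
Content-Type: text/plain; charset=utf-8

Thank you for your purchase.

Organization: Contoso Ltd

Product: Microsoft 365 Business Basic
"""

# North-American style phone number, with or without a leading 1 and punctuation.
PHONE_RE = re.compile(r"(?:\+?1[\s\-.]?)?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}")
# Wording that pushes the reader to act; it has no business in a company name.
URGENCY_RE = re.compile(r"\b(?:did not authorize|unauthori[sz]ed|refund|call)\b", re.I)
# A display name that opens by naming Microsoft is impersonating the real sender.
BRAND_RE = re.compile(r"^\W*microsoft\b", re.I)
MAX_SANE_NAME_LEN = 64  # ASSUMED threshold; tune to the longest legitimate name you see


def authentication_passed(msg) -> bool:
    """True when the receiving MTA recorded spf, dkim and dmarc all as pass.
    The attack relies on exactly this, so a pass here is expected, not a signal."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def extract_org_name(body: str) -> Optional[str]:
    """Pull the organization display name from the body.
    ASSUMED template: a line starting with "Organization:"; adapt to the real one."""
    for line in body.splitlines():
        if line.lower().startswith("organization:"):
            return line.split(":", 1)[1].strip()
    return None


def display_name_indicators(name: str) -> list:
    """Content checks on the display name; an empty list means nothing odd."""
    flags = []
    if PHONE_RE.search(name):
        flags.append("phone number in organization name")
    if URGENCY_RE.search(name):
        flags.append("call-to-action wording in organization name")
    if BRAND_RE.search(name):
        flags.append("organization name impersonates Microsoft")
    if len(name) > MAX_SANE_NAME_LEN:
        flags.append("organization name unusually long")
    return flags


def assess(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message for mail-flow or SOC tooling."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    org = extract_org_name(body) or ""
    flags = display_name_indicators(org)
    # Fallback if the template differs: a phone number plus urgency anywhere in a
    # purchase confirmation is still worth an analyst's attention.
    if not flags and PHONE_RE.search(body) and URGENCY_RE.search(body):
        flags.append("phone number with call-to-action wording in body")
    return {
        "authenticated": authentication_passed(msg),
        "org_name": org,
        "indicators": flags,
        "verdict": "suspicious" if flags else "clean",
    }
```

Run against the two constructed samples, both report `authenticated: True`; only the first comes back `suspicious`, with all four display-name indicators raised. The point of the design is that the authentication result is recorded but deliberately not used as a discriminator: a rule that trusts "from Microsoft, all checks pass" is precisely the rule this campaign defeats.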



