Microsoft 365 Targeted in New Phishing, Account Takeover Attacks

  • 17.03.2025 13:40
  • securityweek.com
  • Keywords: Phishing, Account Takeover

Microsoft 365 is being targeted by phishing and account takeover attacks in two campaigns. Attackers abuse legitimate Microsoft domains, fake billing emails, and malicious OAuth apps to steal credentials and impersonate Microsoft.

Estimated market influence

Microsoft

Negative
Analyst rating: Strong buy

Targeted in phishing and account takeover attacks, compromising user trust and exposing sensitive data.

Guardz

Positive
Analyst rating: N/A

Warns about the phishing campaign and explains its challenges for detection.

Proofpoint

Negative
Analyst rating: N/A

Observed malicious campaigns using OAuth redirection and brand impersonation, leading to potential credential theft and malware distribution.

Adobe

Negative
Analyst rating: Buy

Their services were impersonated in phishing attacks, risking their brand's reputation and user trust.

Docusign

Negative
Analyst rating: Neutral

Impersonated in phishing campaigns, leading to potential unauthorized access and data breaches.

Context

Analysis and Summary: Microsoft 365 Targeted in Phishing and Account Takeover Attacks

Key Facts and Data Points:

  • Target: Microsoft 365 users and infrastructure

  • Attack Types:

    • Business Email Compromise (BEC) campaign
    • Account Takeover (ATO)
    • Phishing attacks using legitimate Microsoft domains
  • Campaign Details:

    • Attackers control multiple Microsoft 365 tenants (new or compromised).
    • Create administrative accounts and send phishing emails mimicking Microsoft transaction notifications.
    • Use voice communication to evade detection, bypassing traditional email security controls.
    • Exploit trusted communication channels and tenant misconfigurations.
  • Malicious OAuth Applications:

    • Three new OAuth applications impersonating Adobe and Docusign services (Adobe Drive, Adobe Acrobat, Docusign).
    • Redirect users to phishing pages or malware-hosted websites.
    • Request permissions to access Microsoft 365 accounts, stealing credentials and personal data.
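An added detection heuristic for the consent-phishing pattern described above (example code, not from the article or any vendor it cites): a consent grant is flagged when the app's display name carries a trusted brand token but the publisher is unverified or outside that brand's expected domain, with sensitive scopes only raising severity. The record fields, BRAND_DOMAINS and SENSITIVE_SCOPES are assumptions, and the sample records are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Brand tokens abused in the campaign, mapped to the publisher domain a genuine
# app of that brand would be expected to come from (assumed mapping).
BRAND_DOMAINS = {"adobe": {"adobe.com"}, "acrobat": {"adobe.com"}, "docusign": {"docusign.com"}}
# Delegated permissions exposing mail/files or granting long-lived access (assumed set).
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access"}

@dataclass
class Finding:
    app_name: str
    reasons: list = field(default_factory=list)

def assess_consent(event: dict) -> Optional[Finding]:
    """Flag a consent grant when a brand-named app comes from an unexpected publisher."""
    name = event["app_display_name"]
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", name, re.IGNORECASE)]
    if not brands:
        return None  # no trusted-brand token in the name; outside this heuristic
    expected = set().union(*(BRAND_DOMAINS[b] for b in brands))
    reasons = []
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")
    domain = event.get("publisher_domain", "").lower()
    if domain not in expected:
        reasons.append(f"publisher domain {domain!r} not in {sorted(expected)}")
    if not reasons:
        return None  # verified publisher on the brand's own domain: looks genuine
    # Scopes do not decide on their own (a genuine Adobe app may ask for them);
    # they only raise the severity of an already suspicious grant.
    risky = sorted(set(event.get("scopes", [])) & SENSITIVE_SCOPES)
    if risky:
        reasons.append("sensitive scopes requested: " + ", ".join(risky))
    return Finding(name, reasons)

def review(events: list) -> list:
    """Run the check over a batch of consent-grant records."""
    return [f for f in map(assess_consent, events) if f is not None]

# Constructed sample records (simplified; not a real audit-log schema).
CONSENT_EVENTS = [
    {"app_display_name": "Adobe Acrobat", "publisher_verified": False,
     "publisher_domain": "files-share.example", "scopes": ["openid", "email", "offline_access"]},
    {"app_display_name": "Docusign", "publisher_verified": True,
     "publisher_domain": "docusign.com", "scopes": ["openid", "User.Read"]},
    {"app_display_name": "Expense Tracker", "publisher_verified": False,
     "publisher_domain": "tracker.example", "scopes": ["Mail.Read"]},
]
```

Only the first record is flagged: the second is a brand app from its own verified publisher, and the third carries no brand token, so its sensitive scope alone does not trigger this heuristic.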

Market Implications:

  • Increased Cybersecurity Spending: Organizations using Microsoft 365 may increase investment in advanced threat detection and mitigation tools.
  • Shift to Voice-Based Phishing: Attackers are moving from email to voice-based communication, highlighting the need for enhanced security controls beyond traditional email filtering.
  • Brand Impersonation Risks: The use of trusted brands (e.g., Adobe) underscores the growing trend of brand impersonation in cyberattacks.

Competitive Dynamics:

  • Microsoft's Reputation at Stake: As a leading cloud provider, any vulnerabilities in Microsoft 365 could impact its market position and customer trust.
  • Pressure on Cloud Providers: Other cloud providers may face increased scrutiny to ensure their services are secure against similar attacks.
  • Focus on Detection Solutions: Companies offering advanced threat detection tools (e.g., Guardz, Proofpoint) may see heightened demand for their solutions.

Strategic Considerations:

  • Tenant Configuration Security: Organizations must review and secure Microsoft 365 tenant configurations to prevent unauthorized access.
  • Multi-Factor Authentication (MFA): Widespread adoption of MFA could mitigate risks associated with credential theft.
  • User Education: Train employees to recognize phishing attempts, especially those delivered over trusted communication channels.

Long-Term Effects:

  • Regulatory Impact: Potential new regulations or compliance requirements for securing cloud infrastructure and detecting malicious activities.
  • Shift to Zero-Trust Architecture: Organizations may adopt zero-trust models to reduce risks from internal and external threats.
  • Evolving Threat Landscape: The use of legitimate domains and trusted communication channels signals a shift in attack strategies, requiring continuous adaptation by defenders.

Conclusion:

The attacks on Microsoft 365 highlight critical vulnerabilities in cloud infrastructure and the need for enhanced security measures. Businesses must prioritize tenant configuration security, employee training, and advanced threat detection to mitigate risks. The long-term implications include increased cybersecurity spending, regulatory scrutiny, and a potential shift toward zero-trust architectures.