Security researchers at Guardz have warned of new malicious campaigns that abuse Microsoft 365 for phishing, or target the service’s users to take over their accounts.
As part of one campaign, malicious actors are leveraging legitimate Microsoft domains and tenant misconfigurations in BEC attacks likely aimed at stealing credentials and performing account takeover (ATO).
According to the researchers, this attack exploits genuine Microsoft services to fashion a trusted delivery mechanism for phishing content, making it tricky for technical controls and security practitioners to detect.
Operating Within Microsoft’s Ecosystem
Unlike conventional phishing, which depends on fake domains crafted to appear like the genuine article, or email spoofing, this method operates entirely within Microsoft’s ecosystem, slipping past security measures and user scepticism by exploiting native M365 infrastructure to drop phishing lures that seem authentic and blend in invisibly.
The malicious actors were seen controlling multiple Microsoft 365 organization tenants (either new or compromised), creating administrative accounts, crafting misleading full-text messages aping Microsoft transaction notifications, initiating a purchase or trial subscription event to generate a billing email, and then sending phishing emails using Microsoft’s infrastructure.
By tweaking entity names and relying on a trusted communication channel to deliver phishing emails containing fake support contact numbers, the attackers instructed victims to interact with a call center, moving the communication to voice, where fewer security controls apply.
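The lure described above arrives from Microsoft's own sending domains, so domain reputation and DMARC pass; what remains detectable is the content the attacker controls: the organization display name echoed into the billing notification and the phone number plus call-to-action text placed in the body. The following is an added detection example, not code from Guardz or from the Microsoft 365 service; the sender domain list, the sample notifications and the lure vocabulary are constructed assumptions to be tuned against the mail a given tenant actually receives.

```python
import re
from dataclasses import dataclass

# Assumption: domains from which genuine Microsoft transactional mail arrives.
# Only mail that already passed authentication from these domains is analysed,
# because that is exactly the mail the campaign described above hides behind.
MICROSOFT_NOTIFICATION_DOMAINS = {"microsoft.com", "microsoft-noreply.com"}

# Loose phone-number shape: optional "+", then 9+ characters of digits/separators.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
# Wording that pushes the reader towards a phone call (constructed list).
LURE_WORDS = re.compile(r"\b(call|cancel|refund|charged|dispute|support|helpdesk)\b", re.I)


@dataclass
class Notification:
    sender: str
    subject: str
    org_name: str  # tenant / organization display name Microsoft echoes into the mail
    body: str


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def phone_with_call_to_action(text: str, window: int = 60):
    """Return the first phone number that has lure wording within `window`
    characters of it, or None. The proximity check keeps order numbers that
    merely look like phone numbers from triggering."""
    for match in PHONE_RE.finditer(text):
        context = text[max(0, match.start() - window): match.end() + window]
        if LURE_WORDS.search(context):
            return match.group().strip()
    return None


def analyze(mail: Notification) -> list:
    """Return human-readable findings for one Microsoft-originated notification."""
    findings = []
    if sender_domain(mail.sender) not in MICROSOFT_NOTIFICATION_DOMAINS:
        return findings  # outside the pattern this check is built for
    if PHONE_RE.search(mail.org_name) or LURE_WORDS.search(mail.org_name):
        findings.append("organization name carries a phone number or call-to-action wording")
    number = phone_with_call_to_action(mail.body)
    if number:
        findings.append(f"phone number {number} with call-to-action wording in notification body")
    return findings


# Constructed samples: one ordinary order confirmation, one lure-shaped trial notice.
LEGITIMATE_SAMPLE = Notification(
    sender="microsoft-noreply@microsoft.com",
    subject="Your Microsoft 365 order",
    org_name="Contoso Ltd",
    body="Thank you for your order. Order number: 1234-5678-9012. View it in the admin center.",
)
LURE_SAMPLE = Notification(
    sender="microsoft-noreply@microsoft.com",
    subject="Your Microsoft 365 trial has started",
    org_name="Billing Dept - Call +1 (800) 555-0199 to cancel",
    body=("Your trial of Microsoft 365 Business Standard has started. "
          "Organization: Billing Dept - Call +1 (800) 555-0199 to cancel. "
          "You will be charged 199.99 USD."),
)

if __name__ == "__main__":
    for sample in (LEGITIMATE_SAMPLE, LURE_SAMPLE):
        print(sample.subject, "->", analyze(sample) or "clean")
```

The order-number case in the legitimate sample matters: a bare phone-number regex would flag it, which is why the body check insists on lure wording within a short window of the number. In a real deployment the same two checks would run as a post-delivery rule over mail already authenticated as Microsoft's, and the organization-name check can be applied to the tenant's own display name as well.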
“By exploiting the inherent trust in Microsoft’s cloud services, this phishing campaign is significantly more challenging for security teams to detect and mitigate, evading domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms,” said Dor Eisner, cofounder and CEO at Guardz.
Implement Multi-Layered Messaging Protection
J Stephen Kowski, Field CTO at SlashNext, advises security teams to immediately implement multi-layered messaging protection that goes beyond traditional email security controls, as sophisticated attacks like these exploit legitimate Microsoft infrastructure to bypass standard defenses.
“Enable advanced phishing protection that can detect tenant manipulation and organizational profile spoofing, while implementing real-time scanning technology that can identify and remediate threats even after delivery to inboxes. Don’t rely solely on native Microsoft 365 protections—deploy solutions that can analyze communication patterns, detect suspicious behavior across multiple channels, and automatically remove malicious content from all affected user inboxes.”
Kowski says there shouldn’t be inherent trust in any cloud service, as this mindset creates dangerous security gaps that sophisticated attackers readily exploit. “Organizations must adopt zero trust principles when using Microsoft 365, implementing continuous verification and least privilege access even for seemingly legitimate communications from trusted domains. Advanced protection solutions that analyze behavioral patterns, inspect email content for manipulation, and provide real-time threat intelligence are essential to combat attacks that leverage legitimate infrastructure to appear trustworthy.”
Limit Administrative Access
“With this attack, the caller is coming from inside the house to use a movie metaphor,” adds Rom Carmel, Co-Founder and CEO at Apono. “By weaponizing Microsoft 365’s own infrastructure to bypass traditional phishing defenses, this demonstrates that enterprises need to do more to protect themselves. With Just-in-Time (JIT) permissions, organizations can limit administrative access to only when it’s needed, reducing the risk of attackers creating rogue accounts or modifying tenant settings.”
Use ML-Powered Tools
Despite increased focus on cybersecurity awareness training and email security, organizations and their employees continue to be plagued by successful phishing attempts, including business email compromise (BEC), comments Nicole Carignan, Senior Vice President, Security & AI Strategy, and Field CISO at Darktrace. “As noted in our Half-Year Threat Report 2024, between December 2023 and July 2024, Darktrace detected 17.8 million phishing emails across our customer fleet.”
She says many tools used by entities today depend on historical attack data to identify and stop known email threats from re-entering inboxes, but this approach often fails to recognize new or unknown threats. “As the sophistication of phishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks. Instead, organizations must use machine learning-powered tools that can understand how their employees interact with their inboxes and build a profile of what activity is normal for users, including their relationships, tone and sentiment, content, when and how they follow or share links, etc. Only then can they accurately recognize suspicious activity that may indicate an attack or BEC.”
Enforce MFA
Bad actors are finding new ways to exploit trusted platforms like Microsoft 365, using compromised or newly created tenants to send phishing emails that appear genuine, adds Patrick Tiquet, Vice President, Security & Architecture at Keeper Security. “By manipulating billing notifications and moving victims to phone-based scams, attackers are bypassing traditional email security measures and making these threats harder for organizations to detect.”
Tiquet advises a layered security approach. “Enforcing Multi-Factor Authentication (MFA) is essential for preventing account takeovers, and security teams should actively monitor for unauthorized admin changes within Microsoft 365. Employees should also be trained to recognize suspicious billing emails and avoid engaging with unverified support contacts. Using a password manager helps prevent credential reuse, which limits the damage if an account is compromised. As phishing tactics evolve, businesses must stay ahead by combining strong authentication, security monitoring and user awareness training.”
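Two of the controls raised in this section, limiting administrative access to a Just-in-Time path (Carmel) and monitoring for unauthorized admin changes (Tiquet), can be checked against the tenant's audit trail. The example below is added here and is not code from Apono, Keeper Security or Microsoft: it replays constructed records loosely shaped like Microsoft 365 Unified Audit Log entries (the field names, operation strings and the `jit-broker` approved-granter account are assumptions for illustration) and raises an alert when a privileged role is granted outside the approved path, when the target account was created minutes earlier, or when the organization display name is changed to carry a phone number, which is the entity-name tweak the campaign relies on.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data), one JSON object per line,
# shaped like Unified Audit Log entries; field and operation names are assumptions.
SAMPLE_LOG = """
{"CreationTime": "2025-03-01T09:00:12", "Operation": "Add user.", "UserId": "adm.temp@contoso.example", "ObjectId": "support-desk@contoso.example", "ModifiedProperties": []}
{"CreationTime": "2025-03-01T09:03:40", "Operation": "Add member to role.", "UserId": "adm.temp@contoso.example", "ObjectId": "support-desk@contoso.example", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Billing Administrator"}]}
{"CreationTime": "2025-03-01T09:05:02", "Operation": "Set Company Information.", "UserId": "adm.temp@contoso.example", "ObjectId": "contoso.example", "ModifiedProperties": [{"Name": "DisplayName", "NewValue": "Billing Dept - Call +1 (800) 555-0199 to cancel"}]}
{"CreationTime": "2025-03-01T10:00:00", "Operation": "Add member to role.", "UserId": "jit-broker@contoso.example", "ObjectId": "alice@contoso.example", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Exchange Administrator"}]}
{"CreationTime": "2025-03-01T11:00:00", "Operation": "Add user.", "UserId": "hr-sync@contoso.example", "ObjectId": "newhire@contoso.example", "ModifiedProperties": []}
"""

PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Billing Administrator", "Exchange Administrator",
}
# Assumption: the only identity allowed to grant roles is the JIT broker that
# hands out time-boxed access; any other granter is outside the approved path.
APPROVED_GRANTERS = {"jit-broker@contoso.example"}
NEW_ACCOUNT_WINDOW = timedelta(hours=1)
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON records and sort them by time."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for record in records:
        record["CreationTime"] = datetime.fromisoformat(record["CreationTime"])
    return sorted(records, key=lambda r: r["CreationTime"])


def new_value(record: dict, name: str):
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == name:
            return prop.get("NewValue")
    return None


def detect(records: list) -> list:
    """Return (timestamp, alert kind, message) tuples for suspicious admin changes."""
    alerts = []
    created_at = {}  # account -> time its creation was seen in this log
    for record in records:
        op, actor = record["Operation"], record["UserId"]
        target, ts = record["ObjectId"], record["CreationTime"]
        if op == "Add user.":
            created_at[target] = ts
        elif op == "Add member to role.":
            role = new_value(record, "Role.DisplayName")
            if role in PRIVILEGED_ROLES and actor not in APPROVED_GRANTERS:
                message = f"{actor} granted {role} to {target} outside the JIT path"
                born = created_at.get(target)
                if born is not None and ts - born <= NEW_ACCOUNT_WINDOW:
                    minutes = int((ts - born).total_seconds() // 60)
                    message += f" (account created {minutes} min earlier)"
                alerts.append((ts.isoformat(), "privileged-role-grant", message))
        elif op == "Set Company Information.":
            name = new_value(record, "DisplayName")
            if name and PHONE_RE.search(name):
                alerts.append((ts.isoformat(), "tenant-name-lure",
                               f"{actor} set organization name to {name!r}"))
    return alerts


ALERTS = detect(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for ts, kind, message in ALERTS:
        print(ts, kind, message)
```

The grant by `jit-broker` at 10:00 produces no alert because it is the approved path; the earlier sequence (new account, privileged role within minutes, organization name rewritten to a phone-number lure) produces two. Keeping role grants on a single broker identity is what makes the first rule precise: once every legitimate grant flows through JIT, any grant by another actor is, by definition, worth a ticket.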
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.