Summary: Guardz researchers have identified a sophisticated phishing campaign that bypasses traditional email security controls by abusing the inherent trust placed in Microsoft 365 infrastructure. The attackers exploit legitimate Microsoft domains and misconfigured tenants to conduct Business Email Compromise (BEC) attacks aimed at credential harvesting and account takeover, and because the technique operates entirely within the Microsoft ecosystem, conventional email security controls do not catch it. The attack chain involves adversaries gaining control of multiple Microsoft 365 tenants, creating administrative accounts, and manipulating tenant organization names to embed phishing lures within legitimate Microsoft service-generated emails, specifically the billing notifications triggered by initiating purchases. This method leverages Microsoft's trusted email domain and digital signatures to deliver highly deceptive phishing content to users' inboxes, urging them to call fraudulent support numbers for socially engineered vishing attacks that lead to malware installation or data theft.
Security Officer Comments: The exploitation of trusted infrastructure like Microsoft 365 signifies a move beyond traditional methods such as domain spoofing. Attackers are strategically exploiting the inherent trust users place in one of the most well-known platforms, and the security mechanisms designed to validate it. The multi-tenant approach, whether by registering new tenants or compromising existing ones, demonstrates a degree of sophistication: it lets the attackers assign each tenant a distinct role in the operation, further obfuscating their activity. To make the phishing attempt appear genuine, the attackers modify the second Microsoft 365 tenant's displayed organization name to include a deceptive message that looks like a real Microsoft transaction alert. They take advantage of the standard tenant display name functionality within Microsoft 365; no vulnerability is exploited.
The reliance on social engineering through fraudulent support numbers, rather than direct malicious links in the email body, further enhances the campaign's effectiveness by guiding victims through a seemingly legitimate interaction. A layered security approach, combined with user awareness training that specifically addresses the potential for phishing within trusted platforms and service notifications, is paramount for detection and prevention. Continuous monitoring of tenant configurations and any unusual activity within the Microsoft 365 environment will also be essential in mitigating these advanced threats.
Suggested Corrections:
According to Guardz: This attack presents unique challenges for detection:
- Traditional email authentication (DKIM, SPF, DMARC) cannot detect it
- The sending domain is legitimately Microsoft[.]com
- Content filtering may miss the scam content in organization metadata
- The email passes through legitimate Microsoft infrastructure
Protecting against this attack vector:
- Enhanced email analysis: Implement content inspection that analyzes organization fields and metadata; check return-path headers (e.g., suspicious paths like bounces+SRS=**@*.onmicrosoft.com)
- User awareness: Train users with phishing awareness to recognize suspicious elements and think twice before phoning an unverified number.
- Phone verification: validate official support numbers rather than calling those in emails; reference Microsoft’s official directory: https://support.microsoft.com/en-us/topic/customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2
- Be aware of unknown .onmicrosoft.com domains: Be suspicious of communications from unfamiliar .onmicrosoft.com domains / newly created tenants.
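The two detection heuristics listed under "Enhanced email analysis" can be scripted against raw messages. The following is an added example written for this bulletin, not code from Guardz or Microsoft: it parses an RFC 5322 message, flags a Return-Path that matches the bounces+SRS=**@*.onmicrosoft.com shape, and flags a phone number that sits next to a "call"/"cancel"-style instruction in the From, Subject or body (where the tenant organization name is rendered). The regular expressions, the 60-character context window, and the two sample messages are assumptions constructed for the example; the phone number and tenant name are fictitious.

```python
"""Header/metadata heuristics for the Microsoft 365 billing-notification vishing lure.

Added example (not from the Guardz write-up). It implements the two checks the
advisory suggests: an SRS bounce Return-Path on an .onmicrosoft.com tenant, and a
phone number with a call-to-action inside the organization-name text that the
notification renders. The sample messages are constructed, not real captures.
"""
import re
from email import message_from_string, policy

# Return-Path shape called out in the advisory: bounces+SRS=**@*.onmicrosoft.com
SRS_ONMICROSOFT_RE = re.compile(
    r"^bounces\+SRS=[^@\s]+@[^@\s]+\.onmicrosoft\.com$", re.IGNORECASE
)
# Loose phone-number pattern (assumption); it only has to find lures, not validate numbers.
PHONE_RE = re.compile(r"\+?\d[\d\-.\s()]{8,}\d")
# A number is only treated as a lure when a "call us" style instruction is nearby.
LURE_WORDS_RE = re.compile(r"\b(call|contact|helpline|support|cancel|refund)\b", re.IGNORECASE)
WINDOW = 60  # characters of context inspected on either side of a number (assumption)


def _plain_body(msg) -> str:
    """Return the decoded text/plain (or html fallback) body, or '' if none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def find_lures(field: str, text: str):
    """Yield (field, number) for every phone number with a call-to-action nearby."""
    for m in PHONE_RE.finditer(text):
        context = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        if LURE_WORDS_RE.search(context):
            yield field, m.group().strip()


def analyze(raw: str) -> dict:
    """Score one raw message. SPF/DKIM/DMARC pass on these mails, so they are not consulted."""
    msg = message_from_string(raw, policy=policy.default)
    return_path = str(msg.get("Return-Path", "")).strip().strip("<>")
    srs_hit = bool(SRS_ONMICROSOFT_RE.match(return_path))

    # The tenant organization name can surface in Subject, From or body, so all three
    # are scanned; the constructed sample carries it on an "Organization:" body line.
    fields = (
        ("From", str(msg.get("From", ""))),
        ("Subject", str(msg.get("Subject", ""))),
        ("body", _plain_body(msg)),
    )
    lures = [hit for field, text in fields for hit in find_lures(field, text)]
    return {
        "return_path": return_path,
        "srs_onmicrosoft": srs_hit,
        "lures": lures,
        "suspicious": srs_hit or bool(lures),
    }


# Constructed sample: the lure is embedded in the organization name the notice echoes.
LURE_SAMPLE = """\
Return-Path: <bounces+SRS=k7Qx2=AB=example.org=user@contoso-billing.onmicrosoft.com>
From: Microsoft <microsoft-noreply@microsoft.com>
To: user@example.org
Subject: Your Microsoft 365 purchase confirmation
Content-Type: text/plain; charset=utf-8

Thank you for your purchase.
Organization: PURCHASE ALERT - call +1 (800) 555-0142 to cancel this charge
Amount: $399.00
"""

# Constructed sample: an ordinary notice with a plain bounce address and no phone lure.
BENIGN_SAMPLE = """\
Return-Path: <microsoft-noreply@microsoft.com>
From: Microsoft <microsoft-noreply@microsoft.com>
To: user@example.org
Subject: Your Microsoft 365 purchase confirmation
Content-Type: text/plain; charset=utf-8

Thank you for your purchase.
Organization: Fabrikam Ltd
Order number: 1234567890
Manage this subscription in the Microsoft 365 admin center.
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(sample))
```

Run on its own, the script prints a verdict for each constructed sample; in a mail gateway or a SIEM enrichment step the `analyze` result would feed a quarantine or alert rule. The lure-word window is what keeps order numbers and invoice totals from tripping the phone check, so tune that word list to the billing wording seen in your own tenant's genuine notifications before relying on it.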
Link(s): https://guardz.com/blog/sophisticated-phishing-campaign-exploiting-microsoft-365-infrastructure/