Microsoft 365 Phishing

Microsoft 365 phishing attacks are inevitable due to the number of businesses that use the software package. According to Microsoft, more than 1 million businesses worldwide use Microsoft 365, with Microsoft reporting earlier in 2022 that it has surpassed 345 million users worldwide. That makes Microsoft 365 a big target. If a phishing campaign can be developed that bypasses Microsoft’s protections, a highly successful campaign can be conducted on all businesses that use Microsoft 365.

Microsoft 365 phishing attacks are conducted to steal Microsoft 365 credentials, allowing threat actors to gain access to accounts and obtain large volumes of sensitive data. These attacks also give threat actors a foothold in the network from where they can conduct a much more extensive compromise. Credentials stolen in attacks are often sold on hacking forums to other threat actors, including ransomware gangs. Microsoft 365 accounts contain a wealth of valuable and easily monetized data, and the email accounts can be used to conduct convincing phishing and business email compromise (BEC) attacks,

After gaining access to accounts, the attackers search through mailboxes looking for information about financial transactions, allowing them to create convincing emails to redirect upcoming payments to accounts under their control.  BEC attacks see transfers of hundreds of thousands or even millions of dollars made, with the scams often not detected until after the funds have been withdrawn. Attacks on Microsoft accounts can be extremely profitable.

Microsoft 365 Phishing Attacks Bypass MFA Protection

In the summer of 2019, Microsoft published a blog post that highlighted the importance of implementing multifactor authentication on accounts, stating that this easily implemented measure will block 99.9% of automated attacks on accounts. The number of businesses that have implemented multifactor authentication on their accounts is growing, and that has the potential to prevent phishing attacks from succeeding; however, recently phishing campaigns have been conducted that allow threat actors to bypass multifactor authentication.

These phishing campaigns look similar to many others, but this is an adversary-in-the-middle (AitM) phishing campaign that uses a reverse proxy in the backend infrastructure. The target’s email address is encoded in the URL of the phishing page, which is used to populate the login field on the phishing site. The user only needs to enter their password. The phishing pages pull the content from the genuine Microsoft login page in real time, so when the password is entered on the phishing page, it is automatically used to log in on the genuine Microsoft site. The phishing page also displays the multifactor authentication prompt in real-time, and when the login process is completed and the MFA is passed, the site captures the user’s session cookie, which allows the threat actor to access the genuine Microsoft 365 account without having to authenticate again. This is achieved using the Evilginx2 phishing toolkit. In some cases, once access was gained, a different method of authentication was established to allow the threat actor to continue to access the account when the session cookie expired or was revoked.

How to Improve Defenses Against Microsoft 365 Phishing Campaigns

Many Microsoft 365 phishing attacks are not capable of bypassing multifactor authentication, so it should be implemented, but steps should be taken to protect against the AitM attacks that do successfully bypass MFA. Microsoft recommends setting up conditional access policies that check for compliant devices and trusted IP addresses before completing the authentication process. It is also recommended to monitor for suspicious logins, such as unusual locations or ISPs.

Anti-Phishing Demo
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo

One of the most important measures to take to block Microsoft 365 phishing attacks is to ensure that you have robust anti-phishing controls in place. Microsoft offers a basic level of protection for email accounts through Exchange Online Protection (EOP) that includes connection filtering, anti-malware controls, policy filtering, and content filtering. EOP will block a high percentage of spam and phishing emails and all known malware; however, more advanced measures are needed to block sophisticated phishing attacks and zero-day malware.

The best defense is to implement a third-party solution to protect against sophisticated threats and to layer that solution on top of EOP. With SpamTitan Cloud, it is easy to augment Microsoft’s native EOP protection and greatly improve your defenses against zero-day malware and advanced phishing threats. SpamTitan Cloud performs real-time analysis of emails, including a behavioral analysis of file attachments in a sandbox, with protection also provided against malicious links in emails. The solution also incorporates machine learning algorithms and uses heuristics and Bayesian analysis to predict novel phishing attempts.

It is also strongly recommended to provide training to the workforce to teach employees how to recognize and avoid Microsoft 365 phishing attempts, as phishing emails will occasionally be delivered to inboxes. Regular security awareness training coupled with phishing simulations has been proven to greatly reduce susceptibility to phishing attacks.
TitanHQ offers the SafeTitan security awareness training platform and phishing simulator. The platform includes an extensive library of interactive and enjoyable training content to help businesses turn their employees into security Titans, with the phishing simulation platform including hundreds of phishing templates taken from real-world attacks. SafeTitan is the only behavior-driven security awareness training platform that delivers intervention training in real-time

For more information on improving your defenses against Microsoft 365 phishing attacks, contact TitanHQ today.