How did the Microsoft 365 email phishing attack affect users?
A large-scale, well-organised email spoofing campaign targeted 200 million Microsoft 365 users, particularly in the financial services, health care, insurance, manufacturing, utilities and telecom sectors.
The cybercriminals used a domain spoofing technique to craft emails that mimic seemingly legitimate Microsoft.com addresses (i.e. firstname.lastname@example.org). According to Ironscales' VP of R&D Lomy Ovadia, “the attack is comprised of a realistic-looking email that attempts to persuade users to take advantage of a relatively new Office 365 capability that allows for them to reclaim emails that have been accidentally marked as spam or phishing messages.”
Once recipients click the link in the email, which promises to take them to a secure portal where they can review and act on the so-called ‘quarantine messages’, they are asked to enter their legitimate Microsoft credentials on a fake authentication page. The credentials are then harvested and most likely sold on the dark web.
Businesses keen on preventing such Microsoft 365 phishing attacks – and attacks in general – are advised to strengthen their defences by configuring email authentication protocols such as DMARC, which is built precisely to block domain spoofing.
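To show why DMARC stops this kind of spoofing, here is an added example (not from the article or any vendor) that models the receiver-side check: the domain in the visible From header must be backed by an aligned SPF or DKIM pass, otherwise the published policy applies. The DMARC record, the domain `example.org` and the sender domain `mail.attacker.test` are constructed values; the organizational-domain helper is a two-label approximation rather than a public-suffix lookup.

```python
from email.utils import parseaddr

# Constructed DMARC TXT record for the protected domain (example values, not a real DNS lookup).
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.org"


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs; alignment modes default to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def from_domain(header_value: str) -> str:
    """Domain of the RFC5322.From address; the display name is ignored, as DMARC requires."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, hdr_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain or not hdr_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == hdr_domain.lower()
    return org_domain(auth_domain) == org_domain(hdr_domain)


def dmarc_disposition(from_header, spf_result, spf_domain, dkim_result, dkim_domain, record=DMARC_RECORD):
    """Return 'pass' if SPF or DKIM passes AND aligns with the From domain, else the policy action."""
    tags = parse_dmarc(record)
    hdr = from_domain(from_header)
    spf_ok = spf_result == "pass" and aligned(spf_domain, hdr, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, hdr, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Spoof: From claims the protected domain, but SPF only vouches for the real sending domain.
    print(dmarc_disposition('"Quarantine Center" <noreply@example.org>', "pass", "mail.attacker.test", "none", ""))
    # Legitimate mail relayed via a subdomain: SPF aligns under relaxed mode, so it passes.
    print(dmarc_disposition("alerts@example.org", "pass", "bounce.example.org", "none", ""))
```

Without a DMARC record (or with `p=none`) the first message would still be delivered with a spoofed From domain; with `p=reject` the receiving server discards it before the user ever sees the lure.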