Executive Summary
This report details ongoing phishing campaigns specifically targeting organisations utilizing Microsoft 365, with a primary focus on Office 365 tenants where Multi-Factor Authentication (MFA) is not enforced. Attackers leverage sophisticated social engineering tactics and convincing phishing pages to harvest user credentials. Successful compromise of accounts without MFA allows attackers immediate access, leading to potential data exfiltration, business email compromise (BEC), internal spear-phishing, and deployment of further malicious payloads. This report outlines the attack methodology, observed indicators, potential impact, and critical mitigation strategies, emphasizing the urgent need for MFA deployment.
Attack Vector and Methodology
The primary attack vector is phishing emails, often crafted to bypass standard email security filters. The methodology typically follows these stages:
- Reconnaissance (Optional but Common): Attackers may gather information about target organisations, including employee names, roles, and M365 usage, from public sources such as LinkedIn or company websites, or simply by performing an MX lookup on the targeted domain (which reveals whether its mail is hosted on Microsoft 365).
- Lure / Phishing Email:
- Themes: Common lures include fake security alerts (e.g., “Unusual sign-in activity,” “Password expiry”), notifications about shared documents, voicemail notifications, storage quota warnings, or urgent requests from “IT support” or “management.”
- Sender Spoofing: Attackers may spoof internal email addresses, trusted third-party services, or Microsoft itself.
- Content: Emails often contain urgent calls to action, instructing the recipient to click a link to verify their account, view a document, or prevent account suspension.
- Phishing Page:
- The link in the phishing email redirects the victim to a fake Microsoft 365 login page.
- These pages are often pixel-perfect replicas of the legitimate Microsoft login portal, making them difficult for untrained users to distinguish.
- Domains used for phishing pages are often typosquatted versions of legitimate domains or hosted on compromised websites.
- Credential Harvesting:
- The victim enters their M365 username and password into the fake login page.
- These credentials are then captured by the attacker.
- Account Access & Exploitation (No MFA):
- Since MFA is not enabled, the attacker can immediately use the harvested credentials to log into the victim’s M365 account.
- Common post-compromise activities include:
- Email Reconnaissance: Searching for sensitive information within emails and attachments.
- Setting up Mail Forwarding/Redirection Rules: To silently exfiltrate incoming emails or monitor communications.
- Business Email Compromise (BEC): Sending fraudulent emails from the compromised account (e.g., requesting wire transfers, changing payment details).
- Internal Spear-Phishing: Using the compromised account to send phishing emails to other employees or trusted contacts, leveraging the inherent trust.
- Data Exfiltration: Accessing and downloading files from OneDrive, SharePoint, and Teams.
- Further Compromise: Planting malware or attempting lateral movement (less common in pure credential phishing but possible).
Observed Activity / Indicators of Compromise (IoCs)
Organisations should monitor for the following indicators:
Email-based IoCs:
- Emails with urgent subject lines or calls to action related to account security or document access.
- Sender addresses that are slight variations of legitimate Microsoft or internal domains (e.g., microsft.com, micosoftonline.com, company-support.com).
- Poor grammar or unusual phrasing in email content.
- Hyperlinks that, when hovered over, reveal URLs not associated with Microsoft or the organisation.
- Emails requesting direct credential entry on a linked page.
Login and Account Activity IoCs (within M365 Audit Logs):
- Logins from unusual or geographically improbable IP addresses or countries.
- Multiple failed login attempts from an IP followed by a successful login.
- Logins using legacy authentication protocols (if not explicitly blocked).
- Creation of unexpected mail forwarding rules or inbox rules (especially those that delete or move messages).
- Changes to account recovery information (e.g., phone number, alternate email).
- Unexpected sharing of files or folders from OneDrive or SharePoint.
- Mass deletion of emails or files.
- Sent items containing phishing emails or suspicious replies from the compromised account. We advise closely monitoring notifications from partners who receive phishing emails sent from your domain name and from existing Office 365 accounts.
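Two of the audit-log indicators above (inbox rules that forward, redirect, delete or move mail, and sign-ins over legacy authentication) can be triaged directly from Unified Audit Log records. The following is an added example, not code from the original report; the records, users, IP addresses and rule names are constructed, and the field names follow the Exchange and Entra audit schema.

```python
"""Triage constructed Microsoft 365 Unified Audit Log records for two IoCs:
inbox rules that forward, redirect, delete or move mail, and sign-ins using
legacy (basic) authentication. Sample records below are constructed."""

SAMPLE_LOG = [
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "BAV2ROPC"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

# Rule parameters that exfiltrate or hide mail. Forwarding and deletion are
# the classic BEC pattern; a move-only rule is lower confidence.
HIGH_RISK = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
RISKY = HIGH_RISK | {"MoveToFolder"}

def _kv(items):
    """Collapse a [{Name, Value}, ...] list into a dict."""
    return {i["Name"]: i["Value"] for i in items}

def suspicious_inbox_rules(records):
    """Return (user, rule name, severity, risky parameters) per rule change."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _kv(r.get("Parameters", []))
        risky = sorted(k for k in p if k in RISKY)
        if risky:
            sev = "high" if HIGH_RISK & set(risky) else "medium"
            hits.append((r["UserId"], p.get("Name", "?"), sev, risky))
    return hits

def legacy_auth_logins(records):
    """UserLoggedIn events whose user agent (BAV2ROPC) marks basic auth."""
    hits = []
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            ua = _kv(r.get("ExtendedProperties", [])).get("UserAgent", "")
            if ua.startswith("BAV2ROPC"):
                hits.append((r["UserId"], r["ClientIP"]))
    return hits
```

Feed `suspicious_inbox_rules` and `legacy_auth_logins` the JSON records exported from the audit log; the rule name "." and a forward plus delete from the same IP as a basic-auth sign-in is the pattern to escalate first.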
Network IoCs:
- DNS lookups to known phishing domains or newly registered domains.
- Outbound connections to suspicious IP addresses from user workstations after potential credential entry.
Impact
Successful exploitation of M365 accounts without MFA can lead to severe consequences:
- Data Breach: Unauthorized access to sensitive company data, customer information (PII), financial records, and intellectual property stored in emails, OneDrive, and SharePoint.
- Financial Loss: Through BEC attacks, invoice fraud, or unauthorized wire transfers.
- Reputational Damage: Loss of customer trust and damage to the organisation’s brand.
- Operational Disruption: Interruption of business processes due to account lockout, data deletion, or system compromise.
- Compliance Violations: Potential breaches of data protection regulations (e.g., GDPR, HIPAA) leading to fines and legal action.
- Further Compromise: The compromised M365 account can be used as a launchpad for further attacks against internal systems or external partners.
Mitigation / Recommendations
The most critical mitigation is the enforcement of Multi-Factor Authentication.
Immediate and Essential Actions:
- Enforce MFA:
- Prioritize enabling and enforcing MFA for ALL M365 accounts, especially administrative accounts. Use strong MFA methods like authenticator apps (e.g., Microsoft Authenticator) or FIDO2 security keys. Avoid SMS-based MFA if possible due to susceptibility to SIM swapping.
- Utilize Microsoft Entra ID (formerly Azure AD) Conditional Access policies to enforce MFA based on risk, location, or device compliance.
- User Training and Awareness:
- Conduct regular phishing awareness training for all employees.
- Train users to identify suspicious emails, verify sender addresses, and scrutinize URLs before clicking.
- Establish a clear procedure for reporting suspected phishing emails.
Technical Controls and Best Practices:
- Disable Legacy Authentication: Protocols such as POP3, IMAP and SMTP AUTH are often targeted because they can bypass MFA. Block legacy authentication protocols via Conditional Access policies or per-protocol settings.
- Review and Harden M365 Security Settings:
- Regularly review M365 audit logs for suspicious activities.
- Configure alerts for critical events (e.g., suspicious sign-ins, creation of mail forwarding rules).
- Implement M365 Advanced Threat Protection (ATP) / Microsoft Defender for Office 365 for enhanced email filtering and link protection (Safe Links, Safe Attachments).
- Password Policies: Enforce strong, unique passwords for all accounts. Encourage the use of password managers.
- Email Security Gateways: Utilize robust email security solutions with anti-phishing capabilities.
- Implement DMARC, DKIM, and SPF: To help prevent email spoofing of your domain.
- Principle of Least Privilege: Ensure users and administrators only have the permissions necessary for their roles. Regularly review privileged accounts.
- Incident Response Plan: Have a well-defined incident response plan for handling compromised accounts and data breaches. This should include steps for isolating affected accounts, investigating the breach, and remediation.
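The two Conditional Access controls recommended above (MFA enforced for all users, legacy authentication blocked) can be checked programmatically against the policy objects a tenant exposes. The following is an added example, not from the original report or from Microsoft; the policy objects are constructed in the shape returned by the Microsoft Graph endpoint /identity/conditionalAccess/policies, and the group and user ids are placeholders.

```python
"""Assess Conditional Access policies (Microsoft Graph conditionalAccessPolicy
shape) for two controls: MFA required for all users, legacy auth blocked.
WEAK and HARDENED below are constructed tenants, not real ones."""

def _policy(name, state, users, client_apps, controls):
    """Build a minimal conditionalAccessPolicy object (constructed helper)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "clientAppTypes": client_apps,
                           "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

# Weak tenant: MFA only for one admin group, legacy-auth block left in report-only.
WEAK = [
    _policy("Require MFA for admins", "enabled",
            {"includeGroups": ["<admins-group-id>"]}, ["all"], ["mfa"]),
    _policy("Block legacy auth", "enabledForReportingButNotEnforced",
            {"includeUsers": ["All"]}, ["exchangeActiveSync", "other"], ["block"]),
]
# Hardened tenant: both controls enforced for all users (break-glass excluded).
HARDENED = [
    _policy("Require MFA for all users", "enabled",
            {"includeUsers": ["All"], "excludeUsers": ["<break-glass-id>"]}, ["all"], ["mfa"]),
    _policy("Block legacy auth", "enabled",
            {"includeUsers": ["All"]}, ["exchangeActiveSync", "other"], ["block"]),
]

def _all_users(p):
    return "All" in p["conditions"]["users"].get("includeUsers", [])

def requires_mfa_for_all(p):
    c = p["conditions"]
    return (p["state"] == "enabled" and _all_users(p)
            and "All" in c["applications"].get("includeApplications", [])
            and "mfa" in p["grantControls"].get("builtInControls", []))

def blocks_legacy_auth(p):
    c = p["conditions"]
    return (p["state"] == "enabled" and _all_users(p)
            and {"exchangeActiveSync", "other"} <= set(c.get("clientAppTypes", []))
            and p["grantControls"].get("builtInControls") == ["block"])

def assess(policies):
    """Return a list of gaps; an empty list means both controls are enforced."""
    gaps = [f"'{p['displayName']}' is report-only, not enforced"
            for p in policies if p["state"] == "enabledForReportingButNotEnforced"]
    if not any(requires_mfa_for_all(p) for p in policies):
        gaps.append("no enabled policy requires MFA for all users on all apps")
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("legacy authentication (exchangeActiveSync/other) is not blocked")
    return gaps
```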
Conclusion
Phishing attacks targeting Microsoft 365 tenants remain a persistent and evolving threat. Microsoft still does not enforce multi-factor authentication by default. Organisations that have not implemented Multi-Factor Authentication are at significantly higher risk of account compromise, leading to potentially devastating consequences. The immediate enforcement of MFA, coupled with robust security practices and ongoing user education, is paramount to defending against these attacks and safeguarding organisational assets. Ignoring this critical security layer is no longer an option in the current threat landscape.
References
- Microsoft: Set up multifactor authentication for users
- Microsoft: How to investigate a compromised email account
Significance for Luxembourg
We observed more than 48 organisations with compromised M365 accounts in the past 7 days, starting from 21st May 2025.
Classification of this document
TLP:CLEAR information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.0 - TLP:CLEAR - First version - 21st May 2025