A KnowBe4 Threat Lab Publication
Authors: James Dyer, Threat Intelligence Lead at KnowBe4, and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4
On March 3, 2025, the KnowBe4 Threat Labs team observed a huge influx of phishing attacks originating from legitimate Microsoft domains.
KnowBe4 Defend detected activity beginning on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.
To carry out this attack, threat actors set up mail routing rules that automatically forwarded legitimate Microsoft invoices to recipients, using sophisticated techniques to include their payload while maintaining authentication integrity (including passing DMARC).
This spike comes amid a rise in the exploitation of trusted platforms like DocuSign, PayPal, Google Drive, and Salesforce for phishing emails. Notably, by leveraging Microsoft, cybercriminals are increasing the deliverability and legitimacy of their attacks, making detection and prevention more difficult for both users and security systems.
While we observed a surge of these attacks within a 30-minute window, this was likely due to a delay in Microsoft processing the high volume of emails. However, the attack likely continued for hours on this day, affecting thousands of people outside our customer base.
Quick Attack Summary:
All attacks analyzed in this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team.
Vector and Type: Email phishing
Techniques: Social engineering and legitimate brand hijacking
Targets: Global Microsoft Customers
In this attack, cybercriminals hijacked a legitimate Microsoft invoice and used mail flow rules to auto-forward it to thousands of recipients. By setting up their own Microsoft domain, the attackers ensured the emails passed authentication protocols. They then embedded a fake organization name as their own, which appeared in the body of the email, to socially engineer the victim into calling the number present in that ‘name’. Apart from this, the attacks had no other payload and all links present are legitimate.
Attack Example:
Below is an example of an attack detected as part of this campaign, sent from microsoft-noreply@microsoft.com. As the email has been sent from a legitimate Microsoft domain, the attack has passed standard authentication checks such as SPF, DKIM and DMARC, relied upon by traditional security technologies such as Microsoft 365 and secure email gateways (SEGs).
[Screenshot: a phishing attack leveraging Microsoft’s legitimate domain, with KnowBe4 Defend anti-phishing banners applied]
Taking a deeper look into the body of the attack, it details a subscription purchase invoice, where the attacker has genuinely purchased a Microsoft product (Defender for Office 365), complete with an order number and number of licenses. This part of the email is entirely legitimate and all links direct recipients to Microsoft.com.
The malicious content of the email is located under “Account Information.” The “account name” is actually the malicious payload. The email claims that a subscription has been successfully purchased, listing a dollar amount of $689.89 USD. This price is notably high considering the number of licenses supposedly purchased, which is likely to prompt recipients to question the order and call the provided number for a refund if they did not authorize the transaction.
It is worth noting that Microsoft typically does not offer phone support as a contact method provided by email. Instead, it directs users to an online chat for support and clearly states on its website that if further escalation is required, it will request the user’s phone number and initiate the call itself.
If the recipient calls the phone number, our team suspects the cybercriminal would impersonate a Microsoft support representative and attempt to steal sensitive information such as bank details or credentials. Alternatively, they could use the call to track active email addresses and phone numbers. This also provides the opportunity to shift the attack from a more secure work device to a less protected mobile device.
How Have Attackers Hijacked Microsoft?
Our Threat Labs team has investigated how the attacker executed this sophisticated attack that exploits Microsoft’s infrastructure to successfully deliver phishing emails.
Firstly, the attacker created a legitimate tenancy on Microsoft. During setup, Microsoft allows users to define their organization’s name. In this case, they named their organization “Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call [phone number] to request a refund.”
This ensures the socially engineered payload is embedded in all outgoing emails without the attacker needing to modify the content during transit, which would break authentication. As a result, the attack bypasses traditional solutions that rely on intact authentication protocols (which ensure the email has not been tampered with mid-transit and originates from a legitimate sender).
Next, the attacker set up mail flow rules on their domain to automatically forward emails received from Microsoft to a list of users.
Our Threat Labs team found that Microsoft allows up to 300 mail flow rules within an organization’s tenancy, with each rule capable of forwarding to over 1,000 recipients. This is where the attacker populates its victims’ email addresses.
The attacker then purchased 10 Microsoft Defender for Office 365 (Plan 2) Faculty licenses. This triggers a legitimate confirmation email from Microsoft, which is instantly forwarded to all recipients specified in the mail flow rules.
Mitigating Advanced Threats with Human Risk Management
The combination of techniques in this attack—hijacking a legitimate domain without breaking authentication, altering mail flow rules to send mass attacks, and using social engineering to move the attack from work devices to mobile—demonstrates an extremely sophisticated approach. This highlights the lengths to which cybercriminals are willing to go to achieve their goals.
To effectively combat these threats, it is essential to pair timely user education and training with intelligent anti-phishing solutions. While educating users on the dangers of phishing and how to spot suspicious messages is crucial, advanced technological defenses, such as machine learning and AI-powered detection, play a critical role in identifying and neutralizing these threats. Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks.
How Defend Detected the Attack
onmicrosoft.com Domain: When organizations register for Microsoft 365 services, Microsoft assigns them a default domain in the format “organization-name.onmicrosoft.com.” This domain is mainly used for internal management of services and user accounts within the Microsoft 365 environment.
In this attack, the malicious emails were sent to a specific address (e.g., our-company@) targeting multiple Microsoft tenancies. However, instead of using the organization’s public domain, the “to” addresses ended with “.onmicrosoft.com.” This mismatch is a key data point that Defend can identify and flag.
Mismatch of “To” Address vs. RSec Address: The “to” address in these emails could be a shared mailbox, whereas the recipient (“R-to”) could be a list of every individual within that shared mailbox. This could also apply to distribution lists or general addresses like all@company.com. Defend was able to detect the discrepancy between these addresses and highlight it as malicious.
Discrepancy Between “To” Address and Domain in the Body: The “to” address was inconsistent with the domain quoted in the email body.
Linguistic Anomaly
The request for the customer to call a number was atypical for Microsoft communications, raising a red flag. This unusual language was another indicator that the email was malicious.
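As an added illustration, not KnowBe4's or Defend's own code, the Python below evaluates one message against the four indicators described in this section. The sample messages are constructed, and the X-Envelope-To header standing in for the SMTP envelope recipient is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed samples modelled on the report's description; not real captures.
# "X-Envelope-To" stands in for the SMTP RCPT TO recipient (header name is an assumption).
SUSPECT = """\
From: microsoft-noreply@microsoft.com
To: our-company@contoso.onmicrosoft.com
X-Envelope-To: alice@contoso.com

Account Information
Account name: Your subscription has been successfully purchased for
689.89 USD using your checking account. If you did not authorize this
transaction, please call 555-0100 to request a refund.
Domain: attacker-tenant.onmicrosoft.com
"""
BENIGN = """\
From: microsoft-noreply@microsoft.com
To: alice@contoso.com
X-Envelope-To: alice@contoso.com

Account Information
Account name: Contoso Ltd
Manage your subscription at https://admin.microsoft.com
"""

PHONE = r"\+?\d[\d\s().-]{6,}\d"
DOMAIN_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.onmicrosoft\.com\b", re.I)
CALL_RE = re.compile(r"\b(?:call|phone|dial)\b[^.]{0,80}?" + PHONE, re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def analyze(raw: str) -> dict:
    """Evaluate the four indicators the report lists against one message."""
    msg = message_from_string(raw)
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    env_addrs = {a.lower() for _, a in getaddresses(msg.get_all("X-Envelope-To", []))}
    body = msg.get_payload() if not msg.is_multipart() else ""
    to_domains = {_domain(a) for a in to_addrs}
    body_domains = {d.lower() for d in DOMAIN_RE.findall(body)}
    return {
        "to_is_onmicrosoft": any(d.endswith(".onmicrosoft.com") for d in to_domains),  # default tenant domain
        "to_envelope_mismatch": bool(env_addrs) and not (to_addrs & env_addrs),       # To vs. envelope recipient
        "body_domain_mismatch": bool(body_domains) and not (body_domains & to_domains),  # body domain vs. To
        "call_request": bool(CALL_RE.search(body)),                                    # linguistic anomaly
    }
```

Summing the returned booleans gives a simple indicator count (4 for the constructed suspect message, 0 for the benign one).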