7 Attacks Where Phishers Abused Legitimate Microsoft Services


In a recent blog post, I discussed two email campaigns in which attackers used Microsoft's brand to steal recipients' credentials. The threat actor(s) behind those attacks merely impersonated the tech giant, building fake login pages that mimicked OneDrive and other legitimate Microsoft services. Other attackers have gone a step further and used those services themselves as part of their phishing infrastructure, so that the links, hosting domains and certificates a target sees are genuinely Microsoft's.

Provided below are seven such campaigns from the past couple of years.

Azure Blob Storage Misused in Two Phishing Campaigns

Back in April 2019, security firm EdgeWave detected a campaign in which malicious actors sent emails notifying users that their Office 365 account information was outdated. The email prompted recipients to click an "Update account information" button that led to a customized Outlook Web App login page hosted on Azure Blob Storage. Because the page was served from a windows.net address with a valid Microsoft-issued certificate, nothing in the browser's address bar looked out of place. Not long afterward, the firm detected a second campaign that sent out fake Workplace by Facebook notification emails. Those messages tried to trick recipients into clicking a "View More Posts" button that redirected them to an Office 365 phishing site on the same kind of Blob Storage hosting.

Azure Custom Name Registrations Used to Host Phishing Sites

That same month, Zix | AppRiver detected a "living-off-the-land" attack in which malicious actors sent phishing emails from Microsoft's own mail servers. The attackers also hosted their phishing sites on Microsoft infrastructure, specifically custom names registered under web.core.windows.net, blob.core.windows.net, and azurewebsites.net. In examining some of those sites, Zix | AppRiver found that one kit had left its harvested data, approximately 250 sets of user credentials along with geolocation details, exposed on the open web. In a second attack, the threat actors embedded the malicious links in email attachments rather than in the message body, which sidesteps filters that only inspect links in the body text.

Microsoft Office Surveys Abused for Staging Email Attacks

In the summer of 2019, Zix | AppRiver detected several instances of attackers using Microsoft's Excel Survey and Forms templates to build phishing pages. All they needed to do was create a survey matching the theme of their scam email; the survey then collected recipients' email addresses and passwords and/or other personally identifiable information. One such attack linked to a human resources survey, for instance, while another used an education article link. Both phishing sites were hosted on onedrive.live. Since a survey is a genuine Microsoft-hosted document, URL reputation and certificate checks see a legitimate Microsoft host; only the content of the form gives the attack away.

Malware Hosted by Microsoft Azure

Around that same time, Zix | AppRiver found that threat actors had escalated from phishing pages to hosting malware on Microsoft Azure. Its researchers also observed attackers using Azure as command and control (C&C) infrastructure for that malware, which lets callback traffic blend in with legitimate traffic to Microsoft's cloud.

Office 365 Phishing Attack Abuses Microsoft Sway

In April 2020, security researchers identified the "PerSwaysion" campaign while analyzing a phishing email that had arrived from a victim's external business partner. The email carried a PDF attachment that masqueraded as an Office 365 file-sharing notification. Clicking the link in the PDF led to a page hosted on Microsoft Sway, a presentation platform included in Microsoft Office. That page told the recipient that the sender had shared a document on behalf of their company, according to Threatpost, and asked them to click a "Get Started" button. That link, in turn, sent victims to a fake Microsoft Single Sign-On (SSO) page for Outlook built to harvest their credentials.

Trio of Cloud Services Abused in Phishing Operation

Several months later, Bleeping Computer came across another phishing campaign whose emails claimed to originate from a help desk at "servicedesk.com." The attack emails used that domain to imitate a legitimate "quarantined mail" notification asking recipients to "release" messages stuck in the queue. Each came with an embedded link that, when clicked, took recipients to phishing landing pages hosted on IBM Cloud, Microsoft Azure, and Microsoft Dynamics.

Microsoft’s Anti-Phishing Feature Abused for Phishing Attempts

About a year later, malicious actors abused a custom sign-in branding feature that is meant to help enterprise users recognize their organization's genuine login page and so resist phishing. According to VentureBeat, attackers seized on that feature to conduct automated phishing attacks, producing lookalike login pages that carried the target organization's own branding.

Defending Against Phishing Attacks that Misuse Microsoft

The attacks discussed above show why organizations need to augment their email security posture with a layered approach. Because the hosting domains and TLS certificates in these campaigns are genuine, reputation checks on the parent domain alone will pass them; detection has to look at the attacker-controlled parts (the subdomain, the path, or the form content) and at the mismatch between what the lure promises and where the link actually leads. Organizations can improve their posture by deploying an email security solution capable of scanning incoming messages for campaign patterns, malware signatures, and other threat indicators, all while allowing legitimate correspondence to reach its intended destination. Osterman Research has found that around two thirds of organizations are not yet taking this approach with their email environment and rely solely on Microsoft's built-in security, a real risk given how often Microsoft's own services are targeted and abused.
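As an added example (not code from the original post or from Zix | AppRiver), the following Python script shows the kind of link triage the layered approach above calls for: it pulls URLs out of a message body, flags those that land on the shared Microsoft hosting the campaigns above abused, reports which part of the URL the attacker controls, and raises the priority when credential or urgency lure words accompany the link. The host lists, the lure-word list and the sample messages are assumptions constructed for illustration.

```python
"""Triage links in an e-mail body for abuse of shared Microsoft hosting.

Added example, not code from the original post. The host lists, lure words
and sample messages are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Suffixes where the left-most label(s) are chosen by whoever creates the
# storage account or web app, so the parent domain's good reputation says
# nothing about the page (the campaigns above used all three).
TENANT_LABEL_SUFFIXES = (
    "blob.core.windows.net",
    "web.core.windows.net",   # static sites look like <account>.z13.web.core.windows.net
    "azurewebsites.net",
)

# Shared hosts where the attacker-chosen part is the path or query
# (a Sway deck, a Forms survey, a OneDrive share), not the host name.
SHARED_CONTENT_HOSTS = (
    "sway.office.com",
    "forms.office.com",
    "onedrive.live.com",
)

# Where Microsoft actually prompts for credentials; excluded so that
# genuine sign-in links are not reported.
GENUINE_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com")

URL_RE = re.compile(r'''https?://[^\s<>"')]+''')
LURE_RE = re.compile(
    r"\b(account|password|sign[ -]?in|log[ -]?in|quarantin\w*|release|update|verify)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    url: str
    category: str
    detail: str
    priority: str = "medium"


def classify_url(url):
    """Return a Finding if the URL lands on shared Microsoft hosting, else None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in GENUINE_LOGIN_HOSTS:
        return None
    for suffix in TENANT_LABEL_SUFFIXES:
        if host.endswith("." + suffix):
            prefix = host[: -len(suffix) - 1]   # the part an attacker registers
            return Finding(url, "tenant-named-host",
                           f"attacker-registrable prefix {prefix!r} under {suffix}")
    if host in SHARED_CONTENT_HOSTS:
        return Finding(url, "shared-host-content",
                       f"attacker-authored content at {parsed.path!r} on {host}")
    return None


def triage(body):
    """Extract links from a message body and rank the ones on abusable hosting."""
    lure_words = sorted({m.group(1).lower() for m in LURE_RE.finditer(body)})
    findings = []
    for url in URL_RE.findall(body):
        finding = classify_url(url.rstrip(".,"))
        if finding is None:
            continue
        if lure_words:
            # A credential/urgency lure pointing at tenant-controlled hosting
            # is the pattern shared by every campaign described above.
            finding.priority = "high"
            finding.detail += "; lure words: " + ", ".join(lure_words)
        findings.append(finding)
    return findings


# Constructed sample messages (not real campaign artefacts).
SAMPLE_O365_UPDATE = (
    "Your Office 365 account information is outdated. "
    "Update account information: https://docs-update.blob.core.windows.net/o365/index.html"
)
SAMPLE_SWAY_SHARE = (
    "A document was shared with you. Get Started: https://sway.office.com/AbCdEf123456"
)
SAMPLE_BENIGN = (
    "Release notes are posted at https://docs.microsoft.com/azure/ and sign in at "
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
)

if __name__ == "__main__":
    for sample in (SAMPLE_O365_UPDATE, SAMPLE_SWAY_SHARE, SAMPLE_BENIGN):
        for f in triage(sample):
            print(f.priority, f.category, f.url, "-", f.detail)
```

The point of splitting the result into "tenant-named-host" and "shared-host-content" is that the two need different follow-up: for the first, the registrable prefix is the indicator to block or report to Microsoft; for the second, the host can never be blocked outright, so the path or form identifier is what goes on the block list.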

Learn more about what a layered security solution looks like for your email, and how email security experts can help you break the cyber threat cycle and defend against email attacks that turn Microsoft's own services to malicious purposes.