Microsoft 365 Phishing Attacks Growing in Sophistication

Highly sophisticated Microsoft 365 phishing attacks are now being conducted that attempt to steal credentials for accounts. If Microsoft 365 credentials are stolen, they are used to access accounts to steal highly sensitive business information, conduct business email compromise attacks, and gain initial access to networks for conducting ransomware attacks. While phishing campaigns were once easy to identify, many threat actors are investing more time into their campaigns and are crafting better documents for installing malware and writing high-quality lures that can fool even the most security-conscious employee.

The websites to which users are directed are well crafted, often including CAPTCHA challenges for added realism, and are almost identical to the real websites they spoof. Aside from the domain used, these websites can be very difficult to identify as malicious. The domains used for these scams are often believable, and certainly enough to fool many users. Threat actors also use algorithms for generating huge numbers of domains for their phishing campaigns, with each domain only used for a short time to avoid the emails falling afoul of blacklists of known malicious URLs that are fed into email security solutions.

Multifactor Authentication is Being Bypassed

One of the most important defenses against Microsoft 365 phishing attacks is to implement multifactor authentication on accounts. With multifactor authentication, in addition to a username and password, another level of authentication is required before access to the account is granted. Several campaigns have recently been identified that allow threat actors to bypass multifactor authentication.

These phishing attacks are a type of adversary-in-the-middle (AitM) attack, where the attacker inserts themselves into the genuine login process for M365 accounts, unbeknown to the victim. These attacks use one of several tools that use a reverse proxy server that sits between the phishing site and the genuine Microsoft site for which credentials are being harvested. When credentials are entered into the phishing site they are fed to the genuine site in real-time, and when the multifactor authentication is requested and the user enters the information, the session cookie is stolen. This allows multifactor authentication to be bypassed, as the session cookie confirms that authentication has been passed. While the cookies are valid, they will provide access to the Microsoft 365 account. The cookies can expire or be revoked, so some threat actors set up an additional multifactor authentication app that allows them to have persistent access to accounts.

Several tools are being offered on hacking forums for use in Microsoft 365 phishing campaigns that allow this, such as EvilProxy and Evilginx2. These tools are being used in response to the growing number of businesses that have implemented MFA on Microsoft 365 accounts. These campaigns have been used with a high degree of success in campaigns targeting senior executives, often to conduct business email compromise scams to hijack multi-million-dollar transactions; however, these advanced Microsoft 365 phishing attacks can be conducted on businesses of all sizes.

How to Protect Your Business from Advanced Microsoft 365 Phishing Attacks

There are several steps that businesses can take to improve their defenses against Microsoft 365 phishing attacks, from basic zero-cost measures to implementing advanced cybersecurity solutions. Some of the best techniques are listed below:

Set complex passwords for M365 accounts

Microsoft 365 accounts are attacked using brute force tactics to guess weak passwords. To prevent this, ensure a long and complex password is set that is at least 12 characters long. Consider using a password manager for suggesting complex passwords and securely storing them so they do not need to be remembered. Ensure that the password is unique to thwart credential stuffing attacks.

Ensure multifactor authentication is enabled

Sophisticated phishing attacks can bypass MFA, but many attacks do not have such capabilities. Ensure MFA is set up on accounts to prevent stolen credentials from being used to access accounts. It is more secure to use a physical device for authentication such as a Yubikey than to use one-time passwords. To prevent AitM phishing attacks you should use Azure AD Conditional Access and set specific rules for allowed risk levels, locations, device compliance, and other requirements, to prevent registration of new credentials by malicious actors. Where possible, use phishing-resistant credentials such as Windows Hello or FIDO, and monitor for suspicious login attempts, such as from unfamiliar IPs and locations.

Use an advanced anti-phishing solution

Microsoft’s Exchange Online Protection (EOP) is provided as standard with all M365 licenses, and while this solution is effective at reducing phishing attacks and blocking known malware, it is not sufficient to block more advanced Microsoft 365 phishing attacks. Augment EOP with a third-party anti-phishing solution that uses AI or machine learning capabilities for detecting novel phishing attacks, and email sandboxing for identifying zero-day malware. Choose a solution that augments rather than replaces EOP for maximum protection.

Use a DNS-based web filter

It can be difficult to identify malicious URLs in emails. Oftentimes users are redirected multiple times before they land on the phishing page, and many email security solutions do not follow all redirects. URLs may have no malicious content at the time of delivery to bypass email security solutions, then have malicious content added. A DNS-based web filter provides an extra layer of protection against the web-based component of phishing attacks, by providing time-of-click protection against malicious links. Web filters can also be used to block certain file downloads from the Internet and can detect malware communications that take place via the DNS.
Provide regular security awareness training to the workforce

Technology can block the majority of phishing attempts, but even with layered defenses, some threats will land in inboxes. It is important to ensure that employees are prepared and are taught how to identify Microsoft 365 phishing attempts. Do not underestimate the value of training. Training employees regularly will improve the resilience of your organization to phishing attempts. Training in small chunks regularly is much more likely to help you develop a security culture in your organization than providing a single training session once a year.

Conduct phishing simulations

Training should be augmented with Microsoft 365 phishing simulations – realistic phishing attacks conducted internally on the workforce. These simulations should not be conducted to catch employees out, rather they should be used as part of the training process to test whether the training has been effective. If any individual is fooled by a phishing simulation, it can be turned into a training opportunity, with intervention training provided in real-time to ensure it has the maximum effect.

Link copied to clipboard