A newly discovered Sophisticated Phishing Attack has taken cyber threats to an advanced level by exploiting Microsoft 365’s legitimate infrastructure. Unlike traditional phishing attacks that rely on email spoofing or fake domains, this sophisticated method uses Microsoft’s trusted systems to bypass security measures and trick users into handing over their credentials.
This phishing campaign is particularly dangerous because it successfully passes email security checks, making detection difficult for both automated defenses and human recipients. It manipulates Microsoft’s billing notifications to create fraudulent messages, luring victims into account takeovers and financial fraud. Let’s dive deeper into how this attack works, the dangers it presents, and how users can protect themselves.
How This Sophisticated Phishing Attack Works
Traditional phishing attempts often rely on imitating well-known brands by creating fake websites or sending spoofed emails. However, in this case, attackers exploit Microsoft 365‘s built-in functionalities, making their phishing attempts appear completely legitimate.
This attack abuses Microsoft’s service-generated emails, which contain valid authentication markers such as:
- SPF (Sender Policy Framework) – Prevents email spoofing by ensuring the email comes from an authorized source.
- DKIM (DomainKeys Identified Mail) – Verifies the email’s authenticity by using cryptographic signatures.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) – Ensures alignment between SPF and DKIM to prevent email impersonation.
Since Microsoft’s email servers send these phishing emails, they easily pass through security filters and appear trustworthy to the recipient.
Exploiting Microsoft 365’s Tenant Properties
Security researchers at Guardz Security uncovered that attackers manipulated Microsoft 365 organization tenants to execute this campaign. They gain control over multiple tenants by either:
- Registering new Microsoft 365 tenants – Attackers create fake organizations from scratch.
- Compromising existing tenants – They take over legitimate Microsoft 365 accounts and repurpose them for phishing.
Each compromised or fake tenant serves a specific role in the attack chain. Some tenants are used for launching fraudulent activities, others impersonate legitimate brands, and some act as covert relay points to bypass security detection.
One of the most concerning aspects of this campaign is how attackers abuse Microsoft’s billing notification system. When a subscription-related event occurs, Microsoft automatically sends an email with the organization’s display name. Attackers manipulate this display name to include fraudulent content.
For example, a phishing email might contain a message like:
“(Microsoft Corporation). Your subscription has been successfully purchased for $689.89 using your checking account. If you did not authorize this transaction, please call 1(888) 651-4716 to request a refund.”
This message creates urgency and panic, prompting victims to call the provided phone number, which leads them to a voice-based scam.
The Sophisticated Phishing Attack Process Step-by-Step
This phishing campaign follows a structured process to deceive victims effectively:
- Creation of Administrative Accounts – The attackers first set up administrative accounts under domains ending in “.onmicrosoft.com”. This reduces visibility and makes it harder for security teams to detect malicious activities.
- Manipulation of Organization Name Fields – Instead of using a regular organization name, the attackers insert full phishing messages into the display name field.
- Triggering Legitimate Billing Notifications – When a Microsoft billing event occurs (e.g., a subscription renewal), the system automatically generates an email with the manipulated organization name.
- Delivery of Convincing Phishing Emails – Because these emails originate from Microsoft’s servers, they appear completely legitimate and pass all security authentication checks.
- Victims Are Tricked into Calling Fake Support Numbers – The email urges recipients to call a phone number, where scammers impersonate Microsoft support representatives. Victims are then deceived into revealing their credentials, bank details, or remote access to their devices.
Why Traditional Security Measures Fail
One of the most alarming aspects of this Sophisticated Phishing Attack is its ability to evade standard email security mechanisms. Since the phishing emails originate directly from Microsoft’s servers and use valid authentication signatures (SPF, DKIM, DMARC), they are extremely difficult to flag as malicious.
A sample email header from an attack might look like this:
From: Microsoft
Date: Mon, 24 Feb 2025 11:46:31 +0000
Subject: Microsoft subscription purchase confirmation
Message-ID:
Return-Path: [email protected]This header confirms that the email is coming from Microsoft’s infrastructure, making it nearly impossible for traditional security tools to classify it as phishing.
Moreover, because this attack relies on voice-based social engineering, rather than directing victims to a fake login page, it bypasses many cybersecurity defenses that detect phishing links.
How to Protect Yourself from This Sophisticated Phishing Attack
Since this phishing campaign is difficult to detect using conventional security measures, organizations and individuals must take proactive steps to protect themselves. Here’s what you can do:
1. Verify Microsoft Emails Before Taking Action
- Never assume an email is legitimate just because it appears to come from Microsoft.
- Cross-check billing notifications directly by logging into your Microsoft 365 account rather than clicking on links or calling phone numbers in the email.
2. Educate Employees and Users About Voice-Based Scams
- Many phishing attempts now rely on social engineering rather than malicious links.
- Train employees to recognize scams that encourage them to call fake support numbers.
3. Implement Multi-Factor Authentication (MFA)
- Even if credentials are compromised, MFA can prevent unauthorized access.
- Require employees to use Microsoft Authenticator or another trusted MFA tool.
4. Monitor Microsoft 365 Tenant Activity
- Regularly review tenant properties for unauthorized changes.
- Watch for newly created admin accounts or suspicious activity related to billing events.
5. Configure Email Security Solutions
- Advanced email filtering solutions can analyze email behavior beyond SPF, DKIM, and DMARC.
- Use AI-driven security tools that detect anomalies in email communication patterns.
6. Report Suspicious Microsoft Emails
- If you receive a suspicious Microsoft billing email, report it through Microsoft’s phishing reporting tools.
- Organizations should have an internal reporting system for employees to flag potential phishing attempts.
Conclusion
This newly discovered Sophisticated Phishing Attack represents a major evolution in cybercrime tactics. By leveraging Microsoft’s infrastructure, attackers have found a way to bypass traditional email security measures and make their phishing emails appear completely legitimate.
The reliance on social engineering and voice-based scams makes this attack especially dangerous, as it exploits human psychology rather than technical vulnerabilities.
To stay protected, individuals and organizations must adopt a multi-layered security approach, combining awareness training, MFA, proactive monitoring, and advanced email security tools. By staying informed and vigilant, you can reduce the risk of falling victim to these highly deceptive phishing attacks.
