Spearphishing Attack Spoofs Microsoft.com to Target 200m Office 365 Users!

Spearphishing Attack Spoofs Microsoft.com to Target 200m Office 365 Users!

A spearphishing attack is spoofing Microsoft.com to target 200m Microsoft Office 365 users in a number of key vertical markets, including financial services, healthcare, manufacturing & utility providers.

It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure.


Researchers at Ironscales discovered the campaign targeting several 1,000 mailboxes at nearly 100 of the email security firm’s customers, Lomy Ovadia, Ironscales, VP of Research & Development, observed in a report posted online Mon. Other industries being targeted including telecom & insurance companies, he observed.

The attack is particularly deceiving because it uses an exact domain spoofing technique, “which occurs when an email is sent from a fraudulent domain that is an exact match to the spoofed brand’s domain,” Ovadia wrote. This means even savvy users who check sender addresses to ensure an email is legitimate might be fooled, he stated.

Office 365

The attack is comprised of a realistic-looking email that attempts to persuade users to take advantage of a relatively new Office 365 capability that allows for them to reclaim emails that have been accidentally marked as spam or phishing messages, according to the report. The messages come from sender “Microsoft Outlook.”

“Specifically, the fraudulent message is composed of urgent & somewhat fear-inducing language intended to convince users to click on what is a malicious link without hesitation,” Ovadia wrote.

“As inferred by the message, the link will redirect users to a security portal in which they can review & take action on ‘quarantined messages’ captured by the Exchange Online Protection (EOP) filtering stack, the new feature that has only been available since Sept.”

Login Credentials

Once a user clicks on the link, they are asked to type in legitimate Office 365 login credentials on a fake log-in page controlled by attackers to harvest and likely sell on the dark web, according to Ironscales.

An interesting aspect of the campaign is its success in bypassing secure email gateway (SEG) controls. Usually, exact domain spoofs aren’t difficult to detect, says Ironscales; the company found in previous research that this tactic was found in less than 1% of total spoofing attacks that bypass SEGs in any year.

Security Tools

“Even non cloud-native & legacy email security tools are fairly efficient at stopping these sorts of attacks,” Ovadia noted.

“The reason why SEGs can traditionally stop exact domain spoofing is because, when configured correctly, this control is compliant with the domain-based message authentication, reporting & conformance (DMARC), an email authentication protocol built specifically to stop exact domain spoofing (SPF/DKIM).”


However, Ironscales found that Microsoft servers are not currently enforcing the DMARC protocol, which means the exact domain spoofing messages get through controls such as Office 365 EOP and Advanced Threat Protection.

“Any other email service that respects & enforces DMARC would have blocked such emails,” Ovadia wrote. “It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure.”

Reject Emails

The situation is particularly strange as Microsoft is typically 1 of the top domain names if not the top domain imitated by hackers in phishing campaigns, he observed.

To mitigate attacks, Ironscales advised organisations to configure their email defence & protection systems for DMARC, which should detect & reject emails coming from the latest Office 365 campaign, according to the report.

“Advanced mailbox-level email security that continuously studies every employee’s inbox to detect anomalies based on both email data & metadata extracted from previously trusted communications can help stop email spoofs that slip through the cracks,” Ovadia added.