
    Surge in Phishing Attacks Hijacking Legitimate Microsoft Communications

    On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains.

    KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.

    To carry out this attack, threat actors set up mail routing rules that automatically forwarded legitimate Microsoft invoices to recipients, using sophisticated techniques to include their payload whilst maintaining authentication integrity (including passing DMARC).

    This spike comes amid a rise in the exploitation of trusted platforms like DocuSign, PayPal, Google Drive, and Salesforce for phishing emails. Notably, by leveraging Microsoft, cybercriminals are increasing the deliverability and legitimacy of their attacks, making detection and prevention more challenging for both users and security systems.

    While we observed a surge of these attacks within a 30-minute window, this was likely due to a delay in Microsoft processing the high volume of emails. However, the attack likely continued for hours on this day, affecting thousands of individuals outside our customer base. 

    Quick Attack Summary: 
    All attacks analyzed in this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team. 

    Vector and Type: Email phishing
    Techniques: Social engineering and legitimate brand hijacking
    Targets: Global Microsoft Customers

    In this attack, cybercriminals hijacked a legitimate Microsoft invoice and used mail flow rules to auto-forward it to thousands of recipients. By setting up their own Microsoft domain, the attackers ensured the emails passed authentication protocols. They then embedded a fake organization name as their own, which appeared in the body of the email, to socially engineer the victim into calling the number present in that ‘name’. Beyond this, the attacks carried no other payload, and all links present are legitimate. 

    Attack Example: 
    Below is an example of an attack detected as part of this campaign, sent from microsoft-noreply@microsoft.com. As the email has been sent from a legitimate Microsoft domain, the attack has passed standard authentication checks such as SPF, DKIM and DMARC, which are relied upon by traditional security technologies such as Microsoft 365 and secure email gateways (SEGs).  

    Screenshot of a phishing attack leveraging Microsoft’s legitimate domain with KnowBe4 Defend anti-phishing banners applied

    Taking a deeper look into the body of the attack, it details a subscription purchase invoice, where the attacker has genuinely purchased a Microsoft product (Defender for Office 365), complete with an order number and number of licenses. This part of the email is entirely legitimate and all links direct recipients to Microsoft.com. 

    The malicious content of the email is located under “Account Information.” The “account name” is actually the malicious payload. The email claims that a subscription has been successfully purchased, listing a dollar amount of $689.89 USD. This price is notably high considering the number of licenses supposedly purchased, which is likely to prompt recipients to question the order and call the provided number for a refund if they did not authorize the transaction. 

    It is worth noting that normally Microsoft does not offer phone support as a contact method provided by email. Instead, they direct users to an online chat for assistance and clearly state on their website that if further escalation is needed, they will request the user’s phone number and initiate the call themselves.
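    As an added defender-side example (written for this page, not KnowBe4's or TIO's own detection logic), the Python check below parses a constructed invoice message modelled on the one described above and shows why an authentication pass is not a safety signal: it flags a phone number inside the "Account name" field and notes that the message was auto-forwarded (the original To: recipient differs from the mailbox it was delivered to). All addresses, header values, the order number and the phone number are constructed placeholders; the Delivered-To header is assumed to be stamped by the receiving mail system.

```python
import email
import re
from email import policy

# Constructed sample modelled on the invoice described in the post; not a real capture.
# Addresses, order number and phone number are placeholders.
SAMPLE = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: billing@attacker-tenant.example
Delivered-To: victim@company.example
Authentication-Results: mx.company.example; spf=pass; dkim=pass; dmarc=pass
Subject: Thank you for your purchase
Content-Type: text/plain

Order number: 000-PLACEHOLDER
Product: Microsoft Defender for Office 365, 1 license
Total: $689.89 USD

Account Information
Account name: Unauthorised charge? Call +1 (555) 010-0000 for a refund
"""

# Loose phone-number pattern: optional +, then 9 or more digits/separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
AUTH_FIELDS = ("spf", "dkim", "dmarc")

def analyze(raw: str) -> dict:
    """Return findings for one message; a DMARC pass never marks it clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    to_addr = str(msg.get("To", "")).lower()
    delivered = str(msg.get("Delivered-To", "")).lower()  # assumed header
    body = msg.get_content()
    # The "account name" is a free-text field the sender controls; that is where
    # the payload lived in this campaign, so inspect it for a phone number.
    m = re.search(r"^Account name:\s*(.+)$", body, re.M | re.I)
    name = m.group(1).strip() if m else ""
    findings = {
        "auth_pass": all(f"{f}=pass" in auth for f in AUTH_FIELDS),
        # Auto-forwarded: landed in a mailbox that was not the original recipient.
        "forwarded": bool(delivered) and delivered not in to_addr,
        "account_name": name,
        "phone_in_name": bool(PHONE_RE.search(name)),
    }
    if findings["phone_in_name"]:
        findings["verdict"] = "callback-phishing"  # phone in a data field: treat as malicious
    elif findings["forwarded"]:
        findings["verdict"] = "review"  # forwarded transactional mail warrants a look
    else:
        findings["verdict"] = "clean"
    return findings
```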

    If the recipient calls the phone number, our team suspects the cybercriminal would impersonate a Microsoft support representative and attempt to steal sensitive information such as bank details or credentials. Alternatively, they could use the call to track active email addresses and phone numbers. This also provides the opportunity to shift the attack from a more secure work device to a less protected mobile device.

    Mitigating Advanced Threats with Human Risk Management 

    The combination of techniques in this attack—hijacking a legitimate domain without breaking authentication, altering mail flow rules to send mass attacks, and using social engineering to move the attack from work devices to mobile—demonstrates an extremely sophisticated approach. This highlights the lengths to which cybercriminals are willing to go to achieve their objectives. 

    To effectively combat these threats, it’s crucial to pair timely user education and coaching with intelligent anti-phishing solutions. While educating users on the dangers of phishing and how to spot suspicious messages is essential, advanced technological defenses, such as machine learning and AI-powered detection, play a critical role in identifying and neutralizing these threats. Together, these strategies form 
