
Microsoft 365 Phishing Scam Fooled Users into Contacting Fake Support


Guardz, a cybersecurity company, has issued a warning to Microsoft 365 users regarding a new phishing scam that is employing social engineering tactics to deceive individuals. This scam is not your run-of-the-mill fraudulent scheme, as it lures people into calling fake support numbers by leveraging Microsoft 365 infrastructure, thereby jeopardizing their login credentials and accounts.

The modus operandi of this attack differs from typical phishing endeavors that utilize typosquatted domains or fake email addresses. Instead, this campaign operates within Microsoft’s cloud services, making the phishing attempts appear authentic and easily evading email authentication checks like SPF, DKIM, and DMARC.

Furthermore, the attackers exploit legitimate Microsoft domains, such as onmicrosoft.com, and manipulate tenant settings to execute their fraudulent activities. By establishing multiple Microsoft 365 organization tenants, either by creating new ones or compromising existing accounts, the scammers allocate specific roles within the attack framework, allowing them to operate anonymously.

One fake organization created by the scammers simulates normal business activities, such as initiating a subscription, to establish credibility. Meanwhile, another fake organization adopts a name that includes a fabricated warning message and a phone number, creating a sense of urgency. For instance, the organization’s name might display as “(Microsoft Corporation) Your subscription has been successfully purchased… If you did not authorize this transaction, please call.”

When the attackers trigger an action, such as altering a subscription, Microsoft 365 automatically dispatches legitimate emails regarding the change. Due to the setup of the fake organizations, these official Microsoft emails may contain the fake warning message and phone number in the sender’s information or organization details. Consequently, recipients may receive an email that appears to be from Microsoft, confirming a purchase they did not authorize. While the email itself is authentic in origin, the alarming message prompting individuals to call a number to dispute the charge is part of the scam. If someone calls the number, they are connected with the attackers who endeavor to pilfer sensitive information like passwords or coerce them into installing malicious software.

The effectiveness of this scam lies in its use of Microsoft’s legitimate systems, which often elude standard security checks for counterfeit domains or suspicious links. The emails exude authenticity, complete with Microsoft branding, and the urgent nature of the unauthorized charge notification can prompt hurried action without due consideration.

According to Guardz’s report, furnished to Hackread.com prior to publication, this attack is challenging to detect because it abuses a legitimate service for malicious purposes. Conventional email security measures that check sender reputation or look for fake links may not catch it, because the sender is genuinely Microsoft and the message contains no link at all; the lure is a phone number.

The repercussions of falling victim to this phishing campaign can be severe, encompassing credential theft, financial losses, account takeovers, or malware infiltration into systems. The reliance on voice channels within the attack makes it more arduous to detect and counteract, as fewer security safeguards exist in direct phone communications.

To safeguard against such scams, individuals and businesses should exercise caution when receiving unexpected emails regarding purchases or subscriptions, even if they genuinely originate from Microsoft. Do not call phone numbers provided in an email if something seems amiss; instead, verify contact details on Microsoft’s official website. Pay close attention to sender details: an unusual organization name, a phone number embedded in the sender or organization field, or urgent language are all red flags, as are messages from unfamiliar “.onmicrosoft.com” domains. Most importantly, individuals should educate themselves and their employees on recognizing phishing tactics, especially those engineered to create a sense of urgency around a financial threat.
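The red flags above can be turned into a simple mail-gateway triage rule. The following Python script is an added illustration, not Guardz’s or Microsoft’s tooling: it inspects the two fields a tenant operator controls in these notifications, the From display name and an organization-name header, and flags a message when such a field carries both a phone number and call-to-action wording, or when the sender is on a .onmicrosoft.com default domain. The sample messages, the phone number, the `contoso-billing` tenant name and the `X-Organization-Name` header are all constructed placeholders.

```python
"""Heuristic triage for purchase/subscription notifications whose sender
display name or organization field carries a phone number plus urgency text.

Added example; the messages, header names and numbers below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# North-American-style phone number; other regions need additional patterns.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Wording that pushes the reader to pick up the phone (checked case-insensitively).
URGENCY_TERMS = (
    "did not authorize",
    "unauthorized",
    "please call",
    "call us",
    "contact support",
    "dispute",
)

# Constructed sample: the display name itself carries the warning and the number.
SCAM_SAMPLE = (
    'From: "(Microsoft Corporation) Your subscription has been successfully purchased. '
    'If you did not authorize this transaction, please call +1 555 010 0199" '
    "<billing@contoso-billing.onmicrosoft.com>\n"
    "X-Organization-Name: Microsoft Corporation - call +1 555 010 0199 to dispute\n"
    "Subject: Your subscription has been purchased\n"
    "\n"
    "This is an automated notification about a change to your subscription.\n"
)

# Constructed sample: an ordinary receipt with a plain sender name and no number.
BENIGN_SAMPLE = (
    'From: "Example Billing" <billing@example.com>\n'
    "Subject: Your subscription receipt\n"
    "\n"
    "Thank you for your purchase. Your receipt is attached.\n"
)


def triage_notification(raw_message: str) -> dict:
    """Return the red flags found in one RFC 822 message.

    Only fields a tenant operator controls are inspected: the From display
    name and X-Organization-Name (an assumed header standing in for whatever
    organization detail a real notification carries).
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    org_name = msg.get("X-Organization-Name", "")
    domain = address.rsplit("@", 1)[-1].lower()

    flags = []
    phones_seen = []
    for label, text in (("From display name", display_name),
                        ("organization name", org_name)):
        phones = PHONE_RE.findall(text)
        if phones:
            flags.append(f"phone number in {label}: {phones[0]}")
            phones_seen.extend(phones)
        lowered = text.lower()
        hits = [term for term in URGENCY_TERMS if term in lowered]
        if hits:
            flags.append(f"urgency wording in {label}: {hits[0]}")

    if domain.endswith(".onmicrosoft.com"):
        flags.append(f"sender on default tenant domain: {domain}")

    # The combination the campaign relies on: a tenant-controlled field that
    # both carries a phone number and urges the reader to call it.
    high_risk = bool(phones_seen) and any(f.startswith("urgency wording") for f in flags)
    return {"sender": address, "flags": flags, "high_risk": high_risk}


if __name__ == "__main__":
    for sample in (SCAM_SAMPLE, BENIGN_SAMPLE):
        result = triage_notification(sample)
        print(result["sender"], "HIGH RISK" if result["high_risk"] else "ok")
        for flag in result["flags"]:
            print("  -", flag)
```

The rule deliberately ignores SPF, DKIM and DMARC results and the presence of links, since in this campaign all of those look clean; it keys only on what the attacker had to put into the tenant name. A high-risk hit is a candidate for quarantine or a user-facing banner, not an automatic block, because legitimate organizations occasionally do put a phone number in their display name.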

In conclusion, the emergence of this sophisticated phishing campaign underscores the evolving and elaborate nature of cyber threats, emphasizing the necessity for constant vigilance and proactive security measures to thwart malicious actors’ attempts to exploit vulnerable individuals and organizations.

