A KnowBe4 Threat Lab Publication
Authors: James Dyer, Threat Intelligence Lead at KnowBe4, and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4
On March 3, 2025, the KnowBe4 Threat Labs team observed an enormous influx of phishing attacks originating from legitimate Microsoft domains.
KnowBe4 Defend detected activity beginning on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.
To carry out this attack, threat actors set up mail routing rules that automatically forwarded legitimate Microsoft invoices to recipients, using sophisticated techniques to include their payload while maintaining authentication integrity (including passing DMARC).
This spike comes amid a rise in the exploitation of trusted platforms like DocuSign, PayPal, Google Drive, and Salesforce for phishing emails. Notably, by leveraging Microsoft, cybercriminals are increasing the deliverability and legitimacy of their attacks, making detection and prevention more difficult for both users and security systems.
While we observed a surge of these attacks within a 30-minute window, this was likely due to a delay in Microsoft processing the high volume of emails. However, the attack likely continued for hours on this day, affecting thousands of people outside our customer base.
Quick Attack Summary:
All attacks analyzed in this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team.
Vector and Type: Email phishing
Techniques: Social engineering and legitimate brand hijacking
Targets: Global Microsoft customers
In this attack, cybercriminals hijacked a legitimate Microsoft invoice and used mail flow rules to auto-forward it to thousands of recipients. By setting up their own Microsoft domain, the attackers ensured the emails passed authentication protocols. They then embedded a fake organization name as their own, which appeared in the body of the email, to socially engineer the victim into calling the number present in that “name”. Apart from this, the attacks had no other payload and all links present are legitimate.
Attack Example:
Below is an example of an attack detected as part of this campaign, sent from microsoft-noreply@microsoft.com. As the email has been sent from a legitimate Microsoft domain, the attack has passed standard authentication checks such as SPF, DKIM and DMARC, which are relied upon by traditional security technologies such as Microsoft 365 and secure email gateways (SEGs).
[Screenshot: a phishing attack leveraging Microsoft’s legitimate domain, shown with KnowBe4 Defend anti-phishing banners applied]
Taking a deeper look into the body of the attack, it details a subscription purchase invoice, where the attacker has genuinely purchased a Microsoft product (Defender for Office 365), complete with an order number and number of licenses. This part of the email is entirely legitimate and all links direct recipients to Microsoft.com.
The malicious content of the email is located under “Account Information.” The “account name” is actually the malicious payload. The email claims that a subscription has been successfully purchased, listing a dollar amount of $689.89 USD. This value is notably high considering the number of licenses supposedly purchased, which is likely to prompt recipients to question the order and call the provided number for a refund if they did not authorize the transaction.
It’s worth noting that Microsoft typically does not offer phone support as a contact method provided by email. Instead, they direct users to an online chat for assistance and clearly state on their website that if further escalation is required, they will request the user’s phone number and initiate the call themselves.
If the recipient calls the phone number, our team suspects the cybercriminal would impersonate a Microsoft support representative and attempt to steal sensitive information such as bank details or credentials. Alternatively, they could use the call to track active email addresses and phone numbers. This also provides the opportunity to shift the attack from a more secure work system to a less protected mobile device.
How Have Attackers Hijacked Microsoft?
Our Threat Labs team has investigated how the attacker executed this sophisticated attack that exploits Microsoft’s infrastructure to successfully deliver phishing emails.
Firstly, the attacker created a legitimate tenancy on Microsoft. During setup, Microsoft allows users to define their organization’s name. In this case, they named their organization “Your subscription has been successfully purchased for 689.89 USD using your bank account. If you did not authorize this transaction, please call [phone number] to request a refund.”
This ensures the socially engineered payload is embedded in all outgoing emails without the attacker needing to modify the content during transit, which would break authentication. As a result, the attack bypasses traditional solutions that rely on intact authentication protocols (which ensure the email has not been tampered with mid-transit and originates from a legitimate sender).
Next, the attacker set up mail flow rules on their domain to automatically forward emails received from Microsoft to a list of users.
Our Threat Labs team found that Microsoft allows up to 300 mail flow rules within an organization’s tenancy, with each rule capable of forwarding to over 1,000 recipients. This is where the attacker populates its victims’ email addresses.
The attacker then purchased 10 Microsoft Defender for Office 365 (Plan 2) Faculty licenses. This triggers a legitimate confirmation email from Microsoft, which is instantly forwarded to all recipients specified in the mail flow rules.
Mitigating Advanced Threats with Human Risk Management
The combination of techniques in this attack (hijacking a legitimate domain without breaking authentication, altering mail flow rules to send mass attacks, and using social engineering to move the attack from work devices to mobile) demonstrates an extremely sophisticated approach. This highlights the lengths to which cybercriminals are willing to go to achieve their objectives.
To effectively combat these threats, it is essential to pair timely user education and training with intelligent anti-phishing solutions. While educating users on the dangers of phishing and how to spot suspicious messages is crucial, advanced technological defenses, such as machine learning and AI-powered detection, play a critical role in identifying and neutralizing these threats. Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks.
How Defend Detected the Attack
onmicrosoft.com Domain: When organizations register for Microsoft 365 services, Microsoft assigns them a default domain in the format “organization-name.onmicrosoft.com.” This domain is mainly used for internal management of services and user accounts within the Microsoft 365 environment.
In this attack, the malicious emails were sent to a specific address (e.g., our-company@) targeting multiple Microsoft tenancies. However, instead of using the organization’s public domain, the “to” addresses ended with “.onmicrosoft.com.” This mismatch is a key data point that Defend can identify and flag.
Mismatch of “To” Address vs. RSec Address: The “to” address in these emails could be a shared mailbox, whereas the recipient (“R-to”) could be a list of every individual within that shared mailbox. This could also apply to distribution lists or generic addresses like all@company.com. Defend was able to detect the discrepancy between these addresses and highlight it as malicious.
Discrepancy Between “To” Address and Domain in the Body: The “to” address was inconsistent with the domain quoted in the email body.
Linguistic Anomaly
The request for the customer to call a number was atypical for Microsoft communications, raising a red flag. This unusual language was another indicator that the email was malicious.
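As an added illustration (not KnowBe4’s code or Defend’s detection logic), the Python checker below applies the four indicators described in this section to a constructed message in the shape of this campaign. The tenant label, the Delivered-To header standing in for the envelope recipient, and the 1-555 phone number are placeholders, not data from a real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the shape of this campaign; addresses and the 1-555 number are placeholders.
SAMPLE_EMAIL = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: our-company@example-tenant.onmicrosoft.com
Delivered-To: alice@example.com
Subject: Your subscription purchase
Content-Type: text/plain; charset=utf-8

Thank you for your order. View it at https://microsoft.com/orders
Account Information
Account name: Your subscription has been successfully purchased for 689.89 USD
using your bank account. If you did not authorize this transaction, please call 1-555-0100 to request a refund.
"""

PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")        # loose phone-number shape
CALL_RE = re.compile(r"\b(?:call|phone|dial)\b", re.I)  # asks the reader to telephone
URL_DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def base_domain(host):
    """Last two labels of a hostname: example-tenant.onmicrosoft.com -> onmicrosoft.com."""
    return ".".join(host.lower().split(".")[-2:])

def find_indicators(raw):
    """Return the names of the indicators above that fire on a raw RFC 5322 message."""
    msg = message_from_string(raw)
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    delivered_to = parseaddr(msg.get("Delivered-To", ""))[1].lower()  # envelope recipient stand-in
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    to_domain = to_addr.partition("@")[2]
    found = []
    # 1. Recipient is the tenant's internal .onmicrosoft.com address, not its public domain.
    if to_domain.endswith(".onmicrosoft.com"):
        found.append("onmicrosoft_recipient")
    # 2. Header "To" differs from the mailbox the message was actually delivered to.
    if delivered_to and delivered_to != to_addr:
        found.append("to_vs_envelope_mismatch")
    # 3. No domain linked in the body matches the recipient's domain.
    body_domains = {base_domain(h) for h in URL_DOMAIN_RE.findall(body)}
    if body_domains and base_domain(to_domain) not in body_domains:
        found.append("body_domain_mismatch")
    # 4. A sentence asks the reader to call a phone number, atypical for Microsoft.
    for sentence in re.split(r"(?<=[.!?])\s+", body):
        if CALL_RE.search(sentence) and PHONE_RE.search(sentence):
            found.append("call_phone_number_request")
            break
    return found
```

In production the envelope recipient would come from the receiving MTA’s own record rather than a trusted header, and the indicators would be weighted rather than treated as a simple list.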