Anatomy of a Phishing Attack: Stolen Microsoft 365 Credentials

by Daria Aleksandrova

Phishing attacks designed to steal Microsoft 365 credentials are launched every day and are growing more sophisticated. We recently detected a massive attack that hid a fake Microsoft 365 login page in the attachments of incoming emails.


The attack

On Sunday, August 16, at 13:24 UTC, a huge phishing attack started, aiming to steal employee login credentials from one of Cyren Inbox Security’s biggest customers.

For 5 hours straight, 579 phishing emails bypassed all of the customer’s existing filtering capabilities (including Microsoft 365 and SEGs) and arrived in employees’ inboxes. (Luckily, all of the emails were flagged as phishing by Cyren Inbox Security the moment they arrived in the mailboxes.)

The emails were sent “from the organization’s IT Support team” with the subject “Increase Storage Data.” They urged employees to increase their mailbox storage; otherwise they “.. will soon stop from sending and receiving mails.”

Needless to say, all the emails were sent from a risky email address that had nothing to do with the company’s IT team.

The phishing link itself was well hidden in the email’s attachment. Once the attachment was opened, the fake “Microsoft 365 Login” page appeared and asked the potential victim to enter their account credentials to “add more storage to the mailbox.”

Also sophisticated? Each phishing URL targeted a particular individual inside the company: the body text of each email was personalized to address the specific employee.
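The two signals described above (an internal-sounding sender on an unrelated address, and a login form delivered inside an attachment) can be checked on the raw message. The following is an added example, not Cyren's detection logic or code from the original article; it assumes the attachment is an HTML file, and the `triage` and `FormFinder` names, the sender keywords, and all addresses and domains are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the incident): internal-sounding display name
# on an unrelated address, with an HTML attachment holding a login form.
SAMPLE = """\
From: IT Support <helpdesk@mail-notice.example>
Subject: Increase Storage Data
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="storage.html"

<title>Microsoft 365 Login</title><form action="https://collector.example/save">
<input type="password" name="p"></form>
--b1--"""

class FormFinder(HTMLParser):  # records form targets and password fields
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def triage(raw, org_domain, names=("it support", "helpdesk", "help desk")):
    """Return findings for one raw message; org_domain is the real mail domain."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    if any(n in name.lower() for n in names) and not addr.lower().endswith("@" + org_domain):
        findings.append("sender-mismatch:" + addr)
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or fname.endswith((".htm", ".html"))
        if part.is_multipart() or not is_html:
            continue
        finder = FormFinder()
        finder.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        if finder.has_password:
            hosts = sorted({urlparse(u).hostname or "(none)" for u in finder.actions})
            findings.append(f"credential-form:{fname}:{','.join(hosts)}")
    return findings
```

The attachment is matched by file name as well as MIME type because an HTML file can be labeled `application/octet-stream`, as in the constructed sample.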

Detected and Protected by Cyren Inbox Security

Being neatly concealed in the attachment, this elusive spear-phishing attack was invisible to the Secure Email Gateway.

However, this company uses Cyren Inbox Security. The incoming emails were scanned, and Cyren Inbox Security automatically flagged the fake Microsoft 365 login landing page as suspicious and detonated the untrusted URL. As a result, every copy of the email was removed from the mailbox and no employees were successfully phished.

Learn more about Cyren Inbox Security

Cyren Inbox Security was built to safeguard each and every Microsoft 365 mailbox in your organization. It is a continuous and automated layer of security right in the user mailbox:

  • Persistently rescans inbound, outbound and delivered emails in all folders
  • Reduces investigative overhead with automated incident and case management workflows
  • A seamless mailbox plugin lets users scan and report suspicious emails

Our threat visibility is unsurpassed. Cyren’s global security cloud processes 25 billion email and web security transactions every day, identifying 9 new threats and blocking over 3,000 known threats each second.

Ready to play with Cyren Inbox Security for Microsoft 365? Start a 30-day trial, no credit card needed
