Phishers bypass Microsoft 365 security controls by spoofing

A domain spoofing email phishing campaign that very convincingly impersonates Microsoft and successfully tricks legacy secure email gateways has recently been spotted by Ironscales.

It also led them to discover that Microsoft servers are not currently enforcing the DMARC protocol. “This is especially perplexing when considering Microsoft frequently ranks as a top 5 most spoofed brand year after year,” said Lomy Ovadia, the company’s VP of research and development.

The phishing campaign

The phishing emails in question look like this:

The attackers:

  • Spoofed the sender’s domain to make it look like the email comes from Microsoft
  • Used a relatively new Microsoft 365 capability (to review quarantined messages) as a pretext to trick users into following the offered link
  • Attempted to create a sense of urgency

The link takes users to a fake login page that “asks” for Microsoft 365 login credentials. Needless to say, users who enter them are effectively handing them over to the phishers.

“What’s interesting about this campaign is that exact domain spoofs aren’t incredibly sophisticated attacks for gateway controls to detect,” Ovadia noted.

“The reason why SEGs [secure email gateways] can traditionally stop exact domain spoofing is because, when configured correctly, this control is compliant with Domain-based Message Authentication, Reporting and Conformance (DMARC).”

DMARC is an email authentication protocol designed to help email domain owners protect their domain from unauthorised use.

“Any other email service that respects and enforces DMARC would have blocked such emails. It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure,” Ovadia concluded.
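To make the enforcement point concrete, the following is an added Python example (not code from the article or from Ironscales) that evaluates a message the way an enforcing receiver would under a published DMARC policy. The domain, the DMARC record and the authentication results are constructed placeholders; the point it shows is that with strict alignment and p=reject, an exact-domain spoof whose SPF passes only for the attacker's own sending domain is rejected, whereas a receiver that ignores the published policy lets the same message through.

```python
# Added example: a minimal DMARC disposition check (not a full RFC 7489 implementation).

# Constructed DMARC record for a placeholder brand domain; a real receiver would
# fetch _dmarc.<domain> from DNS instead of this table.
DMARC_RECORDS = {
    "example-brand.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a lowercase tag->value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels); real code uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str, enforce: bool = True) -> str:
    """Return 'pass', the published policy (reject/quarantine/none),
    'none' if no record exists, or 'fail-not-enforced' when the receiver
    authenticates the message but does not act on the domain owner's policy."""
    record = DMARC_RECORDS.get(from_domain.lower())
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    if not enforce:
        return "fail-not-enforced"  # the spoof reaches the inbox anyway
    return tags.get("p", "none")


if __name__ == "__main__":
    # Spoof: From: header claims example-brand.com, SPF passes only for the attacker's MTA domain.
    print(dmarc_disposition("example-brand.com", True, "attacker-mail.example", False, ""))
    print(dmarc_disposition("example-brand.com", True, "attacker-mail.example", False, "", enforce=False))
```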

The phishing campaign has been aimed at Microsoft 365 enterprise users within various verticals (finsec, healthcare, insurance, manufacturing, utilities, telecom, etc.).