
Spoofing the Microsoft M365 service to send phishing emails that bypass email security protections

Using the Microsoft M365 service, an attacker can send spear-phishing emails to targeted users while bypassing email security protections. In this case I demonstrated it against Microsoft Safe Links. The key points are:

  • The attacker does not need to host the payload elsewhere
  • Does not need to register a domain
  • Does not need to compromise other websites
  • Does not need to compromise high-reputation websites
  • Everything required to deliver a phishing payload can be obtained from the Microsoft M365 service itself
  • The point is not the end payload (the SharePoint link); it is the email delivery itself, which originates from the Microsoft M365 service

History:

  • I found this technique and reported it to Microsoft in October 2019, but Microsoft rejected it as a non-security issue.
  • From mid-2020, after Covid started and WFH became the normal working pattern, we observed many successful spear-phishing campaigns using Microsoft SharePoint as the end payload, for credential harvesting, for asking the victim to download malware, and so on.
  • By August 2021 this attack had become a major trend, recorded in most security vendors' blogs.

What differs from the current attack trend?

So I decided to revisit it, and I found that the issue still exists today.

  • The main point is not the end payload (the SharePoint link), which is what other adversaries are using; my finding starts from the email delivery itself via the Microsoft M365 service.
  • I can create a free M365 typosquatting domain that matches the target organization's and start delivering phishing email from it.
  • The important problem is that this bypasses most email security products.
  • Threat groups like TA505 could use this method successfully if they learn of it, because by default it bypasses email security products.
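Because the attacker legitimately owns the typosquatting domain and sends through Microsoft's own infrastructure, SPF, DKIM and DMARC all pass, and sender reputation is Microsoft's. A mail gateway therefore has to look at the From: domain itself. The following is an added example of such a check, written for this page and not part of the talk or the author's research: it parses a constructed (made-up) header block, extracts the From: domain, flags it as a lookalike of a protected domain by edit distance or by reuse of the organization's label (for example inside a `*.onmicrosoft.com` tenant name), and records whether the message left Microsoft 365, assuming the Exchange Online Protection outbound relay hostname pattern `*.outbound.protection.outlook.com`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample headers (not a real message). The visible From: domain
# examp1e.com is a typosquat of the protected domain example.com, the message
# is relayed out of Microsoft 365, and every authentication check passes
# because the attacker genuinely owns examp1e.com.
SAMPLE_HEADERS = """\
Received: from NAM02-BN1-obe.outbound.protection.outlook.com by mx.example.com with ESMTPS id c0ffee
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
From: IT Helpdesk <helpdesk@examp1e.com>
To: user@example.com
Subject: Action required: review the shared document
"""

# Assumption: Exchange Online Protection outbound relays carry this suffix.
M365_OUTBOUND_RELAY = re.compile(r"\.outbound\.protection\.outlook\.com\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def header_value(headers: str, name: str) -> Optional[str]:
    """First line of the named header (continuation lines are ignored)."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", headers, re.M | re.I)
    return m.group(1).strip() if m else None


def sender_domain(headers: str) -> Optional[str]:
    """Domain of the RFC 5322 From: address, i.e. the one the recipient sees."""
    frm = header_value(headers, "From")
    if not frm:
        return None
    m = re.search(r"([\w.+-]+)@([\w.-]+)", frm)
    return m.group(2).lower().rstrip(".") if m else None


def lookalike_of(sender: str, protected: List[str], max_distance: int = 2) -> Optional[str]:
    """Return the protected domain that `sender` imitates, or None.

    The real domain and its subdomains are skipped: those are the job of
    SPF/DKIM/DMARC. Short organization labels (e.g. 'hp') will over-match the
    substring test and need a longer minimum or an allowlist in practice.
    """
    sender = sender.lower()
    for p in protected:
        p = p.lower()
        if sender == p or sender.endswith("." + p):
            continue
        if levenshtein(sender, p) <= max_distance:       # examp1e.com, exampl.com
            return p
        org_label = p.split(".")[0]
        if any(org_label in label for label in sender.split(".")):  # example.onmicrosoft.com
            return p
    return None


def assess(headers: str, protected: List[str]) -> Dict[str, object]:
    """Summarize what a gateway rule would need to decide on this message."""
    sender = sender_domain(headers)
    auth = header_value(headers, "Authentication-Results") or ""
    return {
        "sender_domain": sender,
        "lookalike_of": lookalike_of(sender, protected) if sender else None,
        "via_m365": bool(M365_OUTBOUND_RELAY.search(headers)),
        "dmarc_pass": bool(re.search(r"\bdmarc=pass\b", auth, re.I)),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, ["example.com"]))
```

The interesting output field is the combination: `dmarc_pass` is true and the mail came from Microsoft's relays, yet `lookalike_of` points at the organization's own domain. That combination, rather than any authentication failure, is what a gateway rule or SIEM query has to key on for this technique.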

Reegun Richard Jayapaul

Reegun Richard is a Senior Threat Architect at SpiderLabs, Trustwave's threat research and hunting team, with 11 years of experience in security research, malware analysis, reverse engineering, threat hunting, incident response and security training; he has worked with clients across different sectors, threat hunting on multiple technologies and environments.

He also does offensive security research, finding new vulnerabilities and reporting them to vendors, simulating and researching new attacks to build better detection and to improve the quality of his research deliverables, and is the main contributor to the GoldenSpy and GoldenHelper analysis and findings, actively enhancing defensive skills by simulating offensive methodologies.

He previously worked in the financial sector doing incident response, malware analysis and purple teaming, and in Symantec's elite threat research team 'MATI', where he uncovered APT attacks related to PRC and DPRK threats. He holds industry-standard certifications including SANS GREM, GCIA and OSCP.