<— Back

Spoofing Microsoft M365 service to send phishing emails that will bypass email security protections

Using Microsoft M365 service, we can send a spear phishing email to the targeted users by bypassing email security protections, In this case, I demonstrated with Microsoft Safelinks, The key part is,

• The attacker doesn’t need to host the payload elsewhere
• Don’t need to create a domain
• Don’t need to compromise other websites
• Don’t need to compromise high reputation websites
• All the requirements can be obtained from the Microsoft M365 service to send a phishing payload.
• The context I meant is not the end payload (SharePoint link), From the starting email delivery itself from the Microsoft M365 service.

History:

• I found this technique and reported it to Microsoft in October 2019, but Microsoft rejected it as a non-security issue.
• But from Mid-year 2020 after the Covid starts, WFH is the normal working pattern and we have observed lots of successful Spear phishing campaigns started using Microsoft SharePoint as an end payload for credential harvesting or asking the victim to download the malware and so on
• Later by August 2021, we observed a huge trend related to this attack and recorded by most of the security vendors blog

What differs from the current attack trend?

So, I have decided to revisit, and I found the issue exists till now

• The main context I meant is not the end payload (SharePoint link) like what other adversaries are doing, my finding starts from the email delivery itself via the Microsoft M365 service.
• I can create a free M365 typo squatting domain that matches the target organization and starts delivering the phishing email
• The Important problem is, that this will bypass most of the Email-Security products
• Threat groups like TA505 can use this method successfully if they came to know of this technique because by default it will bypass the Email-Security products