Attackers are conducting business email compromise (BEC) campaigns by exploiting the trusted infrastructure of Microsoft 365 to execute credential harvesting and account takeover (ATO).
Guardz explained on March 13 that unlike traditional phishing, which relies on lookalike domains or email spoofing, attackers operate entirely within Microsoft’s ecosystem, bypassing security measures by using phishing lures that appear authentic.
According to Guardz, because the phishing emails originate from a legitimate Microsoft domain, this lets attackers evade traditional detection methods, including domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms.
The researchers wrote that, for brand impersonation, once attackers compromise a tenant they leverage Microsoft’s built-in display-name fields, logos, and organizational metadata to enhance credibility and deceive recipients.
“The result is a highly deceptive attack that exploits inherent trust in Microsoft’s cloud services, making it significantly more challenging for security teams to detect and mitigate,” wrote the researchers.
Stephen Kowski, Field CTO at SlashNext Email Security, said teams should enable advanced phishing protection that can detect tenant manipulation and organizational profile spoofing, while implementing real-time scanning that can identify and remediate threats even after delivery to inboxes.
“There shouldn’t be inherent trust in any cloud service, as this mindset creates dangerous security gaps that sophisticated attackers readily exploit,” said Kowski. “Organizations must adopt zero-trust principles when using Microsoft 365, implementing continuous verification and least privilege access even for seemingly legitimate communications from trusted domains.”
Evan Dornbush, a former NSA cybersecurity expert, pointed out that unfortunately, it’s not a simple case of “we understand the problem, let’s have the security professionals respond.”
Dornbush said the Guardz report included steps security pros can use, such as specific string pattern matching and awareness of phone numbers observed to be used by scammers. However, the guidance for end-users for years has been to “check the sender domain, and don't click that link” — and that mantra no longer works, said Dornbush.
“These emails didn’t have malicious links,” said Dornbush. “Rather, they invited recipients to call a number and speak directly with the fraudster. This is less about technical exploitation than it’s human social engineering — and it’s historically been very hard to educate, protect, and monitor humans from all forms of con games.”
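The lure shape described above (a message from a genuine Microsoft sending domain, no link to click, and a phone number the recipient is urged to call) can be turned into a triage rule. The following is an added example, not code from Guardz or from the article; the sender-domain list, the phone-number pattern, the call-to-action word list, and both sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: the lure arrives from a Microsoft-operated sending domain, so
# reputation and DMARC checks pass. The exact domain set is configurable.
MICROSOFT_SENDER_DOMAINS = {"microsoft.com"}

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# North-American-style numbers: 1-800-555-0199, (555) 555-0199, +1 555 555 0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}")
CALLBACK_WORDS = re.compile(r"\b(call|phone|dial|speak with)\b", re.IGNORECASE)


@dataclass
class Email:
    sender: str
    subject: str
    body: str


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def callback_phish_score(msg: Email) -> tuple[int, list[str]]:
    """Return (score, reasons). Each reason is one signal from the report:
    trusted Microsoft origin, no URL present, phone number plus call-to-action."""
    reasons = []
    if sender_domain(msg.sender) in MICROSOFT_SENDER_DOMAINS:
        reasons.append("legitimate Microsoft sender domain (reputation checks pass)")
    text = f"{msg.subject}\n{msg.body}"
    if not URL_RE.search(text):
        reasons.append("no URL in message (link filters have nothing to inspect)")
    phones = PHONE_RE.findall(text)
    if phones and CALLBACK_WORDS.search(text):
        reasons.append(f"phone number with call-to-action: {phones[0].strip()}")
    return len(reasons), reasons


def is_suspicious(msg: Email) -> bool:
    # All three signals together is the callback-phishing profile; any one alone
    # is common in legitimate mail (e.g. a real Microsoft notice with a link).
    return callback_phish_score(msg)[0] >= 3


# Constructed samples: a callback-style lure and a benign notification.
SAMPLE_LURE = Email("notifications@microsoft.com", "Subscription renewal processed",
                    "A charge of $499.99 was processed. If you did not authorize "
                    "this, call our billing desk at 1-800-555-0199 within 24 hours.")
SAMPLE_BENIGN = Email("notifications@microsoft.com", "Your report is ready",
                      "View the report at https://example.com/report.")
```

Treat a match as a reason to route the message to analyst review rather than as a verdict, since legitimate billing mail can also carry a support number.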
Nicole Carignan, senior vice president, security and AI strategy, and Field CISO at Darktrace, added that despite increased focus on cybersecurity awareness training and email security, organizations and their employees continue to be plagued by successful phishing attempts, including BECs.
“As the sophistication of phishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks,” said Carignan. “Instead, organizations must use machine learning-powered tools that can understand how their employees interact with their inboxes and build a profile of what activity is normal for users, including their relationships, tone and sentiment, content, and when and how they follow or share links. Only then can they accurately recognize suspicious activity that may indicate an attack or BEC.”