A sophisticated phishing email targeting Office 365 users is in the wild

November 25, 2020
microsoft office 365 phishing email campaign

Microsoft has warned the public about a new phishing campaign targeting Office 365 users via their Twitter account on Tuesday, November 17th.


phishing email campaign Microsoft image 1



This newly discovered phishing email was seemingly a sophisticated one, as it was designed to bypass and dodge secure email gateways as per the Microsoft analysis. The Threat actors behind this attack use the Social Engineering technique and timely enticement techniques relevant to remote work set up, such as helpdesk tickets, password updates, projects communications, SharePoint, and conferencing information.

Redirector URLs are also being utilized by the Threat actors as upon detecting connections for sandboxes, it will redirect them to the legitimate sites to elude detections. In contrast, potential victims will be redirected to phishing websites. Sandbox is used by Analysts to detect these types of attacks.

This technique allows the Threat actors to be certain that the only targeted individuals will be directed to the phishing sites, thus significantly preventing their attack from being detected or blocked.  This phishing email also uses a highly obfuscated HTML Code to bypass secure email gateways and land the victim’s inboxes impeccably.

More so, aside from the previously mentioned characteristics, this new campaign can also generate a custom subdomain used in redirector sites for each target to make the URLs as convincing as possible in the eyes of their target victims. The subdomains are created using different formats but will always contain the target victim’s Username and their Organization’s domain name.

The phishing URL contains an extra dot (.) after the TLD, followed by the recipient’s Base64-encoded email address.


phishing email campaign Microsoft image 2

Phishing Subdomain pattern used in this phishing email attack


The target victim’s Office 365 credentials will only be harvested once they fall into the trap of clicking the password reset link shown on the email and entering the phishing page’s credentials. It must be said that the lures utilized in this campaign are believable as the technique used is almost flawless, and the phishing website where potential victims were being redirected is realistic and persuasive.

However, Microsoft reiterated that its Defender for Office 365 products could detect such phishing email threats and connect threat data across email, endpoints, entities, and apps. More so, they pointed out that Office 365 uses behavior-based detection techniques and machine learning to detect such kinds of sophisticated email threats.



About the author

Leave a Reply