Introduction
As email security defenses, including Secure Email Gateways (SEGs) and advanced threat protection mechanisms, become more sophisticated, adversaries continuously refine their evasion techniques to bypass even the most robust detection mechanisms. Our latest research uncovered a highly sophisticated phishing campaign that exploits Microsoft 365’s trusted infrastructure to potentially facilitate credential harvesting and account takeover (ATO) attempts.
By leveraging legitimate Microsoft domains and tenant misconfigurations, attackers conduct Business Email Compromise (BEC) operations, tricking users into providing information while maintaining a high degree of apparent legitimacy. This technique effectively bypasses traditional email security controls by exploiting inherent trust mechanisms.
This analysis provides a technical breakdown of the attack chain, detailing how threat actors manipulate Microsoft 365 tenant properties, abuse tenant architectures, and leverage organizational profile spoofing to embed phishing payloads directly within enterprise environments. Additionally, it provides recommendations to detect and prevent this kind of attack.
Attack Overview
This attack exploits legitimate Microsoft services to create a trusted delivery mechanism for phishing content, making it difficult for both technical controls and human recipients to detect. Unlike traditional phishing, which relies on lookalike domains or email spoofing, this method operates entirely within Microsoft’s ecosystem, bypassing security measures and user skepticism by leveraging native M365 infrastructure to deliver phishing lures that appear authentic and blend in seamlessly.
By leveraging Microsoft’s trusted service-generated emails, this technique evades traditional detection methods, including domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms. The result is a highly deceptive attack that exploits inherent trust in Microsoft’s cloud services, making it significantly more challenging for security teams to detect and mitigate.
Attack Flow Summary
The following diagram illustrates the complete attack chain:
Attack Flow
Phase 1: Infrastructure Acquisition
Threat Actor Establishes Control of Multiple Microsoft Organization Tenants
Adversaries establish control over multiple Microsoft 365 organization tenants, either by registering new tenants or compromising existing ones. Each tenant plays a strategic role in the attack chain, allowing the threat actor to evade detection and manipulate trust mechanisms within the Microsoft 365 infrastructure.
Primary attack organizations:
Tenant A – Facilitates fraudulent activities such as unauthorized purchases, triggering billing events, and generating transaction records that appear legitimate.
Tenant B – Used for brand impersonation, leveraging Microsoft’s built-in display name fields, logos, and organizational metadata to enhance credibility and deceive recipients.
Tenant C – Functions as a covert relay point, utilizing mail forwarding and transport rule abuse to reroute phishing emails, ensuring delivery while bypassing security controls.
By distributing attack functionalities across multiple tenants, the threat actor minimizes risk, obfuscates attribution, and ensures the resilience of the phishing infrastructure within Microsoft’s trusted environment.
Phase 2: Technical Configuration
Setup of Administrative Accounts and Forward Rules
Once control over the Microsoft 365 tenants is established, the attacker creates administrative accounts using the default “*.onmicrosoft.com” domain.
The key tactics include the following steps:
- Admin Account Creation – Attackers generate privileged accounts under the default “*.onmicrosoft.com” domain, reducing visibility within standard monitoring tools that focus on corporate domains.
- Mail Forwarding Abuse – The threat actors configure transport rules and leverage built-in Microsoft 365 forwarding mechanisms (such as SMTP forwarding, Inbox rules, and Transport Rules) to redirect subscription confirmation emails, service alerts, and authentication-related messages to victims.
- Evasion – By using a legitimate email forwarding feature within Microsoft 365, the attack circumvents traditional anti-phishing protections, allowing fraudulent messages to blend seamlessly into trusted email flows.
This technique exploits inherent functionalities within Microsoft’s email infrastructure, making it difficult for security teams to distinguish malicious activity from normal administrative operations.
Phase 3: Deception Preparation
Manipulation of Tenant Display Information for Social Engineering
To enhance the credibility of their phishing campaign, the attacker configures the second tenant’s organization name with a misleading full-text message that mimics a legitimate Microsoft transaction notification. This tactic exploits Microsoft 365’s built-in tenant display name feature, which is reflected in various service-generated emails and interfaces.
One example of such a deceptive organization (tenant) name is:
“(Microsoft Corporation) Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-4716 to request a refund.”
Exploiting Microsoft’s Display Name Field (Branding and Account Information) – The attacker weaponizes the tenant’s organization name field to inject a phishing lure directly into the email. Instead of embedding malicious links, the message instructs victims to call a fraudulent support number, leading to a social engineering attack designed to lure the victim into installing a stealer (malware) or to steal financial information or credentials.
Why does this attack work?
- Bypasses URL security mechanisms – Since the phishing lure is embedded in the display name rather than in a link, traditional email security tools do not flag it as suspicious.
- Leverages Microsoft 365’s Trusted Infrastructure – The email appears to originate from a legitimate onmicrosoft.com domain, reducing recipient skepticism.
- Human exploitation – In some cases, the urgent financial threats increase the likelihood of user interaction, making victims more susceptible to social engineering.
Phase 4: Attack Execution
To maximize legitimacy and evade detection, the attacker initiates a purchase or trial subscription event within the first tenant. This action generates an authentic Microsoft-signed billing email, leveraging Microsoft’s infrastructure to deliver phishing content that appears completely legitimate. The attacker manipulates the organization display name in a second tenant, ensuring that the fraudulent message is embedded within a trusted communication channel.
Attack Process
- Initiate the Transaction – The attacker triggers a subscription or purchase event within Tenant A, prompting Microsoft’s billing system to issue a confirmation email.
- Microsoft 365 Signed Email – Since the transaction occurs within a legitimate Microsoft environment, the resulting email is signed and aligned with SPF, DKIM, and DMARC policies, ensuring it is not flagged as suspicious.
- Embedding Phishing Content in the Display Name – The email dynamically incorporates organizational information from Tenant B, which has been configured with a misleading full-text phishing lure. This could include a fabricated charge notification and a callback number for the victim to dispute the transaction.
- Delivery to the Target – The victim receives a legitimate Microsoft-generated email that appears to confirm a purchase, but the embedded message directs them to call a fraudulent support number. Because the email is sent directly from Microsoft’s infrastructure, it bypasses traditional phishing detection mechanisms.
Phase 5: Technical Legitimization
Legitimate Email Through Microsoft
By leveraging Microsoft’s legitimate email infrastructure, the attacker ensures that the phishing email passes through Microsoft’s servers without raising security alerts. Because the email originates from a trusted source, it is far more likely to reach the victim’s inbox without being flagged by security tools.
Phase 6: Victim Engagement
Phishing Hook: Fraudulent Contact Details
Microsoft’s billing emails include the organization name – in this case, text containing fake support contact numbers that urge immediate victim interaction. Moving the victim to a direct phone conversation significantly enhances phishing effectiveness beyond traditional email-based methods.
Attack Impact
This attack method is particularly effective because:
- It bypasses traditional email security controls by using legitimate Microsoft infrastructure
- It generates emails with valid authentication markers (SPF, DKIM, DMARC)
- It creates urgency by appearing to be related to unauthorized financial transactions
- It moves the attack to a voice channel where fewer security controls exist
Technical Analysis
Tenant Creation and Configuration
The attack begins with the creation of a legitimate Microsoft 365 tenant. The attacker registered a tenant under the default *.onmicrosoft.com domain. The critical element of this attack is the organization’s profile information, which the attacker populated with the following:
“(Microsoft Corporation) .Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call 1(888) 651-9337 to request a refund.”
This text appears in the “Organization name” field and is automatically included in various communications from the tenant, effectively embedding the scam message in the body of a legitimate Microsoft subscription email.
Email Delivery Mechanism
The attack delivered a seemingly legitimate Microsoft subscription confirmation email with the following characteristics:
- Authentic Sending Domain: The email was sent from [email protected]
- Valid Authentication: The email passed DKIM, SPF, and DMARC checks
- Legitimate Mail Infrastructure: The message traversed Microsoft’s actual mail servers
- Convincing UI Elements: The email contains Microsoft logos, formatting, and design elements
Header Analysis
Examining the email headers reveals how the attacker leveraged Microsoft’s infrastructure:
These headers show that the email originated from Microsoft’s own systems rather than being spoofed. The “To” field reveals an interesting aspect of this attack – the email was not directly addressed to the victim but rather to an address within one of the tenants the attacker had created earlier.
Multiple “X-MS-Exchange-CrossTenant” headers in the full email indicate the message traversed Microsoft’s internal routing infrastructure:
Delivery Technique
While a typical phishing email would be sent directly to the victim, this attack employs a more sophisticated approach. Although the exact delivery mechanism remains partially obscured, the email appears to leverage Microsoft’s complex enterprise mail routing capabilities to reach the target inbox without showing obvious signs of forwarding or direct addressing.
The attacker likely utilized mail flow rules or other tenant-level configurations to route the email to the victim’s address while keeping the attacker’s tenant as the Return-Path, maintaining the appearance of legitimate internal Microsoft communication.
Social Engineering Elements
The email contained several compelling social engineering elements:
- Urgency trigger: Notification of an unauthorized purchase creates immediate concern
- Legitimate appearance: The content mimics authentic Microsoft communications
- Customer service scam: A phone number promises “refund” assistance
- Multiple attack vectors: Both a phone number and email manipulation for victim engagement
Detection and Prevention
Guardz has identified, analyzed, and successfully disrupted this phishing campaign, implementing measures to safeguard our customers. Our email security system effectively mitigated the attack, while our security team informed affected customers and implemented enhanced detection mechanisms to prevent similar threats in the future.
This attack presents a crucial detection challenge due to its reliance on legitimate Microsoft infrastructure and trusted email authentication mechanisms. Traditional email security measures, such as SPF, DKIM, and DMARC, are ineffective because the phishing emails originate from a legitimate Microsoft domain.
The Guardz unified security platform gives a unique edge in combating this type of threat. By combining detections across security controls, Guardz admins as well as our MDR and research teams are able to identify these modern attack techniques and prevent them from spreading.
This attack presents unique challenges for detection:
- Traditional email authentication (DKIM, SPF, DMARC) cannot detect it
- The sending domain is legitimately Microsoft.com
- Content filtering may miss the scam content in organization metadata
- The email passes through legitimate Microsoft infrastructure
To protect against this attack vector:
- Enhanced email analysis: Implement content inspection that analyzes organization fields and metadata; check return-path headers (e.g., suspicious paths like bounces+SRS=*@.onmicrosoft.com)
- User awareness: Train users with phishing awareness to recognize suspicious elements and think twice before phoning an unverified number.
- Phone verification: Validate official support numbers rather than calling those in emails; reference Microsoft’s official directory: https://support.microsoft.com/en-us/topic/customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2
- Be aware of unknown .onmicrosoft.com domains: Be suspicious of communications from unfamiliar .onmicrosoft.com domains / newly created tenants.
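To make the detection advice above concrete, the following added example (not Guardz’s code and not part of the original write-up) scores one raw message against the signals this analysis describes: an SRS-rewritten Return-Path in an onmicrosoft.com tenant, a To: header that does not name the mailbox that actually received the mail, X-MS-Exchange-CrossTenant routing headers, and a callback number beside billing/refund language in the body. The sample message, its addresses, tenant name, SRS token, GUID and phone number are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not a real capture): a billing-style notification whose body
# carries the lure from a tenant "Organization name" field; all values are placeholders.
SAMPLE = """\
Return-Path: <bounces+SRS=abc12=XY@exampletenant.onmicrosoft.com>
From: Microsoft <noreply@example.invalid>
To: relay@exampletenant.onmicrosoft.com
Subject: Your subscription confirmation
X-MS-Exchange-CrossTenant-Id: 00000000-0000-0000-0000-000000000000
Authentication-Results: spf=pass; dkim=pass; dmarc=pass

(Microsoft Corporation) Your subscription has been successfully purchased for
689.89 USD using your checking account. If you did not authorize this
transaction, please call 1(888) 555-0100 to request a refund.
"""

# North-American number as written in the lures, e.g. "1(888) 651-4716".
PHONE_RE = re.compile(r"\b1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Billing/refund vocabulary taken from the organization-name lure quoted above.
LURE_TERMS = ("subscription", "purchased", "checking account",
              "did not authorize", "refund", "call")
# Return-Path rewritten by SRS into an onmicrosoft.com tenant.
SRS_RETURN_PATH_RE = re.compile(
    r"^<?bounces\+srs=[^@]*@[^@>]*\.onmicrosoft\.com>?$", re.IGNORECASE)

def analyze_message(raw: str, delivered_to: str) -> list[str]:
    """Return detection signals for one message; delivered_to is the envelope recipient."""
    msg = message_from_string(raw, policy=default)
    signals = []
    if SRS_RETURN_PATH_RE.match((msg.get("Return-Path") or "").strip()):
        signals.append("srs-return-path-onmicrosoft")
    # To: names a mailbox in another tenant, not the one that received the mail.
    to_header = msg["To"]
    to_addrs = {a.addr_spec.lower() for a in to_header.addresses} if to_header else set()
    if to_addrs and delivered_to.lower() not in to_addrs:
        signals.append("to-header-mismatch")
    # Cross-tenant routing headers: the mail crossed tenant boundaries inside M365.
    if any(k.lower().startswith("x-ms-exchange-crosstenant") for k in msg.keys()):
        signals.append("cross-tenant-routing")
    # Callback-number lure: a phone number beside billing/refund language in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sum(term in text.lower() for term in LURE_TERMS)
    if PHONE_RE.search(text) and hits >= 3:
        signals.append("callback-number-lure")
    return signals
```

Any single signal is weak on its own (cross-tenant headers appear on plenty of legitimate mail), so treat the combination as the alert condition and route hits to a reviewer rather than blocking outright.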
Conclusion
This sophisticated attack demonstrates how threat actors continue to evolve their techniques by manipulating legitimate infrastructure in novel ways. By embedding malicious content within seemingly authentic organizational email and leveraging Microsoft’s trusted mail delivery systems, attackers have created a particularly convincing phishing vector.
As defenders, we must adapt our detection and response capabilities to address these evolving threats, focusing not just on traditional indicators of compromise but also on how legitimate systems can be manipulated for malicious purposes.
IOC Table
Written by
Ron Lev is our Security Researcher at Guardz, focusing on uncovering and analyzing emerging cybersecurity threats. His experience includes safeguarding enterprise multi-cloud environments and independently developing advanced email security solutions through his entrepreneurial ventures. Ron’s research emphasizes actionable threat intelligence and developing security tools that empower small businesses to effectively defend against sophisticated, enterprise-level cyber-attacks.