Already a Step Ahead, Attackers Have Started to Spoof New Microsoft 365 Sign-in Pages

Lately, Microsoft discovered that attackers have already revamped their phishing campaigns to leverage the newly updated model for Azure AD and Microsoft 365 sign-in pages.

What’s cooking?

  • The data generated by Microsoft Office 365 Advanced Threat Protection (ATP) shows that hackers have started to spoof the new Azure AD sign-in page in several phishing campaigns.
  • Microsoft updated the new Azure AD sign-in page for its customers about three months ago, and its release started from the first week of April.
  • While the change was made to reduce the bandwidth requirements of the already existing Azure AD sign-in pages.
  • Due to this, the potential victims easily found out when they were targeted because the attackers forgot to update their phishing tools.

What attackers are up to?

  • As per the Microsoft discovery, threat actors are quickly adapting to changes made to resources to successfully perform attacks.
  • Adapting to changes quickly allows hackers to trick their targets into opening malicious attachments and giving out sensitive data on phishing landing pages that copy the current designs of services they’re mimicking.
  • Recently, one of the phishing campaigns is sending emails with the subject line - 'Business Document Received' and spiteful PDF attachments, which requires the potential victims to sign-in for viewing.
  • If the recipients click on the 'Access Document' option displayed on the malicious PDF disguised as an OneDrive shared file, they will be landed on a phishing page that mimics the new design of Azure AD and Microsoft 365 sign-in page.

Microsoft customers in the limelight

  • In addition to Azure AD and Microsoft 365, threat actors are using several other Microsoft products as lures in recent attacks.
  • Earlier this month, a series of phishing attacks used cloned imagery from automated Microsoft Teams notifications to steal Office 365 credentials.
  • In April, Microsoft’s Sway service was impersonated in a spearphishing campaign, dubbed PerSwaysion, to trick recipients into sharing their Office 365 credentials with several threat actors.