M365 Phishing attempts are becoming more sophisticated
We have recently seen a step up in the sophistication of phishing attacks aimed at harvesting M365 login credentials.
The video was recorded following a phishing attempt. The user was sent a link, which they clicked and were then presented with the M365 sign-in page. It looked genuine to the user, and it even validates MFA by sending a code to the user's phone.
The attacker is using a man-in-the-middle attack: the user is tricked into entering their email address and password on the fake page. These are harvested, and the attacker uses them to sign in to M365 in the background. That background sign-in triggers the sending of the MFA code, which the user believes is the legitimate request from their own login attempt. They enter the MFA code, and it too is used by the attacker in the background. The result is that the attacker has full access to the user's M365 account to do as they wish.
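One defender-side consequence of the flow above is that the victim's own browser never reaches Microsoft; only the attacker's relay does. So the tenant's sign-in logs show an MFA-satisfied success from an address the user has never used, with no corresponding sign-in from their usual location. The script below is an added illustration of that heuristic, not part of the original post and not Microsoft's sign-in log schema: the event record, its field names and the sample data are constructed here.

```python
"""Flag MFA-satisfied M365 sign-ins that come from an IP address the user
has not signed in from during a baseline window.  Added example for the
adversary-in-the-middle flow described above; the SignIn record, its field
names and the EVENTS sample are constructed and are NOT the real sign-in
log format."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    user: str
    when: datetime
    ip: str
    status: str   # "success" or "failure"
    mfa: str      # "satisfied", "not_required" or "failed"


# Constructed sample: alice signs in from the office address for weeks, then an
# MFA-satisfied success appears from an address nobody in the tenant has used.
EVENTS = [
    SignIn("alice@example.com", datetime(2024, 5, 1, 8, 2), "203.0.113.10", "success", "satisfied"),
    SignIn("alice@example.com", datetime(2024, 5, 2, 8, 5), "203.0.113.10", "success", "not_required"),
    SignIn("alice@example.com", datetime(2024, 5, 3, 8, 1), "203.0.113.10", "success", "not_required"),
    SignIn("alice@example.com", datetime(2024, 5, 20, 14, 36), "198.51.100.77", "failure", "failed"),
    SignIn("alice@example.com", datetime(2024, 5, 20, 14, 37), "198.51.100.77", "success", "satisfied"),
    SignIn("bob@example.com", datetime(2024, 5, 20, 9, 0), "203.0.113.11", "success", "satisfied"),
]


def find_suspicious(events, baseline_days=30):
    """Return successful, MFA-satisfied sign-ins whose source IP the same user
    has not used for a successful sign-in in the preceding `baseline_days`.
    A user with no prior successes in the window has no baseline and is skipped."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)

    hits = []
    for evs in by_user.values():
        for i, e in enumerate(evs):
            if e.status != "success" or e.mfa != "satisfied":
                continue
            window_start = e.when - timedelta(days=baseline_days)
            prior_ips = {p.ip for p in evs[:i]
                         if p.status == "success" and p.when >= window_start}
            if prior_ips and e.ip not in prior_ips:
                hits.append(e)
    return hits


if __name__ == "__main__":
    for h in find_suspicious(EVENTS):
        print(f"review: {h.user} MFA-satisfied sign-in from new address {h.ip} at {h.when:%Y-%m-%d %H:%M}")
```

In the sample only alice's 14:37 sign-in is returned: it is MFA-satisfied, succeeded, and comes from an address absent from her 30-day baseline, while bob's single sign-in has no baseline to compare against and is left alone. The same test is what a "new IP for this user" rule in a SIEM would express; the window and the baseline source (here, the user's own earlier successes) are the knobs to tune against false positives from travel and home working.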
There are several giveaways in the presentation, but the most obvious is the URL in the browser address bar. This should point to login.microsoftonline.com and show the secure padlock.
This is a worrying but not unexpected escalation in phishing attacks, which are now designed to circumvent MFA.
There are several options available for user phishing training, such as Sophos Phish Threat and M365 Defender Plan 2. But ultimately, these attacks attempt to exploit users’ complacency. As long as they remain vigilant, they need never succeed.