Threat actors are orchestrating highly targeted phishing campaigns that exploit Microsoft 365’s own trusted infrastructure to bypass traditional email security tools. Leveraging legitimate Exchange Online IPs and services like SharePoint, OneDrive, and Office 365-branded login portals, these campaigns are particularly effective at evading detection and deceiving end-users.
Key Tactics Observed Across Campaigns
Abuse of Microsoft IP Space
Attackers are sending phishing emails directly from compromised or attacker-owned Microsoft 365 tenants, making the emails appear legitimate to email security gateways and email filters. Since these emails originate from Microsoft’s IP ranges and pass SPF, DKIM, and DMARC, they’re often automatically trusted.
Use of Microsoft Services in Payload Delivery
Phishing emails frequently include links to:
- SharePoint-hosted documents with embedded phishing links
- OneDrive URLs leading to weaponized files or credential-harvesting sites
- Office 365 login pages that look pixel-perfect but harvest credentials
These links are hosted on Microsoft domains, which makes them especially hard to detect and block. URLs such as 1drv.ms, sharepoint.com, and *.onmicrosoft.com are widely seen in these campaigns.
Targeting and Credential Theft
The campaigns are increasingly targeting high-value users—like executives, financial officers, and IT administrators. Once credentials are harvested, attackers often:
- Pivot within the organization
- Launch internal phishing using trusted email threads
- Access sensitive data or set up OAuth apps for persistent access
Campaign Variants Identified
- “Fax” or “Voicemail” notifications leading to credential harvesting pages
- “Encrypted document” or “shared invoice” baits, hosted on SharePoint
- OAuth abuse where victims grant permissions to malicious apps that maintain access without re-authentication
Why This Works So Well
- Microsoft infrastructure is trusted by default in many organizations
- Authentication headers are valid (SPF, DKIM, DMARC all green)
- URL scanning often skips known-good domains
- Users are trained to trust Microsoft-branded emails
What Organizations Should Do
Harden Microsoft 365
- Enable Safe Links and Safe Attachments
- Use Mail Flow (Transport) Rules to flag external use of Microsoft domains
- Configure Defender for Office 365 with aggressive anti-phishing and impersonation policies
Educate End Users
- Provide real-world examples of SharePoint/OneDrive abuse
- Train users to treat “legitimate-looking” Microsoft prompts with caution
- Highlight red flags like unexpected MFA requests or login prompts after clicking shared files
Monitor for Suspicious OAuth Activity
- Review App registrations and third-party app consent
- Enable consent governance policies and block risky app behaviors
Leverage Threat Intelligence & Hunting
- Monitor Microsoft logs for anomalous login patterns
- Watch for emails with links to sharepoint.com, onmicrosoft.com, or 1drv.ms
- Utilize advanced hunting queries in Defender or Sentinel
These attacks demonstrate that relying solely on default trust settings is no longer a viable security strategy. Organizations must fundamentally shift their mindset, treating even familiar Microsoft services with a degree of skepticism. A proactive approach, combining technical controls with user awareness, is essential to effectively defend against these sophisticated and rapidly evolving phishing tactics.
