{"id":16122,"date":"2024-10-28T09:49:05","date_gmt":"2024-10-28T13:49:05","guid":{"rendered":"https:\/\/gtm.com\/business\/?p=16122"},"modified":"2024-10-28T09:49:05","modified_gmt":"2024-10-28T13:49:05","slug":"microsoft-domains-phishing-attacks","status":"publish","type":"post","link":"https:\/\/gtm.com\/business\/microsoft-domains-phishing-attacks\/","title":{"rendered":"Beware of Microsoft Domains in Phishing Attacks"},"content":{"rendered":"

\"microsoft<\/em><\/p>\n

Our HCM partner, isolved<\/a>, recently published a case study involving a phishing attack using Microsoft domain names. Employers and employees should be aware of using Microsoft domains in these cyber threats and follow the advice below to prevent an attack on your company’s data.<\/em><\/p>\n

This month, isolved\u2019s Cybersecurity team is highlighting the uptick in the malicious use of Microsoft domains. These phishing attacks are difficult to detect because they appear to come from Microsoft. We will discuss a real case that appeared at isolved and intelligence from our Managed Security Service Provider (MSSP) involving \u201cattacker-in-the-middle\u201d techniques to capture credentials.<\/p>\n

Real Case: Your Microsoft Order On\u2026<\/h2>\n

On a steamy September morning, Fred (name disguised) contacted a member of isolved\u2019s cybersecurity team to report an unusual Microsoft email. He did not order any Microsoft products and questioned receiving such a notification.<\/p>\n

The email appears to be from the legitimate microsoft.com email (microsoft-noreply@microsoft.com). This is just the displayed address or the \u201cheader\u201d address. The actual \u201cenvelope\u201d address was from vt@dur*****shop.onmicrosoft.com (disguised bad actor\u2019s address). Anyone, including hackers, can use these onmicrosoft.com emails. They often make it through email security systems because they are legitimate Microsoft email addresses.<\/p>\n

Fred also noticed a few important points in the body of the phishing email:<\/p>\n

    \n
  1. He never ordered Global Microsoft 365 Business Premium and immediately suspected the email to be fake.<\/li>\n
  2. Fred\u2019s eye went to the lowercase \u201cca,\u201d he knew a true professional Microsoft email would capitalize the state abbreviation in an address.<\/li>\n
  3. The address was not a physical isolved address at all.<\/li>\n
  4. There was no PO #. The random string of numbers for the order ID looked bizarre.<\/li>\n<\/ol>\n

    Microsoft PowerApps Portal Domain Used for AiTM (Attacker-in-the-Middle) Attacks<\/h2>\n

    isolved\u2019s Managed Security Service Provider highlighted the use of powerappsportals[.]com in \u201cattacker-in-the-middle” attacks to deal users\u2019 MFA codes.<\/p>\n

    How does the attacker succeed?<\/h3>\n
      \n
    1. The hacker sends the user a phishing email with an attachment.<\/li>\n
    2. This attachment contains the URL (powerappsportal) that leads the victim to the fake Microsoft login.<\/li>\n
    3. Certificate avoids detection because it is confirmed as legitimate.<\/li>\n
    4. Victim enters username and password.<\/li>\n
    5. Hacker intercepts MFA.<\/li>\n
    6. The hacker now has all credentials harvested.<\/li>\n<\/ol>\n

      Recommended Actions<\/h2>\n