Phishing's New Tactics: Abusing Legitimate Microsoft Workflows

Evolving Phishing Techniques

• 💡 Threat actors are increasingly using legitimate, trusted Microsoft workflows to make phishing campaigns more convincing.
• 🎯 This shift involves weaponizing built-in cloud services rather than relying on obviously malicious infrastructure.

Device Code Authorization for Account Takeover

• 🚀 Attackers leverage the Microsoft OAuth device authentication flow to compromise accounts.
• 🔑 Victims are socially engineered into completing a real Microsoft login, granting attackers valid access tokens without sharing passwords.
• ⚠️ Lures often use business-relevant themes like salary bonuses or employee benefits, sometimes involving QR codes.
• 📈 Tools like SquishFish 2 have made this technique scalable and automated, lowering the entry barrier for criminals.

Abusing Microsoft 365 Direct Send

• 📧 This feature allows threat actors to send phishing emails that appear to originate from within an organization.
• 🏠 It's a legitimate Microsoft 365 feature for devices and apps to relay messages without authentication, useful for printers and legacy apps.
• 🎣 Attackers misuse it to deliver unauthenticated messages that look like internal communications, often with QR codes or links related to tasks, priorities, or raises.
• ⚠️ The primary goal is credential harvesting and account takeover, though malware delivery is also possible.

Defense Strategies

• 🛡️ Organizations can defend against device code phishing by blocking device code phishing if possible or using conditional access policies.
• 🔒 For Direct Send, disabling the feature or using mail flow rules to block email from unauthenticated relay IPs is recommended.
• 📣 User training is crucial, emphasizing awareness of new techniques and the importance of verifying unsolicited emails through other channels.
• 🔍 Threat intelligence is vital to stay ahead of emerging phishing kits and tactics.