Phishing campaign leverages Microsoft 365 infrastructure for attacks

Research from Guardz warns of a phishing campaign that abuses Microsoft 365 itself: the attackers run the campaign from Microsoft tenants and deliver their lures through Microsoft's own mail infrastructure, with account takeover as the end goal.
In the initial stage, the attackers leverage legitimate Microsoft domains and tenant misconfigurations in business email compromise (BEC) attacks, most likely to steal credentials and carry out account takeover (ATO).
The attackers were observed manipulating several Microsoft 365 organization tenants (both newly created and compromised), establishing administrative accounts in them, writing lure text that impersonates a Microsoft transaction notification, triggering a billing event by initiating a purchase or trial subscription, and then letting Microsoft 365's own infrastructure deliver the resulting phishing email. Because the message really does originate from Microsoft, it carries a genuine Microsoft sender and passes the domain-authentication checks that a spoofed message would fail, which is why filtering that trusts the sender does not catch it.
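The operational consequence of that chain, shown as an added example that is not code from the article or from Guardz: the lure arrives from a real Microsoft sender and SPF, DKIM and DMARC all pass, so a filter has to judge the content. The script below parses two constructed notifications (the field layout, sender address and Authentication-Results values are assumptions for illustration, not Microsoft's actual templates) and flags the one whose tenant organization field has been filled with callback-scam text, while confirming that both messages authenticate identically.

```python
"""Content-based triage of Microsoft 365 billing notifications.

Added example, not code from the article or from Guardz. The two messages
below are constructed for illustration: real Microsoft notification templates,
sender addresses and Authentication-Results headers differ. The point is that
a lure injected into tenant data and mailed by Microsoft's own billing system
authenticates exactly like a genuine notice, so the verdict has to come from
the message content, not from SPF/DKIM/DMARC.
"""
import email
import re
from email import policy

# Constructed: a genuine trial-subscription notice (assumed field layout).
BENIGN_RAW = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: finance@example.com
Subject: Your Microsoft 365 purchase confirmation
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/plain; charset=utf-8

Thank you for your purchase.
Organization: Contoso Ltd
Product: Microsoft 365 Business Standard (trial)
Amount: $0.00
"""

# Constructed: same sender and passing authentication, but the attacker has
# placed callback-scam text and a phone number in the tenant's organization
# name, which the billing system copies into the notice verbatim.
LURE_RAW = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: finance@example.com
Subject: Your Microsoft 365 purchase confirmation
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/plain; charset=utf-8

Thank you for your purchase.
Organization: Your account was charged $389.99. If you did not authorize this, call Microsoft Support immediately at +1 (800) 555-0199 to cancel.
Product: Microsoft 365 Business Standard (trial)
Amount: $0.00
"""

PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
MONEY_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)")
CALLBACK_PHRASES = ("call", "phone", "did not authorize", "unauthorized",
                    "immediately", "cancel", "refund", "support")
ORG_FIELD_RE = re.compile(r"^Organization:\s*(.+)$", re.MULTILINE)


def auth_passed(msg) -> bool:
    """All of SPF, DKIM and DMARC report pass. Both samples satisfy this,
    which is exactly why it cannot be the deciding check here."""
    results = str(msg.get("Authentication-Results") or "")
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def analyze(raw: str) -> dict:
    """Return authentication status, the organization field and the content
    indicators found; 'suspicious' is set when two or more indicators fire."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    org_match = ORG_FIELD_RE.search(body)
    org = org_match.group(1).strip() if org_match else ""
    indicators = []

    # 1. A phone number in an automated billing notice is the callback-scam tell.
    if PHONE_RE.search(body):
        indicators.append("phone_number_in_body")

    # 2. Urgency and callback vocabulary, counted so that a single stray word
    #    (e.g. "support" in a footer) does not fire on its own.
    hits = [p for p in CALLBACK_PHRASES if p in body.lower()]
    if len(hits) >= 2:
        indicators.append("callback_language:" + ",".join(hits))

    # 3. The organization name is tenant data the attacker controls. A real
    #    name is short and does not carry a phone number or full sentences.
    if len(org) > 60 or PHONE_RE.search(org):
        indicators.append("organization_field_anomaly")

    # 4. The dollar figure in the lure text contradicts the amount actually
    #    billed for the trial.
    amounts = {float(a.replace(",", "")) for a in MONEY_RE.findall(body)}
    if len(amounts) > 1:
        indicators.append("conflicting_amounts")

    return {
        "authenticated": auth_passed(msg),
        "organization": org,
        "indicators": indicators,
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_RAW), ("lure", LURE_RAW)):
        print(label, analyze(raw))
```

Run stand-alone, the script reports both messages as authenticated and only the second as suspicious. The thresholds (60-character organization field, two or more callback phrases) are illustrative starting points; in production the organization field should be compared against the tenant names your organization actually transacts with, and a hit should trigger post-delivery removal from every mailbox that received the same notice.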
Security leaders weigh in
J Stephen Kowski, Field CTO at SlashNext Email Security+:
Security teams should immediately implement multi-layered messaging protection that goes beyond traditional email security controls, as these sophisticated attacks exploit legitimate Microsoft infrastructure to bypass standard defenses. Enable advanced phishing protection that can detect tenant manipulation and organizational profile spoofing, while implementing real-time scanning technology that can identify and remediate threats even after delivery to inboxes. Don’t rely solely on native Microsoft 365 protections — deploy solutions that can analyze communication patterns, detect suspicious behavior across multiple channels, and automatically remove malicious content from all affected user inboxes.
There shouldn’t be inherent trust in any cloud service, as this mindset creates dangerous security gaps that sophisticated attackers readily exploit. Organizations must adopt zero-trust principles when using Microsoft 365, implementing continuous verification and least privilege access even for seemingly legitimate communications from trusted domains. Advanced protection solutions that analyze behavioral patterns, inspect email content for manipulation, and provide real-time threat intelligence are essential to combat attacks that leverage legitimate infrastructure to appear trustworthy.
Rom Carmel, Co-Founder and CEO at Apono:
With this attack, the caller is coming from inside the house, to use a movie metaphor. By weaponizing Microsoft 365’s own infrastructure to bypass traditional phishing defenses, this attack demonstrates that enterprises need to do more to protect themselves. With Just-in-Time (JIT) permissions, organizations can limit administrative access to only when it’s needed, reducing the risk of attackers creating rogue accounts or modifying tenant settings.
Nicole Carignan, Senior Vice President, Security & AI Strategy, and Field CISO at Darktrace:
Despite increased focus on cybersecurity awareness training and email security, organizations and their employees continue to be plagued by successful phishing attempts, including BEC. Between December 2023 and July 2024, Darktrace detected 17.8 million phishing emails across its customer fleet.
Many tools used by organizations today depend on historical attack data to identify and stop known email threats from reentering inboxes. However, this approach often fails to recognize new or unknown threats. As the sophistication of phishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks. Instead, organizations must use machine learning-powered tools that can understand how their employees interact with their inboxes and build a profile of what activity is normal for users, including their relationships, tone and sentiment, content, when and how they follow or share links, etc. Only then can they accurately recognize suspicious activity that may indicate an attack or BEC.
While email has long been the vector of choice for carrying out phishing attacks, threat actors continue to adapt and evolve their tactics to increase the success of these attacks. We know that as we innovate, so will threat actors to find new and novel ways to launch malicious campaigns. For example, we saw a rise in the abuse of commonly used services and platforms, including Microsoft Teams and Dropbox, for phishing campaigns in 2024. A proactive security stance which monitors anomalous activity patterns and privileged access paths is essential to stay ahead of these kinds of attacks. Consistent governance spanning all technology portfolios is now table stakes for cyber resilience.
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:
Cybercriminals are finding new ways to exploit trusted platforms like Microsoft 365, using compromised or newly created tenants to send phishing emails that appear legitimate. By manipulating billing notifications and moving victims to phone-based scams, attackers are bypassing traditional email security measures and making these threats harder for organizations to detect.
To counter this, organizations need a layered security approach. Enforcing multi-factor authentication (MFA) is essential for preventing account takeovers, and security teams should actively monitor for unauthorized admin changes within Microsoft 365. Employees should also be trained to recognize suspicious billing emails and avoid engaging with unverified support contacts.
Using a password manager helps prevent credential reuse, which limits the damage if an account is compromised. As phishing tactics evolve, businesses must stay ahead by combining strong authentication, security monitoring and user awareness training.