Surge in Phishing Attacks Hijacking Legitimate Microsoft Communications



A KnowBe4 Threat Lab Publication
Authors: James Dyer, Threat Intelligence Lead at KnowBe4, and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4

On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains.

KnowBe4 Defend detected activity starting on February 24th, with a peak on March 3rd, when 7,000 attacks from microsoft-noreply@microsoft.com were recorded within a 30-minute window.

To carry out this attack, threat actors set up mail routing rules that automatically forwarded legitimate Microsoft invoices to recipients, using sophisticated techniques to include their payload whilst maintaining authentication integrity (including passing DMARC).

This spike comes amid a rise in the exploitation of trusted platforms like DocuSign, PayPal, Google Drive, and Salesforce for phishing emails. Notably, by leveraging Microsoft, cybercriminals are increasing the deliverability and legitimacy of their attacks, making detection and prevention more challenging for both users and security systems.

While we observed a surge of these attacks within a 30-minute window, this was likely due to a delay in Microsoft processing the high volume of emails. However, the attack likely continued for hours on this day, affecting thousands of individuals outside our customer base. 

Quick Attack Summary: 
All attacks analyzed in this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team. 

Vector and Type: Email phishing
Techniques: Social engineering and legitimate brand hijacking
Targets: Global Microsoft Customers

In this attack, cybercriminals hijacked a legitimate Microsoft invoice and used mail flow rules to auto-forward it to thousands of recipients. By setting up their own Microsoft tenancy, the attackers ensured the emails passed authentication protocols. They then entered a fake organization name, which appeared in the body of the email, to socially engineer the victim into calling the number present in that ‘name’. Other than this, the attacks carried no other payload, and all links present are legitimate.

Attack Example: 
Below is an example of an attack detected as part of this campaign, sent from microsoft-noreply@microsoft.com. As the email was sent from a legitimate Microsoft domain, the attack passed standard authentication checks such as SPF, DKIM and DMARC, which traditional security technologies such as Microsoft 365 and secure email gateways (SEGs) rely upon.

Screenshot of a phishing attack leveraging Microsoft’s legitimate domain with KnowBe4 Defend anti-phishing banners applied

Taking a deeper look into the body of the attack, it details a subscription purchase invoice, where the attacker has genuinely purchased a Microsoft product (Defender for Office 365), complete with an order number and number of licenses. This part of the email is entirely legitimate and all links direct recipients to Microsoft.com. 

The malicious content of the email is located under "Account Information." The "account name" is actually the malicious payload. The email claims that a subscription has been successfully purchased, listing a dollar amount of $689.89 USD. This price is notably high considering the number of licenses supposedly purchased, which is likely to prompt recipients to question the order and call the provided number for a refund if they did not authorize the transaction. 

It is worth noting that normally Microsoft does not offer phone support as a contact method provided by email. Instead, they direct users to an online chat for assistance and clearly state on their website that if further escalation is needed, they will request the user’s phone number and initiate the call themselves.

If the recipient calls the phone number, our team suspects the cybercriminal would impersonate a Microsoft support representative and attempt to steal sensitive information such as bank details or credentials. Alternatively, they could use the call to track active email addresses and phone numbers. This also provides the opportunity to shift the attack from a more secure work device to a less protected mobile device.

How Have Attackers Hijacked Microsoft? 
Our Threat Labs team has investigated how the attacker has executed this sophisticated attack that exploits Microsoft’s infrastructure to successfully send phishing emails.

Firstly, the attacker has created a legitimate tenancy on Microsoft. During setup, Microsoft allows users to define their organization's name. In this case, they have named their organization “Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call [phone number] to request a refund.” 

This ensures the socially engineered payload is embedded in all outgoing emails without the attacker needing to alter the content during transit, which would break authentication. As a result, the attack bypasses traditional solutions that rely on intact authentication protocols (that ensure the email has not been tampered with mid-transit and originates from a legitimate sender). 

Next, the attacker set up mail flow rules on their tenancy to automatically forward emails received from Microsoft to a list of users.


Our Threat Labs team found that Microsoft permits up to 300 mail flow rules within an organization's tenancy, with each rule capable of forwarding to over 1,000 recipients. This is where the attacker populates its victims' email addresses.

The attacker then purchased 10 Microsoft Defender for Office 365 (Plan 2) Faculty licenses. This triggers a legitimate confirmation email from Microsoft, which is instantly forwarded to all recipients specified in the mail flow rules.

Mitigating Advanced Threats with Human Risk Management 

The combination of techniques in this attack—hijacking a legitimate domain without breaking authentication, altering mail flow rules to send mass attacks, and using social engineering to move the attack from work devices to mobile—demonstrates an extremely sophisticated approach. This highlights the lengths to which cybercriminals are willing to go to achieve their objectives. 

To effectively combat these threats, it's crucial to pair timely user education and coaching with intelligent anti-phishing solutions. While educating users on the dangers of phishing and how to spot suspicious messages is essential, advanced technological defenses, such as machine learning and AI-powered detection, play a critical role in identifying and neutralizing these threats. Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks. 

How Defend Detected the Attack
onmicrosoft.com Domain: When organizations register for Microsoft 365 services, Microsoft assigns them a default domain in the format "organization-name.onmicrosoft.com." This domain is mainly used for internal management of services and user accounts within the Microsoft 365 environment.

In this attack, the malicious emails were sent to a specific address (e.g., our-company@) across multiple Microsoft tenancies. However, instead of using the organization's public domain, the "to" addresses ended with ".onmicrosoft.com". This mismatch is a key data point that Defend can identify and flag.

Mismatch of "To" Address vs. RSec Address: The "to" address in these emails could be a shared mailbox, while the recipient ("R-to") could be a list of every person within that shared mailbox. This could also apply to distribution lists or general addresses like all@company.com. Defend was able to detect the discrepancy between these addresses and highlight it as malicious. 

Discrepancy Between "To" Address and Domain in the Body: The domain of the "to" address was inconsistent with the domain quoted in the email body.

Linguistic Anomaly
The request for the customer to call a number was atypical for Microsoft communications, raising a red flag. This unusual language was another indicator that the email was malicious.
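The four signals listed above (a ".onmicrosoft.com" recipient, a "to" address that differs from the actual envelope recipient, a body domain that does not match the "to" domain, and a call-this-number lure) can be checked mechanically. The following Python script is an added example written for this article; it is not KnowBe4 Defend's detection logic and makes no claim about how Defend implements these checks. It assumes the mail pipeline hands over the SMTP envelope recipient (the "R-to" above) separately from the parsed headers, and the two sample messages, their addresses, domains and the 555 phone number are constructed for illustration.

```python
"""Flag the four indicators described in the article for one email message."""
import re
from email import message_from_string
from email.utils import getaddresses

ONMICROSOFT_SUFFIX = ".onmicrosoft.com"
# Domains that legitimately appear in a genuine Microsoft invoice body (every real
# link in the campaign pointed at microsoft.com); subdomains are covered as well.
KNOWN_GOOD_DOMAINS = ("microsoft.com",)

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")   # deliberately loose phone pattern
CALL_RE = re.compile(r"\bcall\b")
REFUND_RE = re.compile(r"refund|authoriz")


def _addresses(msg, header):
    """Lower-cased addresses from every instance of a header (To, Cc, ...)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def _is_known_good(domain):
    return any(domain == g or domain.endswith("." + g) for g in KNOWN_GOOD_DOMAINS)


def _body_text(msg):
    """Concatenate all text/plain parts (a single-part message yields itself)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message, envelope_recipient):
    """Return the indicators, the ones that fired, and a verdict for one message.

    envelope_recipient is the SMTP RCPT TO address; this example assumes the
    mail pipeline supplies it alongside the raw message.
    """
    msg = message_from_string(raw_message)
    to_addrs = _addresses(msg, "To")
    visible = set(to_addrs) | set(_addresses(msg, "Cc"))
    body = _body_text(msg)
    body_lc = body.lower()

    to_domains = {_domain(a) for a in to_addrs}
    body_domains = {d.lower() for d in DOMAIN_RE.findall(body)}
    body_domains = {d for d in body_domains if not _is_known_good(d)}

    indicators = {
        # 1. Recipient is the tenant's default onmicrosoft.com domain, not its public one.
        "to_is_onmicrosoft": any(d.endswith(ONMICROSOFT_SUFFIX) for d in to_domains),
        # 2. The real recipient is not in To/Cc (shared mailbox, list or blind forward).
        "envelope_not_in_to": envelope_recipient.lower() not in visible,
        # 3. A non-Microsoft domain quoted in the body does not match the To domain.
        "body_domain_mismatch": bool(body_domains) and not body_domains <= to_domains,
        # 4. A phone number sitting next to a "call ... refund / authorize" lure.
        "phone_callback_lure": bool(PHONE_RE.search(body))
        and bool(CALL_RE.search(body_lc))
        and bool(REFUND_RE.search(body_lc)),
    }
    triggered = [name for name, hit in indicators.items() if hit]
    verdict = "suspicious" if len(triggered) >= 2 else "clean"
    return {"indicators": indicators, "triggered": triggered, "verdict": verdict}


# Constructed sample modelled on the campaign: tenant names and the phone number are made up.
SAMPLE_PHISH = """\
From: microsoft-noreply@microsoft.com
To: our-company@contoso-example.onmicrosoft.com
Subject: Your subscription has been purchased
Content-Type: text/plain; charset=utf-8

Thank you for your purchase. Manage it at https://www.microsoft.com/billing
Product: Microsoft Defender for Office 365 (Plan 2) Faculty, 10 licenses

Account Information
Account name: Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorize this transaction, please call +1 555 0100 to request a refund.
Tenant domain: sender-tenant-example.onmicrosoft.com
"""

# Constructed benign control: public-domain recipient, matching body domain, no phone lure.
SAMPLE_CLEAN = """\
From: microsoft-noreply@microsoft.com
To: alice@contoso-example.com
Subject: Your subscription has been purchased
Content-Type: text/plain; charset=utf-8

Thank you for your purchase. Manage it at https://www.microsoft.com/billing
Account name: Contoso Example Ltd
Tenant domain: contoso-example.com
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, analyze(sample, "alice@contoso-example.com"))
```

The verdict requires at least two indicators, because any single one (a shared mailbox, a quoted partner domain) occurs in legitimate mail; the combination is what characterised this campaign. In a real pipeline the domain and phone patterns would be tightened and the known-good list extended to whatever the sender's genuine templates reference.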


Stop Advanced Phishing Attacks with KnowBe4 Defend

KnowBe4 Defend takes a new approach to email security by addressing the gaps in M365 and Secure Email Gateways (SEGs). Defend helps you respond to threats quicker, dynamically improve security and stop advanced phishing threats. It reduces admin overhead, enhances detection and engages users to build a stronger security culture.

With KnowBe4 Defend you can:

  • Reduce risk of data breaches by detecting threats missed by M365 and SEGs
  • Free up admin resources by automating email security tasks
  • Educate users with color-coded banners to turn risks into teachable moments
  • Continuously assess and dynamically adapt security detection reducing admin overhead
  • Leverage live threat intelligence to automate training and simulations
