
Microsoft 365 users targeted in new phishing attack

What happened

A new phishing campaign is abusing Microsoft 365 infrastructure to take over user accounts. Attackers place phishing lures directly inside legitimate, Microsoft-sent emails, so the messages carry Microsoft's own sender reputation and authentication, making the attack much harder for conventional email security controls to detect.

 

What was said

Ron Lev, a security researcher at Guardz Research, explained how attackers are refining their method, stating, “Unlike traditional phishing, which relies on lookalike domains or email spoofing, this method operates entirely within Microsoft’s ecosystem, bypassing security measures and user skepticism by leveraging native Microsoft 365 infrastructure to deliver phishing lures that appear authentic and blend in seamlessly.”

Dor Eisner, CEO of Guardz, warned that this attack is especially dangerous because it relies on Microsoft’s native infrastructure. “By exploiting the inherent trust in Microsoft’s cloud services, this phishing campaign is significantly more challenging for security teams to detect and mitigate,” Eisner said.

 

How the attack works

According to security researchers at Guardz Research, hackers use the following attack strategy:

  • Infrastructure acquisition: Threat actors gain control of multiple Microsoft 365 organization tenants, either by registering new ones or by compromising existing ones. These tenants are then used to manipulate trust mechanisms within the Microsoft 365 ecosystem.
  • Technical configuration: Threat actors create administrative accounts under the .onmicrosoft.com domain, leaving default settings in place so the tenants look unremarkable. They also set up mail forwarding and other tactics for evading anti-phishing controls.
  • Deception preparation: The attackers set a second tenant’s organization name to text that mimics a legitimate Microsoft notification. Because Microsoft inserts the tenant-supplied organization name into its own notification emails, this lets them inject phishing lures that read as trusted Microsoft communications.
  • Attack execution: Hackers initiate a trial subscription from the first tenant to trigger genuine Microsoft billing emails. These emails really are sent by Microsoft, so they pass SPF, DKIM, DMARC and other anti-spoofing checks, yet they carry the manipulated organization name and phishing links.
  • Victim engagement: The phishing emails include fake support contact numbers and urgent notifications, tricking victims into handing over credentials or calling fraudulent support lines.
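The practical consequence of the steps above is that sender authentication alone cannot classify these messages: the mail is genuinely from Microsoft, so DMARC passes, and the only signal is the tenant-controlled text that Microsoft's template embeds. The following Python script is an added illustration of that triage logic; it is not code from Guardz Research or Microsoft. The three sample messages, the Microsoft sender domains, the notification wording and the scoring thresholds are all constructed assumptions, not captured campaign artifacts.

```python
"""Triage Microsoft 365 notification mail for tenant-injected lures.

Added example. The samples below are constructed; the sender domains,
template wording and thresholds are assumptions, not observed values.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed domains for genuine Microsoft service notifications.
MICROSOFT_SENDER_DOMAINS = ("microsoft.com", "microsoftonline.com")

# A loose phone-number pattern: optional +, then 9+ digit/space/punct chars.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
# Vocabulary typical of "call support now" lures.
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|unauthori[sz]ed|cancel|suspend|fraud|call)\b", re.I
)

# Constructed sample 1: an ordinary trial notice, organization name "Contoso Ltd".
BENIGN = """From: Microsoft <microsoft-noreply@microsoft.com>
To: user@example.org
Subject: Your Microsoft 365 trial has started
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/plain

Thanks for starting a trial with Contoso Ltd.
Sign in to the admin center to manage your subscription.
"""

# Constructed sample 2: same genuine template, but the attacker tenant's
# organization name carries the lure. Authentication still passes.
LURE = """From: Microsoft <microsoft-noreply@microsoft.com>
To: user@example.org
Subject: Your Microsoft 365 trial has started
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Content-Type: text/plain

Thanks for starting a trial with URGENT: Unauthorized purchase detected. Call Microsoft Support now at +1 (800) 555-0199 to cancel.
Sign in to the admin center to manage your subscription.
"""

# Constructed sample 3: a classic spoof with the same lure text. DMARC fails,
# so conventional sender authentication already catches this one.
SPOOF = """From: Microsoft <billing@micros0ft-support.example>
To: user@example.org
Subject: Your Microsoft 365 trial has started
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=micros0ft-support.example; dkim=none; dmarc=fail header.from=microsoft.com
Content-Type: text/plain

URGENT: Unauthorized purchase detected. Call Microsoft Support now at +1 (800) 555-0199 to cancel.
"""


def sender_domain(msg) -> str:
    """Domain of the RFC 5322 From address, lower-cased."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_passed(msg) -> bool:
    """True if any Authentication-Results header reports dmarc=pass."""
    return any("dmarc=pass" in str(h).lower()
               for h in msg.get_all("Authentication-Results", []))


def body_text(msg) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part else ""


def triage(raw: str) -> dict:
    """Classify a raw message: auth_failed, suspect_lure, or clean."""
    msg = message_from_string(raw, policy=policy.default)
    authentic = sender_domain(msg) in MICROSOFT_SENDER_DOMAINS and dmarc_passed(msg)
    body = body_text(msg)
    phones = PHONE_RE.findall(body)
    urgency_hits = len(URGENCY_RE.findall(body))

    if not authentic:
        verdict = "auth_failed"          # existing DMARC policy handles this
    elif phones and urgency_hits >= 2:
        verdict = "suspect_lure"         # genuine sender, tenant-injected content
    else:
        verdict = "clean"
    return {"authentic_sender": authentic, "phones": phones,
            "urgency_hits": urgency_hits, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("lure", LURE), ("spoof", SPOOF)):
        print(name, triage(raw))
```

The contrast between the second and third samples is the point: the spoof fails authentication and can be rejected by DMARC policy, while the lure carries identical text, passes every authentication check, and is only caught by inspecting the body for a phone number plus urgency vocabulary. In a real deployment the thresholds and word list would be tuned against the organisation's own notification traffic to keep false positives down.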

 

Why it matters

According to Paubox’s 2025 Healthcare Email Security Report, 43.3% of email-related breaches involved Microsoft 365. That share reflects both how widely the platform is deployed and how attractive it has become to cybercriminals, who exploit its infrastructure to carry out attacks.

Because these phishing emails originate from legitimate Microsoft services, they pass sender-authentication and reputation filters, placing Microsoft 365 users, especially businesses and enterprises, at higher risk of credential theft, financial fraud, and business email compromise (BEC) attacks.

Learn more: HIPAA Compliant Email: The Definitive Guide (2025 Update)

 

FAQs

Who needs to comply with HIPAA?

HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle protected health information (PHI).

 

Does HIPAA apply to phishing attacks in healthcare?

Yes, phishing attacks in healthcare fall under Health Insurance Portability and Accountability Act (HIPAA) regulations. Phishing attacks compromise the privacy and security of PHI and can lead to severe penalties, including fines and reputational damage.

 

Can DMARC help healthcare organizations prevent email-based breaches of patient information?

Yes, DMARC can help healthcare organizations prevent email-based breaches of patient information by verifying that a message was actually sent by the domain it claims to come from, rejecting or quarantining unauthorized mail, and reducing the risk of domain spoofing and the phishing attacks that depend on it. Its limit is that it only checks the sender: a message that genuinely originates from a trusted provider’s infrastructure, as in the Microsoft 365 campaign described above, passes DMARC, so it must be caught by content inspection and user awareness rather than by authentication alone.