
Microsoft 365 users are currently at risk from a sophisticated and stealthy wave of cyberattacks that exploit the inherent trust placed in official Microsoft notifications and communications. These threat campaigns cleverly leverage Microsoft’s own infrastructure, such as authenticated Microsoft 365 email flows and collaboration tools like Teams, to bypass traditional security defenses and launch business email compromise (BEC) and phishing attacks.
How the Attack Operates
The attackers are exploiting the trust embedded in genuine Microsoft 365 notifications by sending malicious emails and notifications that pass standard email authentication protocols including SPF, DKIM, and DMARC. This ensures that, despite carrying malicious payloads, these communications are viewed as authentic by many security filters.
One prevalent tactic involves the use of mailflow rules within Microsoft 365 tenancies. Attackers create or abuse existing mailflow rules to automatically forward what appear to be legitimate Microsoft billing or subscription invoices to thousands of recipients. These emails include legitimate elements formatted to look like valid Microsoft Defender or Office 365 invoices but embed malicious social engineering traps. For example, a suspiciously high subscription cost is used to provoke concern, prompting recipients to call a phone number controlled by attackers instead of using official Microsoft support channels. This induces recipients to divulge sensitive information or grant remote access under false pretenses.
Moreover, attackers have taken advantage of Microsoft Teams' default configuration that permits external users to initiate chats or calls. Cybercriminal groups impersonate IT support or help desk personnel via Teams to socially engineer victims into granting remote assistance access or downloading malicious software disguised as legitimate updates. This blend of email bombing with overwhelming fake notifications and sophisticated social engineering through Teams calls amplifies the likelihood of successful intrusions.
Threat Actor Techniques and Malware
Two threat groups, tracked as STAC5143 and STAC5777, have combined advanced malware deployment with this social engineering. STAC5143 is noted for using obfuscated Python and Java malware with encrypted command-and-control channels, whereas STAC5777 has employed dynamic-link library (DLL) side-loading and Windows lateral movement techniques such as WinRM and RDP, culminating in ransomware attempts such as Black Basta deployment.
Additionally, a highly insidious device code phishing technique has emerged, employed by the group Storm-2372. Instead of traditional password phishing, attackers send fake device code invitations through messaging platforms like WhatsApp and Microsoft Teams. When victims enter these codes on genuine Microsoft sign-in pages, attackers steal authentication tokens, bypassing passwords entirely and gaining persistent access to emails and cloud resources. This attack exploits Microsoft Authentication Broker’s client ID to register attacker-controlled devices in Microsoft Entra ID, creating stealthy, long-lasting backdoors.
Implications for Microsoft 365 and Windows Users
These attacks expose critical gaps in Microsoft 365 and in the security assumptions organizations make about the Microsoft ecosystem. Because the malicious emails pass stringent email authentication and originate from valid Microsoft domains, they evade many traditional security controls. Combined with social engineering tactics and the abuse of collaboration and remote assistance tools, this forces IT teams to rethink their defensive posture.
Defensive Measures and Recommendations
To mitigate these sophisticated threats, organizations and users should adopt a multi-layered security approach:
- Restrict External Communications in Teams: Configure Microsoft Teams to disable or tightly control external user invitations and calls to prevent unauthorized access attempts.
- Multi-Factor Authentication (MFA): Enforce MFA universally across all Microsoft 365 logins to prevent token misuse and credential-based account takeovers.
- Monitor and Audit Mailflow Rules: Regularly review mailflow rule configurations in Microsoft 365 to identify and eliminate unauthorized or suspicious forwarding rules.
- Enhanced Employee Training: Educate employees about the tactics used in these attacks, emphasizing vigilance against unsolicited phone calls, suspicious invoices, and unexpected device code authentication requests.
- Use Advanced Threat Detection: Deploy machine learning and heuristic-based security tools to detect anomalous email patterns, token misuse, and lateral movement within networks.
- Limit Device Code Authentication: Disable or restrict device code authentication flows unless explicitly required; use conditional access policies in Microsoft Entra ID to limit device and network access.
- Patch and Update Systems: Ensure all Microsoft 365 applications and Windows systems are current with security patches to reduce vulnerabilities.
- Verify Support Channels: Instruct users to confirm Microsoft support channels independently, as legitimate Microsoft technical support rarely makes unsolicited phone calls.
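The mailflow rule audit recommended above can be scripted. The following is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module, an Exchange administrator role, and that Connect-ExchangeOnline has already been run. It lists every mail flow (transport) rule whose actions copy or redirect messages to an address outside the tenant's accepted domains.

```powershell
# Added example (not from the article): audit Exchange Online mail flow rules
# for actions that copy or redirect mail to addresses outside the tenant.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator
# role; run Connect-ExchangeOnline before executing.

# Domains the tenant owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName |
    ForEach-Object { $_.ToLowerInvariant() }

function Test-ExternalAddress {
    param([string]$Address)
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return ($internalDomains -notcontains $domain)
}

$findings = foreach ($rule in Get-TransportRule) {
    # Rule actions that deliver the message somewhere other than its recipient.
    $targets = @($rule.RedirectMessageTo) + @($rule.BlindCopyTo) +
               @($rule.CopyTo) + @($rule.AddToRecipients) |
               ForEach-Object { "$_" } | Where-Object { $_ -match '@' }

    $external = @($targets | Where-Object { Test-ExternalAddress $_ })
    if ($external.Count -gt 0) {
        [pscustomobject]@{
            Rule        = $rule.Name
            State       = $rule.State
            Priority    = $rule.Priority
            ExternalTo  = ($external -join '; ')
            WhenChanged = $rule.WhenChanged
        }
    }
}

if ($findings) {
    # Most recently modified rules first: a fresh rule is the usual sign of abuse.
    $findings | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
} else {
    Write-Host 'No mail flow rules copy or redirect to external recipients.'
}
```

Per-mailbox forwarding set through inbox rules is a separate surface; Get-InboxRule (ForwardTo, ForwardAsAttachmentTo, RedirectTo) covers it and can be checked the same way.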
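The device code restriction recommended above maps to a Conditional Access policy with the "authentication flows" condition. The following is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph.Authentication module, a Conditional Access administrator role, and a placeholder object ID for an emergency-access account that should stay excluded. The policy is created in report-only mode so sign-in logs reveal any legitimate device code usage before enforcement.

```powershell
# Added example (not from the article): create a Microsoft Entra Conditional
# Access policy that blocks the device code authentication flow tenant-wide.
# Assumes the Microsoft.Graph.Authentication module and a Conditional Access
# Administrator role. Starts in report-only mode; switch state to 'enabled'
# once sign-in logs show no legitimate dependence on device code flow.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policy = @{
    displayName = 'Block device code authentication flow'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Placeholder: object ID of the emergency-access (break-glass) account.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications        = @{ includeApplications = @('All') }
        # Conditional Access "authentication flows" condition.
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# Post the raw JSON body so the authenticationFlows condition is sent as written.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

$created | Select-Object id, displayName, state
```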
Broader Industry Impact
This wave of attacks is part of a larger trend of abusing trusted platforms to subvert users’ confidence in digital communications. Similar exploitation attempts have been reported against other platforms like DocuSign, Google Drive, and Salesforce, underscoring the universal challenge of defending against social engineering combined with technical sophistication.
Conclusion
The current attack waves exploiting Microsoft 365 demonstrate that even trusted, well-established platforms are not immune from deception. The combination of legitimate email authentication, mailflow rule abuse, device code phishing, and collaboration tool exploitation creates a complex threat environment requiring vigilant, adaptive defenses. Organizations integrating Microsoft 365 with Windows environments must prioritize layered security strategies, continuous monitoring, and comprehensive user education to safeguard their digital assets in this evolving cybersecurity landscape.
For detailed threat intelligence and mitigation guidelines, cybersecurity teams should consult resources from Microsoft and cybersecurity firms like Sophos and KnowBe4, which have provided extensive analyses and indicators of compromise related to these attacks.