COMMENTARY: The shift to cloud-based email has been a game changer for organizations worldwide, with Microsoft 365 (M365) emerging as a dominant platform for business communication. However, this widespread adoption has also made M365 an attractive target for cybercriminals, who now leverage the platform itself to launch highly deceptive attacks. Unlike traditional phishing schemes that rely on spoofed domains and obvious red flags, these new attacks exploit the inherent trust that employees place in legitimate Microsoft infrastructure.
Attackers find success within M365 because of the ease with which they can create their own M365 tenants. The very nature of SaaS means that setting up an M365 tenant requires little more than an email address, as Microsoft does not enforce rigorous identity verification. This lack of oversight lets attackers quickly spin up fake tenants, impersonate legitimate organizations, and send phishing emails that originate from actual Microsoft domains.

These attacks have become increasingly common – whether it’s a credential phishing attack leveraging a feature in M365 to send a fake voicemail notification, or a clever impersonation of Microsoft’s OneDrive to obtain sensitive information. Attacks exploiting Google infrastructure are on the rise as well, with Google being another highly popular (and trusted) cloud email provider for businesses.

Since these emails come from the provider’s own infrastructure, often exploiting built-in branding features like logos and organizational metadata to craft seemingly legitimate emails, traditional security measures – such as domain reputation analysis, DMARC enforcement, and anti-spoofing – are ineffective.

Furthermore, the email security training that’s been ingrained in most of us – emphasizing tactics like looking for misspellings, checking for suspicious sender domains, and avoiding clicking on unknown links – is also ineffective against this new wave of M365-based attacks. Emails sent from attacker-controlled tenants look authentic because, technically, they are. Not only do they originate from legitimate Microsoft domains, and so lack obvious indicators of compromise, but many attackers also use advanced social engineering techniques to enhance their deceptions.
For example, instead of simple link-based phishing, we’re seeing more campaigns that direct users to call fraudulent support numbers. In these cases, there are no malicious links to scan or block, making traditional security even less effective.

How organizations can defend themselves

Given the shortcomings of legacy defenses, organizations need to adopt a more sophisticated approach to email security that prioritizes behavioral analysis over static indicators of compromise.

Instead of relying on blocklists or “known-bad” domains, organizations should use security tools that analyze email behavior in real time. Advanced email security tools can build detailed user interaction profiles, assessing normal communication patterns, relationship history, and the tone of messages. Suspicious deviations from these baselines can then be automatically identified and mitigated. For instance, if a certain M365 tenant has never communicated with an organization before, the system will flag those emails for further scrutiny.

Users should also not trust an email just because it comes from a Microsoft domain. A behavioral approach to detection ensures that all incoming communications align with established behavioral patterns and relationship histories.

Additionally, organizations will need to rethink security education programs. We need to train employees to recognize behavioral anomalies, rather than just grammatical errors or suspicious links. This means refocusing training on recognizing unusual requests, verifying unknown contacts through separate communication channels, and understanding that attackers can exploit even seemingly legitimate M365 emails.

Finally, organizations may consider deploying policies that scrutinize external M365 tenants, such as requiring MFA for any sensitive interactions and closely monitoring cross-tenant communications.

Microsoft 365 has become a powerful tool for businesses, but its openness and ease of use make it an attractive vector for attackers.
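To make the behavioral idea concrete, here is a small triage routine written for this column as an added example; it is not Abnormal Security’s product or Microsoft’s code. It keeps a relationship history keyed by sending tenant and sender address, and scores an inbound message on the signals the text describes: a tenant that has never written to the organization before, a sender with no history, a callback phone number in a message that carries no links at all, and urgency language. The sending tenant is read from the X-MS-Exchange-CrossTenant-Id header that Exchange Online stamps on mail; the two messages, the tenant GUIDs and the phone numbers are constructed sample data, and the weights and review threshold are assumptions a real deployment would tune.

```python
"""Behavioral triage of inbound Microsoft 365 mail (added illustration).

Flags first-contact tenants and callback-number lures instead of relying on
sender domain reputation, which is useless when the mail really does come
from Microsoft infrastructure.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Header Exchange Online adds with the sending tenant's GUID. The sample
# messages below are constructed, so its presence here is an assumption.
TENANT_HEADER = "X-MS-Exchange-CrossTenant-Id"

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
URGENCY_WORDS = ("immediately", "suspended", "urgent", "within 24 hours")
REVIEW_THRESHOLD = 3  # assumed; tune against your own mail volume

# Constructed sample mail: a fictional partner the organization talks to daily.
KNOWN_PARTNER_MAIL = """From: "Dana Reyes" <dana.reyes@fabrikam.example>
To: finance@example.com
Subject: Q3 invoice
X-MS-Exchange-CrossTenant-Id: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

Hi team, attached is the Q3 invoice as discussed. Thanks, Dana
"""

# Constructed sample mail: a never-seen tenant pushing a callback number.
NEW_TENANT_MAIL = """From: "Microsoft 365 Billing" <billing@contoso-support.onmicrosoft.example>
To: finance@example.com
Subject: Action required: subscription suspended
X-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555

Your Microsoft 365 subscription has been suspended.
Call 1-800-555-0199 immediately to restore service.
"""


@dataclass
class RelationshipHistory:
    """Counts of prior benign mail, keyed by sending tenant and by sender."""
    tenants: dict = field(default_factory=dict)
    senders: dict = field(default_factory=dict)

    def record_benign(self, raw: str) -> None:
        """Learn a message the organization has already vetted as normal."""
        msg = message_from_string(raw)
        tenant = msg.get(TENANT_HEADER, "").strip().lower()
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if tenant:
            self.tenants[tenant] = self.tenants.get(tenant, 0) + 1
        if sender:
            self.senders[sender] = self.senders.get(sender, 0) + 1


@dataclass
class Verdict:
    flags: list
    score: int

    @property
    def needs_review(self) -> bool:
        return self.score >= REVIEW_THRESHOLD


def triage(raw: str, history: RelationshipHistory) -> Verdict:
    """Score one inbound message against the relationship baseline."""
    msg = message_from_string(raw)
    tenant = msg.get(TENANT_HEADER, "").strip().lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    flags, score = [], 0
    if tenant and tenant not in history.tenants:
        flags.append("first_contact_tenant")
        score += 2
    if sender not in history.senders:
        flags.append("first_contact_sender")
        score += 1
    # Callback lure: a phone number with no link for a URL scanner to catch.
    if PHONE_RE.search(body) and not URL_RE.search(body):
        flags.append("callback_number_no_links")
        score += 2
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgency_language")
        score += 1
    return Verdict(flags, score)


if __name__ == "__main__":
    history = RelationshipHistory()
    history.record_benign(KNOWN_PARTNER_MAIL)
    for name, mail in (("partner", KNOWN_PARTNER_MAIL), ("new tenant", NEW_TENANT_MAIL)):
        verdict = triage(mail, history)
        print(f"{name}: score={verdict.score} review={verdict.needs_review} flags={verdict.flags}")
```

The partner message scores zero because both its tenant and its sender are in the baseline, while the constructed billing lure is held for review on four independent signals even though nothing about its sending domain is spoofed. A production version would persist the history per recipient and decay stale relationships, but the point stands: the decision rests on who has written before and what the message asks for, not on whether the domain looks like Microsoft.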
By shifting their mindset from relying on outdated indicators to embracing behavioral-based detection and zero-trust, while reinforcing user awareness with modern threat education, organizations can stay ahead of these sophisticated attacks and protect their email from compromise.

Mike Britton, chief information officer, Abnormal Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.