Critical · Active · Trending
Critical Risk: 95%

Microsoft 365 Phishing

Business email compromise and OAuth consent phishing targeting M365 tenants.

#phishing #bec #microsoft-365

Threat summary

Microsoft 365 phishing targets organizational credentials through fake login portals, OAuth consent grants, and session cookie theft aimed at BEC and data exfiltration.

Attack behaviour

  • Fake Microsoft login on typosquat domains
  • Malicious OAuth app consent requests
  • Mailbox rule creation for persistence

Infection methods

  • Spear-phishing to executives
  • Shared document lure emails
  • Teams and SharePoint notification abuse

Symptoms and indicators

  • Mailbox forwarding rules you did not create
  • OAuth apps with excessive permissions
  • Impossible travel sign-in alerts

Immediate mitigation

  • Revoke suspicious OAuth grants in Entra ID
  • Reset passwords and invalidate sessions
  • Audit mail flow rules

Removal guide

  • Remove malicious inbox rules
  • Review SharePoint external sharing
  • Enable conditional access policies

Prevention methods

  • Phishing protection and safe link scanning
  • Phishing-resistant MFA
  • User awareness training

Telemetry indicators

  • Login from anonymizing proxies
  • Consent grant to unknown app IDs
  • Auto-forward to external domains

Attackers trick users into approving malicious apps that gain persistent API access to mail, files, and contacts without storing passwords.

AntiMatter AV — Enterprise Cybersecurity Platform