Critical · Active · Trending
Critical Risk: 95%

Microsoft 365 Phishing

Business email compromise and OAuth consent phishing targeting M365 tenants.

#phishing #bec #microsoft-365

Threat Overview

Microsoft 365 phishing targets organizational credentials through fake login portals, OAuth consent grants, and session cookie theft, with the goal of business email compromise (BEC) and data exfiltration.

Attack Behavior

  • Fake Microsoft login pages on typosquatted domains
  • Malicious OAuth app consent requests
  • Mailbox rule creation for persistence

Infection Methods

  • Spear-phishing to executives
  • Shared document lure emails
  • Teams and SharePoint notification abuse

Symptoms & Indicators

  • Mailbox forwarding rules you did not create
  • OAuth apps with excessive permissions
  • Impossible travel sign-in alerts

Immediate Mitigation

  • Revoke suspicious OAuth grants in Entra ID
  • Reset passwords and invalidate sessions
  • Audit mail flow rules

Removal Guidance

  • Remove malicious inbox rules
  • Review SharePoint external sharing
  • Enable conditional access policies

Prevention Methods

  • Phishing protection and safe link scanning
  • Phishing-resistant MFA
  • User awareness training

Telemetry Indicators

  • Login from anonymizing proxies
  • Consent grant to unknown app IDs
  • Auto-forward to external domains

Attackers trick users into approving malicious apps that gain persistent API access to mail, files, and contacts without ever needing to store or replay a password.
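As an added example (not code from this page or from the AntiMatter platform), the following Python triage routine applies two of the telemetry indicators listed above, auto-forwarding to an external domain and a consent grant to an unknown app ID, to constructed audit records. The record layout is a simplified assumption rather than the exact Unified Audit Log schema, and every address, domain and app ID is a placeholder.

```python
# Constructed records in a simplified shape (assumption); real Unified Audit Log entries nest more fields.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail-example.net"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com",
     "Parameters": [{"Name": "Name", "Value": "Payroll"},
                    {"Name": "MoveToFolder", "Value": "Payroll"}]},
    {"Operation": "Consent to application.", "UserId": "cfo@example.com",
     "AppId": "00000000-0000-0000-0000-00000000beef",  # placeholder, unknown app
     "Permissions": "Mail.ReadWrite offline_access Files.Read.All"},
    {"Operation": "Consent to application.", "UserId": "it@example.com",
     "AppId": "00000000-0000-0000-0000-00000000cafe",  # placeholder, approved app
     "Permissions": "User.Read"},
]

INTERNAL_DOMAINS = {"example.com"}                  # the tenant's own domains
APPROVED_APP_IDS = {"00000000-0000-0000-0000-00000000cafe"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "offline_access"}


def external_forwards(record, internal_domains=INTERNAL_DOMAINS):
    """Return rule targets outside the tenant's domains for an inbox-rule record."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    targets = []
    for param in record.get("Parameters", []):
        if param["Name"] in FORWARD_PARAMS:
            for addr in param["Value"].split(";"):   # a rule may list several targets
                addr = addr.strip().strip('"')
                if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                    targets.append(addr)
    return targets


def risky_consent(record, approved_app_ids=APPROVED_APP_IDS):
    """Return high-risk scopes granted to an app that is not on the approved list."""
    if record.get("Operation") != "Consent to application." or record.get("AppId") in approved_app_ids:
        return []
    return sorted(set(record.get("Permissions", "").split()) & HIGH_RISK_SCOPES)


def triage(records):
    """Return one finding per record that matches a BEC persistence indicator."""
    findings = []
    for rec in records:
        if fwd := external_forwards(rec):
            findings.append({"user": rec["UserId"], "indicator": "external-forward", "detail": fwd})
        if scopes := risky_consent(rec):
            findings.append({"user": rec["UserId"], "indicator": "unknown-app-consent", "detail": scopes})
    return findings
```

Running `triage(SAMPLE_RECORDS)` flags only the CFO's external forward and the CFO's consent to the unknown app; the benign move-to-folder rule and the approved app produce no findings.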

AntiMatter AV — Enterprise Cybersecurity Platform