Light Dark
May 20, 2020 By David Bisson 2 min read

Microsoft discovered numerous phishing campaigns in which malicious actors attempted to spoof its new Azure AD sign-in page.

Microsoft Security Intelligence said that the spoofing attempts against its new Azure AD sign-in page first appeared in its Office 365 Advanced Threat Protection (ATP) data on May 14. In one of the operations disclosed by Microsoft that same day, malicious actors sent out attack emails with the subject line, “Business Document Received.” The messages attempted to trick recipients into clicking on what appeared to be a OneDrive document. In reality, the attachment was a PDF document that redirected recipients to a phishing site designed to look like Microsoft’s newly redesigned sign-in page.

Leveraging dozens of phishing sites, the campaign described above and others like it arrived approximately three months after the tech giant announced an update to its sign-in page. That change boiled down to visual user interface (UI) modification of the page’s background image so that the sign-in process would consume less bandwidth and load pages more quickly, as Microsoft explained at the time.

A Sign of Phishers’ Desire to Continually Adapt

The Azure AD spoofing campaigns described above represent just the latest attempt by phishers to adapt to changing times. Most commonly, this takes the form of digital fraudsters capitalizing on well-publicized disasters. Such was the case in 2010 when Forcepoint reported on scams surrounding an earthquake in Haiti. The same was true in October 2018 when Proofpoint uncovered phishing schemes leveraging Hurricane Michael as a lure. It’s therefore fitting that malicious actors are ramping up spam activity right now, as IBM Security revealed in a joint study with Morning Consult.

Defend Against Spoofed Azure AD Phishing Attacks

Security professionals can help their organizations defend against adaptive phishing attacks by building a robust security awareness training program. This type of initiative can help keep the workforce educated with regard to evolving phishing attacks and techniques. Additionally, infosec personnel should seek to balance these human controls with technical controls such as network segmentation and the implementation of a least privilege model.

 |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature