
Microsoft 365 Phishing Attack Reveals New Spoofing Technique

Microsoft 365 has lately been the focus of a new wave of phishing attacks, showing an alarming rise in cybercriminal activities. Attackers are using trusted cloud services to bypass email security measures, sending malicious emails straight to unaware victims.

Based on information received by Vade’s Threat Intelligence and Response Centre (TIRC), the offending email contains a harmful HTML attachment that embeds JavaScript code.

The code is carefully designed: its main purpose is to obtain the recipient’s email credentials while quietly changing the homepage. It does this by using information taken from a variable connected to a callback function and data collected from another variable.

Malicious JavaScript code using a callback function (VadeSecure)

While researching a malicious domain, investigators decoded a base64-encoded string, uncovering information related to Microsoft 365 phishing attacks.

The HTML file attached to the email closely resembles the source code found through routine checks of periodic-checker[.]glitch[.]me. This reveals that attackers are using glitch[.]me to host malicious HTML pages.
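The following Python example is added here for illustration and is not code from Vade or from the original article. It statically triages an HTML attachment of the kind described above: it collects inline script text, decodes base64-looking strings, and reports hosts that only become visible after decoding. The sample attachment, the placeholder host and all function names are constructed for this example, and the watched-suffix list is an assumption containing only the hosting service the article names.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

WATCHED_SUFFIXES = ("glitch.me",)  # assumption: the only hosting suffix the article names
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

class InlineScripts(HTMLParser):
    """Collects the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def decoded_strings(text):
    """Yield printable UTF-8 strings recovered from base64-looking runs."""
    for run in B64_RUN.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            value = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or binary data rather than text
        if value.isprintable():
            yield value

def hosts_in(text):
    return {h.lower().rstrip(".") for h in HOST.findall(text)}  # hostnames of http(s) URLs

def triage(html):
    """Summarise hosts an HTML attachment's scripts reference, plain or encoded."""
    parser = InlineScripts()
    parser.feed(html)
    script = "\n".join(parser.chunks)
    plain = hosts_in(script)
    hidden = set().union(*map(hosts_in, decoded_strings(script))) - plain
    watched = {h for h in plain | hidden
               if any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)}
    return {"plain": sorted(plain), "hidden": sorted(hidden), "watched": sorted(watched)}

# Constructed sample: harmless markup with a placeholder host, shaped like the attachment above.
ENCODED = base64.b64encode(b"https://placeholder-project.glitch.me/collect").decode()
SAMPLE = f'<html><body><script>var target = atob("{ENCODED}");</script></body></html>'
```

Calling `triage(SAMPLE)` lists the placeholder host under both `hidden` and `watched`, because the URL exists in the script only in encoded form.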

Phishing attack on Microsoft 365 using HTML Attachment

A malicious HTML file is attached to an email that the unaware victim receives, starting the attack. Without knowing it, the victim is redirected to a fake Microsoft 365 page on their web browser after opening this file. They are lured in to provide their login information on the deceptive website. Once this is completed, the attackers quickly gather this data for malicious use.

Microsoft 365 Fake Landing Page (VadeSecure)

The infamous “eevilcorp” domain directs users to an authentication page for the HawkEye programme. It is important to remember that security experts, including Talos, thoroughly assessed the original HawkEye keylogger and classified it as a malware kit that first appeared in 2013.

Logging into a Microsoft 365 portal is a common occurrence that doesn’t usually raise any suspicions. Unfortunately, when users log into these fake login portals, the malicious credential-stealing software stealthily sends the collected data to the real login site in the background. Without the victims ever realising they have been scammed, the attackers can successfully log in using this trick.

According to Egress’s 2022 research titled “Fighting Phishing: The IT Leader’s Perspective”, 85% of organisations that used Microsoft 365 in the previous 12 months were victims of phishing.

Furthermore, 40% of the organisations in this category were victims of credential theft. These findings show the major challenges that organisations deal with in tackling phishing attacks and protecting their login information.


A comprehensive understanding is essential for CISOs responsible for ensuring the secure adoption and use of Microsoft 365. They must carefully assess the risks that their organisation could face in order to balance the security layers across people, technology resources, and processes.

Understanding Microsoft 365’s limitations is important, as is avoiding the use of a generalised approach to security. Finding the solutions that will naturally fit into your company environment and help you manage and reduce risks requires having a comprehensive, well-rounded understanding of the potential threats.

Users are strongly advised to develop an awareness of this threat type and to avoid trying to read or unlock unexpected messages from external sources. Experts advise using Multi-Factor Authentication (MFA) to increase the security of Microsoft 365 accounts. Even though MFA does not provide a 100% assurance against breaches, it significantly increases the difficulty for potential attackers looking to compromise their target’s endpoints. MFA is regarded as standard practice in the security industry.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. Phishing Tackle provides Microsoft 365-themed landing pages to help users learn to detect fake sign-in pages.
