Nothing says the bad guys are intent on stealing credentials like testing them while you participate in their phishing attack so they can verify the validity before letting you off the hook.

There are tons of stories where a fake log on to Office 365 is the punchline. But seldom do we see an attacker go the length to develop code that passes the compromised credentials over to Office 365 to check them out mid-attack.

According to the Threat Research Team at Armorblox, a new attack uses lots of well-known brands to aid in tricking users into giving up their Office 365 credentials. Using Amazon’s Simple Email Service to improve deliverability, the attack uses a payment remittance theme to get potential victims to click. A spoofed Office 365 logon page is offered up, but it’s one that passes any provided credentials to Azure Active Directory (AAD) behind the scenes, checks them and then either puts them back to the logon page (in the case of a failed logon) or over to a generic Zoom website page if validated.

The value of an Office 365 credential is pretty high for attackers; it can be used to commit brand and individual impersonation by taking over the compromised account, CEO fraud, business email compromise, infecting or scamming partner or customer organizations, and more.

Users need to be taught via Security Awareness Training to be highly suspicious of any emails that require authentication to Office 365 or any other cloud-based platform. While not all are malicious, it’s important to create an ongoing vigilance within the user so they can assist in helping make the organization more secure.