Multiphase Attacks: One Email Ignites Chaos in Microsoft 365

A multiphase attack combines phishing with spear phishing and insider attack techniques. Difficult to detect and challenging to prevent, multiphase attacks are especially popular in Microsoft 365 due to growing popularity of the platform and the wide range of applications and data that can be breached with a compromised Microsoft 365 account.

What is a multiphase attack?

Phishing attacks were traditionally a single event: a hacker sends a PayPal phishing email to your inbox, tricks you into divulging your account login credentials on a phishing page, and then empties your PayPal account. Rinse and repeat. In a multiphase attack, this initial act of deception is just the beginning.

A multi-phase attack involves first scraping your account credentials via a phishing email and then using the credentials to send phishing or spear phishing emails from the account. For example, the hacker might first send a Microsoft 365 phishing email to compromise your Microsoft 365 account.

OneDrive phishing email
OneDrive phishing email

Then, using your Microsoft 365 account, the hacker, impersonating you, will send a phishing or spear phishing email to someone in your company. Often, spear phishing emails will target users who have the power to execute wire transfers, make purchases, or change direct deposit information. A link in a phishing email might lead to another phishing page designed to scrape additional Microsoft 365 account credentials, or it could initiate a malware or ransomware download.

 Compromised Microsoft 365 account with phishing URL
Compromised Microsoft 365 account with phishing URL

In the above scenario, the email recipient has no reason to suspect that it is not you who sent the email requesting a wire transfer. And an email security filter won’t recognize the attack because the email is sent from a legitimate Microsoft 365 account.

There are many variants on the multiphase attack. Armed with a legitimate account, the attacker can conduct phishing attacks laterally within the organization and also spear phish external business partners and vendors. In one recent case, the SEC revealed that an unnamed American corporation had been fleeced to the tune of $45,000,000 in 14 separate events linked to one multiphase attack.

The main driver of multiphase attacks

With 258 million active business users and a single point of entry into the entire suite, Microsoft 365 is a remarkably fertile environment for malicious behavior. From SharePoint, OneDrive, and Teams file repositories to email accounts, Microsoft 365 hosts a rich collection of sensitive data for businesses around the world, including contact names and email addresses, contracts, and financials.

A single successful phishing attack on a Microsoft 365 user gives a hacker access to all that data. It’s the single biggest driver of compromised Microsoft accounts and the sole reason Microsoft has been the most impersonated brand in phishing attacks in six of the last eight quarters.

How hackers get inside and evade detection from Microsoft

Microsoft 365’s native email security, Exchange Online Protection (EOP), is good at identifying known threats, including bad senders or IPs. If an attacker sent dozens of similar phishing emails to different targets, whether from inside or outside Microsoft 365, EOP would flag them and block future attacks. Therefore, to successfully compromise a Microsoft 365 account, the attacker must make each of their attacks individual and unique.

One way to get past the fingerprint scanning used by EOP and other traditional solutions is by inserting random or invisible text into the messages. Attackers also us homoglyphs, e.g., substituting the Greek letter Beta for the lower case “b” and so forth. Other techniques include:

  • Randomizing content to make each message unique
  • Using images disguised as text to bypass text-analysis filters
  • Bypassing URL domain filtering using shorteners such as bit.ly
  • Using subdomains
  • Abusing redirection mechanisms
  • Distorting images

Mitigating the multiphase attack risk

Multiphase attacks require multi-tiered defenses or the stacking up of security layers. In the same way that you might employ more than one type of firewall to improve your odds of stopping a network-based attack, it makes sense to use a layered approach to Microsoft 365 security to block multiphase attacks.

Because EOP’s fingerprint-based detection is sufficient for known threats, it’s important to maintain the benefits of that native protection while adding another layer of email security that predicts and block unknown, dynamic threats. The challenge to layering email security into Microsoft 365, however, is email architecture. Secure Email Gateways (SEG), for example, sit outside EOP. This architectural design creates a number of limitations:

  • Requires an MX record change
  • Is visible to hackers via a simple MX lookup
  • Can’t scan internal email

To continue to get the benefits from EOP, an add-on email security solution should be integrated with Microsoft 365 via API—able to scan from the inside and complement EOP rather than limit its effectiveness. The solution should also go beyond fingerprint scanning and use a more modern approach to threat detection, with a combination of heuristic rules and artificial intelligence to predict and block attacks.

As for your users, provide phishing training as mistakes arise, e.g. clicking on a phishing URL. Users are more likely to learn from contextual training based on a real event as it happens than annual training.  Finally, trust and act on what your users are reporting. Offer a feedback loop that allows users to report suspicious emails and ensure there is a closed loop with the email filter so that the engine learns from this feedback and continually improves.