
An ongoing phishing operation that stole an estimated 400,000 OWA and Office 365 credentials since December has now expanded to abuse new legitimate services to bypass secure email gateways.
The attacks are part of multiple phishing campaigns collectively dubbed the "Compact" Campaign, active since early 2020 and first detected by the WMC Global Threat Intelligence Team.
The threat actors also use compromised accounts for the SendGrid and MailGun email delivery services, taking advantage of secure email gateway allow lists that include these services as trusted domains.
This allows the phishing messages to bypass the gateways and land in the targets' inboxes, luring them into clicking on embedded hyperlinks that redirect them to phishing landing pages designed to impersonate Microsoft login pages.
The phishing operation continues to expand as it now also abuses Amazon Simple Email Service and the Appspot cloud computing platform (used to develop and host web apps in Google-managed data centers) to deliver phishing emails and generate multiple phishing URLs for each target.
"Because this campaign uses compromised email marketing accounts, we strongly recommend orgs to review mail flow rules for broad exceptions that may be letting phishing emails through," Microsoft advised.
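
The review Microsoft recommends can be sketched as a small audit over exported mail-flow rules. This is an added example, not code from Microsoft or the article: the rule schema (`name`, `action`, `sender_domains`, `extra_conditions`) and the sample rules are hypothetical, and the domain list holds the sending domains commonly associated with the delivery services named above.

```python
# Added example (not from the article): flag mail-flow rules that skip filtering
# for a whole shared email-delivery domain. The rule schema is hypothetical.

# Sending domains of the services named in the article; every customer of a
# service shares them, so trusting the domain trusts compromised accounts too.
SHARED_ESP_DOMAINS = ("sendgrid.net", "mailgun.org", "amazonses.com")
BYPASS_ACTIONS = {"bypass_spam_filtering", "allow"}


def is_shared_esp(domain):
    """True if domain is, or is a subdomain/wildcard of, a shared ESP domain."""
    d = domain.lower().strip().rstrip(".")
    if d.startswith("*."):
        d = d[2:]
    return any(d == esp or d.endswith("." + esp) for esp in SHARED_ESP_DOMAINS)


def audit_rules(rules):
    """Return (rule name, domain, severity) for each risky exception."""
    findings = []
    for rule in rules:
        if rule.get("action") not in BYPASS_ACTIONS:
            continue  # rule does not exempt mail from filtering
        for domain in rule.get("sender_domains", []):
            if not is_shared_esp(domain):
                continue
            # With no narrowing condition the exception covers every sender
            # on the service; with one it is narrower but still worth review.
            severity = "medium" if rule.get("extra_conditions") else "high"
            findings.append((rule["name"], domain, severity))
    return findings


# Constructed sample rules, not taken from any real tenant.
SAMPLE_RULES = [
    {"name": "Marketing vendor allow", "action": "bypass_spam_filtering",
     "sender_domains": ["sendgrid.net"], "extra_conditions": []},
    {"name": "Newsletter", "action": "allow",
     "sender_domains": ["*.mailgun.org"],
     "extra_conditions": ["from_address_is:news@partner.example"]},
    {"name": "Partner", "action": "allow",
     "sender_domains": ["partner.example"], "extra_conditions": []},
    {"name": "Quarantine SES", "action": "quarantine",
     "sender_domains": ["amazonses.com"], "extra_conditions": []},
]

if __name__ == "__main__":
    for name, domain, severity in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] rule '{name}' exempts shared domain {domain}")
```

Rules flagged "high" exempt every sender on the shared service and are the broad exceptions to tighten or remove first.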