18.03.2025 - Over the past week, we have seen a number of chain phishing attempts targeting Microsoft 365 accounts in organisations. The aim of these attacks is to gain access to accounts in order to steal sensitive data that can be used for further attacks. What makes this type of phishing scam unique is the way that it spreads, in a kind of chain reaction. As one of the most widely used platforms for communication and collaboration in offices, Microsoft 365 accounts are an interesting target for cybercriminals.

Phishing is an attempt by criminals to obtain passwords and other personal information through the use of fake emails, text messages or news stories. Attackers use deceptively real-looking messages to trick their victims into revealing personal information. A particularly dangerous form of phishing is chain phishing, where fake emails are sent from compromised accounts to the victim’s entire contact list, in a kind of chain reaction. Because recipients know the purported sender, they will be less sceptical and more likely to fall for the phishing scam and share private information. A single successful phishing attack can therefore have far-reaching consequences and lead to many more accounts being hacked.
Microsoft 365 being targeted
The widespread use of Microsoft 365 makes it an interesting target for attackers looking to gain access to a wide range of sensitive data and functionality. Cybercriminals use spoofed Office 365 login pages to steal user credentials. One common tactic is to send emails asking users to update their account information. Another is to provide a link to a document that can only be downloaded after logging in to a fake Microsoft page that looks deceptively real. Because users are familiar with the platform, they are more likely to enter their credentials.
In a typical chain phishing attack, an employee of an organisation receives a phishing email that appears to be from a colleague or business partner. The email contains a link to a document purportedly located on a (Microsoft) OneDrive or SharePoint site that requires a Microsoft 365 login to view. The employee enters their login information, unknowingly sharing it with the attackers. The attackers now have access to the employee’s account and use it to send phishing emails to all of the employee’s contacts, including their colleagues, customers or business partners. As these new emails appear to come from a trusted source, recipients are likely to click on the links. The attack is then repeated.
Unauthorised access to confidential data
Attackers can use compromised Microsoft 365 accounts not only to send phishing emails, but also to potentially gain access to sensitive corporate data, including personal information and communications with business partners, customers, and other employees. Unauthorised access to confidential communications and other proprietary information stored in services such as Outlook, SharePoint or OneDrive can have serious consequences. Such data leaks leave the victim vulnerable to blackmail, can damage the company’s reputation and lead to legal consequences under Swiss data protection law and, where applicable, the EU’s General Data Protection Regulation. If your organisation has been hit by a phishing scam, get an overview of potential data leaks and assess the risk for each piece of information.
Similarly, a compromised employee account can be used as a launching pad to attack an entire supply chain: phishing emails sent from a trusted employee account to suppliers or customers can also lead to them being hacked. In addition, hacked accounts can be used to distribute malware.
Careful with forwarding rules
If attackers gain access to your account, they are likely to create an email forwarding rule that sends a copy of all your incoming emails to them. This way, even if you reset your password, they can still read all of the emails you receive. Because they still have access to your email, they can later also use it for other services that allow a password reset by email.
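The check a Microsoft 365 administrator would run after a suspected compromise is to look for exactly these persistence mechanisms: mailbox-level forwarding and inbox rules that forward, redirect or silently delete mail. The following PowerShell is an added example and not part of the NCSC article; it assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange administrator role.

```powershell
# Added example: audit an Exchange Online tenant for forwarding that survives a password reset.
# Assumes: ExchangeOnlineManagement module installed, interactive sign-in with an Exchange admin role.
Connect-ExchangeOnline

$allMailboxes = Get-Mailbox -ResultSize Unlimited

# 1) Mailbox-level forwarding (set through admin centre or OWA settings, not visible as an inbox rule)
$mailboxForwarding = $allMailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2) Inbox rules that forward, redirect or delete messages (the pattern described in the article)
$suspiciousRules = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
}

# Review on screen and keep a copy for the incident record
$mailboxForwarding | Format-Table -AutoSize
$suspiciousRules   | Format-Table -AutoSize
$mailboxForwarding | Export-Csv -NoTypeInformation -Path .\mailbox-forwarding.csv
$suspiciousRules   | Export-Csv -NoTypeInformation -Path .\suspicious-inbox-rules.csv

# After review: remove a confirmed malicious rule (placeholder mailbox and rule name)
# Remove-InboxRule -Mailbox 'user@example.com' -Identity 'RULE-NAME-HERE' -Confirm:$false

# Preventive setting: block automatic forwarding to external addresses tenant-wide
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Rules that both forward and delete, or move mail to obscure folders such as RSS Feeds, deserve the closest look, since they are designed to hide the attacker's correspondence from the account owner.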
How you can protect yourself
- Check email sender addresses carefully. Be suspicious of emails where the sender’s name does not match the address.
- Generic salutations such as ‘Dear customer’ instead of your name can be a red flag.
- Watch out for grammar and spelling mistakes.
- Always check that the web address (URL) is correct before entering a password.
- Be wary of emails that ask you to do something. This could include clicking on a link or opening a document or attachment.
- Never enter personal information into a form that you have opened from a link in an email.
- Where possible, set up two-factor authentication. This provides an extra layer of protection to prevent your account from being hacked.
- Remember that email senders can easily be faked.
- If emails are being sent in your name, it is likely that your email account has been hacked. Change your password immediately and check your email filters and forwarding rules. Notify your contacts as they may have received emails in your name.
- Data security breaches must be reported to the FDPIC if there is a high risk that the privacy or fundamental rights of the persons affected by the data breach are compromised (Art. 24 Data Protection Act). This reporting duty applies to private individuals, companies and federal offices. The report to the FDPIC must be made as soon as possible. You can find the notification form here: https://databreach.edoeb.admin.ch/report
Current statistics
[Chart: last week's reports by category]
Last modification 18.03.2025