Cybercriminals Exploit Microsoft Entra Invitations in Sophisticated TOAD Attacks
A recent phishing campaign abuses Microsoft Entra's guest user invitation feature to lure recipients into phoning attackers who pose as Microsoft support representatives. It is an evolution of Telephone Oriented Attack Delivery (TOAD): the lure arrives in an email that Microsoft itself sends, and the credential theft happens later, over the phone, where no email filter can see it.
Exploitation of Microsoft Entra Invitations
Microsoft Entra, formerly known as Azure Active Directory, lets an organization invite external users as guests through B2B collaboration. This is not a software vulnerability; the attackers simply use the feature as designed. The invitation email is generated and sent by Microsoft from invites@microsoft.com, so it carries valid SPF, DKIM and DMARC results for microsoft.com and sails past filters that key on sender reputation. The only parts the attacker controls are the name of the inviting tenant and the free-text message that Microsoft embeds in its own email template.
Attack Methodology
The attackers register throwaway Entra tenants whose display names are chosen to sound like Microsoft or one of its service teams, such as Unified Workspace Team, CloudSync, and Advanced Suite Services. The tenant name is what the recipient sees as the inviter, so a plausible name does most of the social-engineering work.
The invitation's custom message claims that the recipient's Microsoft 365 annual plan has been renewed or is due for renewal. It includes fabricated transaction details, such as reference numbers, customer IDs, and billing amounts around $446.46, and instructs the user to call a phone number presented as Microsoft Billing Support to dispute or cancel the charge. That number rings the attackers, who then walk the caller through a fake verification process to harvest credentials and gain unauthorized access to the victim's accounts.
Detection Evasion Techniques
A critical aspect of this campaign is how little of it is visible to email security controls. The Message field of an Entra guest invitation accepts arbitrarily long text, so the entire lure, including the callback number, can be placed inside a legitimate Microsoft notification rather than in an attacker-authored email. The message contains no link to an attacker-controlled site and no attachment, and because the email genuinely originates from Microsoft's infrastructure and authenticates as microsoft.com, security systems are far less likely to flag it.
The attackers have registered multiple tenants for the campaign, including x44xfqf.onmicrosoft.com, woodedlif.onmicrosoft.com, and xeyi1ba.onmicrosoft.com. Rotating across disposable tenants lets the campaign continue when any single tenant is reported and shut down.
Recommendations for Organizations
To mitigate the risks associated with this phishing campaign, organizations should implement the following measures:
1. Monitor Email Logs: Hunt for invitation emails from invites@microsoft.com with subject lines containing "invited you to access applications within their organization" and then pivot on the inviting tenant name or onmicrosoft.com domain and on the message body. The sender address alone is not an indicator, since every legitimate Entra invitation uses it; a billing pretext, a currency amount, or a phone number in an invitation message is.
2. Block Malicious Phone Numbers: Identify the callback numbers used in the lures and block them on corporate telephony where possible, bearing in mind that numbers rotate and the list needs regular updating.
3. User Education: Educate employees on verifying Microsoft communications through official support channels rather than responding to unsolicited invitation-based requests.
4. Review Guest Collaboration Controls: Use Entra cross-tenant access settings to restrict which external tenants your users may collaborate with, and treat invitations from unknown tenants as untrusted. Note that these settings do not stop the invitation email itself from reaching the inbox, and this attack needs only the phone call, not an accepted invitation, so they must be paired with the monitoring and training above.
By adopting these measures, organizations can better protect themselves against sophisticated phishing attacks that exploit trusted systems and human vulnerabilities.
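The following script is an added example, not part of the original report, showing how the monitoring recommendation above can be turned into a simple hunting rule over message-trace style records. It gates on the legitimate invitation sender and subject, then scores the inviting tenant and the message body for the campaign's indicators. The record layout, the scoring weights, the 400-character length threshold and the sample messages (including the phone number and reference numbers) are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Sender used by every legitimate Microsoft Entra B2B invitation.
# The campaign rides on it, so it is a gate, not a verdict.
ENTRA_INVITE_SENDER = "invites@microsoft.com"
# Subject fragment carried by Entra invitation emails.
INVITE_SUBJECT_FRAGMENT = "invited you to access applications within their organization"
# Tenant names and domains reported for this campaign.
BAD_TENANT_NAMES = {"unified workspace team", "cloudsync", "advanced suite services"}
BAD_TENANT_DOMAINS = {"x44xfqf.onmicrosoft.com", "woodedlif.onmicrosoft.com",
                      "xeyi1ba.onmicrosoft.com"}
# Vocabulary of the billing pretext and the callback channel the lure depends on.
BILLING_RE = re.compile(r"\b(renew(?:al|ed)?|invoice|billing|annual plan|transaction|"
                        r"customer id|reference number)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*\.\d{2}")
# Assumption: a genuine collaboration invite rarely needs a long custom message;
# a long one suggests the Message field is carrying the lure.
LONG_MESSAGE_CHARS = 400
HIT_THRESHOLD = 3


@dataclass
class Verdict:
    message_id: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_invitation(msg: dict) -> Verdict:
    """Score one record with keys id, sender, subject, tenant_name, tenant_domain, body."""
    v = Verdict(msg["id"])
    # Gate: only look at genuine Entra invitations; everything else is out of scope here.
    if msg.get("sender", "").lower() != ENTRA_INVITE_SENDER:
        return v
    if INVITE_SUBJECT_FRAGMENT not in msg.get("subject", "").lower():
        return v
    body = msg.get("body", "")
    if msg.get("tenant_name", "").lower() in BAD_TENANT_NAMES:
        v.score += 3
        v.reasons.append("known campaign tenant name")
    if msg.get("tenant_domain", "").lower() in BAD_TENANT_DOMAINS:
        v.score += 3
        v.reasons.append("known campaign tenant domain")
    phone = PHONE_RE.search(body)
    if phone and BILLING_RE.search(body):
        v.score += 2
        v.reasons.append(f"billing pretext with callback number {phone.group(0)}")
    if AMOUNT_RE.search(body):
        v.score += 1
        v.reasons.append("currency amount in invitation message")
    if len(body) > LONG_MESSAGE_CHARS:
        v.score += 1
        v.reasons.append("unusually long invitation message")
    return v


def hunt(records):
    """Return verdicts at or above the hit threshold."""
    return [v for v in (score_invitation(r) for r in records) if v.score >= HIT_THRESHOLD]


# Constructed sample records: one campaign lure, one legitimate invite, one unrelated mail.
SAMPLE_RECORDS = [
    {"id": "m1", "sender": "invites@microsoft.com",
     "subject": "Unified Workspace Team invited you to access applications within their organization",
     "tenant_name": "Unified Workspace Team", "tenant_domain": "x44xfqf.onmicrosoft.com",
     "body": ("Your Microsoft 365 annual plan has expired and was auto-renewed. "
              "Reference number: MS-7Q2-TRX-0001. Customer ID: 48213-X. Amount billed: $446.46. "
              "If you did not authorize this transaction, call Microsoft Billing Support at "
              "+1 (800) 555-0199 within 24 hours to cancel and request a refund.")},
    {"id": "m2", "sender": "invites@microsoft.com",
     "subject": "Contoso invited you to access applications within their organization",
     "tenant_name": "Contoso", "tenant_domain": "contoso.onmicrosoft.com",
     "body": "Hi, here is the shared project workspace we discussed. See you Thursday."},
    {"id": "m3", "sender": "newsletter@example.com",
     "subject": "Your invoice is ready",
     "tenant_name": "", "tenant_domain": "",
     "body": "Invoice attached. Questions? Call (800) 555-0100."},
]

if __name__ == "__main__":
    for v in hunt(SAMPLE_RECORDS):
        print(v.message_id, v.score, "; ".join(v.reasons))
```

Only m1 is reported: the sender and subject match for m2 as well, but a short, link-free message from an unlisted tenant scores zero, and m3 never passes the gate despite containing a phone number and "invoice". In production the records would come from Exchange message trace or the unified audit log, and the tenant lists would be maintained as threat intelligence rather than hard-coded.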