Anatomy of an Office 365 Phishing Attack

We recently had to assist a customer in dealing with a phishing attack against an Office 365 user’s account.

What is Phishing?

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site.

Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.

Excerpt from Wikipedia.

What Happened?

The user received an email requesting feedback on an email sent earlier. The user was distressed enough by the email to respond and apologize, whereupon the attackers sent a follow-up email directing the user to a file to be downloaded.

Clicking the link loads a login page, requesting the user’s Office 365 credentials, whereupon the user is directed to some documents. At this stage the documents don’t really matter, and if the user does not realise that they’ve entered their credentials into a bogus site, their account is wide open.

The attackers then take their time reviewing the user’s email inbox, to identify a plausible method of extracting a fraudulent invoice for payment.

When they are ready to act, they enable a forwarding rule on the user’s Inbox, directing all emails to an external email address, so that they can respond to any queries and send the invoice for processing. It seems they target approximately $5k – $10k, probably to remain under the compliance and authorization radar. They then trigger a mass email from the user’s inbox, to spread their attack to as many contacts in the user’s mail account as possible before the Office 365 spam rules shut the mailbox down. Finally, the attackers tend to delete as many emails as they can easily get to, in order to wipe out the traces of their intent. They do a hard delete, which means the email goes straight to jail, and does not first stop in the Deleted Items folder.

How do you know you’ve been caught? The first real indication is the forwarding rule which triggers a “Low-Severity Alert” on Office 365 to Administrators. Other indicators are if the user’s Inbox starts behaving strangely, or access to the Inbox becomes erratic. Also watch out for new rules being created.

What should you do when your email account has been compromised? There are some excellent articles posted by Microsoft on how to respond and what to do next.

How did we respond?

  1. Reset the User’s Password
  2. Block the User’s Account
  3. Remove any Administrative Roles the User may have on Office 365
  4. Disable the mail forwarding rule via Outlook Web Access (the forwarder does not seem to come up in either the Exchange Management Console or the local Outlook client)
  5. Disable any suspicious rules in the Outlook Client (We disabled them to allow us to interrogate them in more detail as part of the post mortem)
  6. Run PowerShell script to check the audit logs, and attempt to create a timeline of events
    1. See here for the PowerShell syntax
    2. And here for an excellent implementation (although it’s a bit outdated, being based on Exchange 2010/2013)
  7. If email entries were deleted, restore any recoverable items using the Restore-RecoverableItems PowerShell cmdlet
    1. See here:
  8. Once the emails have been restored and operational control of the mailbox returned to the correct user, you can reset the password and enable the account
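
One way to carry out the forwarding check and the audit-log timeline from steps 4 to 6 in Exchange Online PowerShell. This is an added example, not the script we ran during the incident; it assumes the ExchangeOnlineManagement module, an existing `Connect-ExchangeOnline` session, and that unified and mailbox audit logging were enabled before the compromise. The mailbox address, the 30-day window and the output file name are placeholders.

```powershell
# Added example (not the original post's script). Placeholders below are hypothetical.
$Mailbox = 'user@contoso.example'      # compromised mailbox (placeholder)
$Start   = (Get-Date).AddDays(-30)     # assumed look-back window
$End     = Get-Date

# 1. Mailbox-level forwarding, which is configured outside of inbox rules.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect or delete mail.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                   $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage

# 3. Audit records for the actions described above: sign-ins, rule and
#    forwarding changes, and hard deletes.
$Operations = 'UserLoggedIn', 'MailboxLogin', 'New-InboxRule', 'Set-InboxRule',
              'UpdateInboxRules', 'Set-Mailbox', 'HardDelete'
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -UserIds $Mailbox -Operations $Operations -ResultSize 5000

# 4. Flatten each record into one timeline row. AuditData is a JSON string;
#    the client address field name differs between record types.
$Timeline = foreach ($r in $Records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $r.CreationDate
        Operation = $r.Operations
        ClientIP  = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        Result    = $d.ResultStatus
    }
}

# 5. Oldest event first, saved for the post mortem and shown on screen.
$Sorted = $Timeline | Sort-Object TimeUtc
$Sorted | Export-Csv -Path .\mailbox-timeline.csv -NoTypeInformation
$Sorted | Format-Table -AutoSize
```

Sign-ins from unfamiliar client addresses shortly before a rule or forwarding change are the rows to examine first when reconstructing the sequence of events.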

What can be done?

To avoid phishing attacks in the future, we highly recommend enabling Multi-Factor Authentication for all users. It would also be useful to customize the Office 365 login page, so that users can more easily identify phony login pages.

In addition to these technical measures, it is important that users are made aware of the dangers of phishing and trained on how to spot phony or suspicious links and pages. Phishing is a social engineering attack and it relies on the resemblance to a credible source to solicit the user’s details.

The instances and successes of phishing have certainly increased over the last period, with numerous reports received by Azuro, and even reported on in the news. Be alert.

Other helpful links:

  1. Connecting to Exchange Online via PowerShell
  2. Office 365 Security Incident Response
  3. Security best practices for Office 365
  4. Manage mailbox Auditing
