Phishing Campaign Uses Fake Compliance Notices to Compromise Microsoft Accounts Across 13,000 Organizations
What Happened — A coordinated phishing operation impersonated internal HR/compliance communications, sending fake “compliance notice” emails to ≈ 35 k Microsoft account users in ≈ 13 k organizations across 26 countries. The emails directed victims through a multi‑stage redirect chain to a counterfeit Microsoft sign‑in page that harvested credentials and session tokens via an adversary‑in‑the‑middle (AiTM) attack.
Why It Matters for TPRM —
- Credential‑theft of Microsoft accounts can give attackers unfettered access to SaaS services, email, and downstream third‑party integrations.
- The campaign’s use of legitimate‑looking branding (HR, compliance, Paubox) demonstrates elevated social‑engineering sophistication, raising the risk profile of any vendor that relies on Microsoft identities.
- Broad targeting (13 k orgs) suggests the threat actor may be building a large pool of compromised accounts for future supply‑chain or ransomware extortion.
Who Is Affected — Enterprises of any sector that use Microsoft 365 / Microsoft Entra ID (formerly Azure AD) for identity management, especially those with large employee bases in the United States.
Recommended Actions —
- Verify that all Microsoft‑based authentication flows use phishing‑resistant MFA (FIDO2 security keys, passkeys, or certificate‑based authentication enforced through Conditional Access authentication strengths); push approvals and one‑time codes do not stop AiTM, because the proxy simply relays the challenge to the victim. Pair this with Conditional Access controls that limit the value of a stolen session cookie: require compliant or hybrid‑joined devices, shorten sign‑in frequency for sensitive apps, and enable token protection where it is available.
- Conduct phishing‑resilience training focused on “compliance‑notice” lures and reinforce verification of unexpected internal communications.
- Review third‑party risk contracts to ensure vendors enforce secure sign‑in practices and monitor for anomalous token usage.
Technical Notes — The attack chain was a phishing email carrying a PDF attachment, a Cloudflare CAPTCHA gate (which also keeps automated scanners away from the lure), and a fake sign‑in page that proxied the victim's input to the real Microsoft login. The victim types their password and completes their second factor as normal; the proxy forwards both to Microsoft and captures the resulting session cookie and tokens. Replaying that cookie gives the attacker an already‑authenticated session, so they never have to re‑enter the password or satisfy MFA themselves. No CVE was involved; the vector is pure social engineering. Source: Help Net Security
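The replay described above leaves a trace: a session identifier minted from one network location turns up minutes later on a different ASN or country without a fresh MFA prompt. The following detection logic is an added example (not code from the Help Net Security article or from Microsoft); it assumes a simplified JSON‑lines export of sign‑in telemetry whose field names, sample records and thresholds are this example's own, standing in for the sessionId, IP and MFA fields that Entra ID sign‑in logs actually carry.

```python
"""Flag suspected AiTM session-token replay in sign-in telemetry.

Added example, not code from the article. Assumes a simplified JSON-lines
export where each record carries the session identifier issued at sign-in;
field names, sample data and the 24h window are this example's assumptions.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (RFC 5737 documentation IPs, RFC 5398 ASNs).
# S1: alice signs in from the US, then the same session appears from NL four
# minutes later with no MFA prompt (replayed cookie). S2: bob roams within the
# same ASN/country (benign). S4: a foreign attempt that failed (no session).
SAMPLE_LOG = """\
{"time": "2024-05-06T09:00:00Z", "user": "alice@example.com", "session_id": "S1", "ip": "203.0.113.10", "country": "US", "asn": 64500, "mfa_prompted": true, "result": "success"}
{"time": "2024-05-06T09:04:00Z", "user": "alice@example.com", "session_id": "S1", "ip": "198.51.100.7", "country": "NL", "asn": 64511, "mfa_prompted": false, "result": "success"}
{"time": "2024-05-06T09:10:00Z", "user": "bob@example.com", "session_id": "S2", "ip": "203.0.113.20", "country": "US", "asn": 64500, "mfa_prompted": true, "result": "success"}
{"time": "2024-05-06T11:00:00Z", "user": "bob@example.com", "session_id": "S2", "ip": "203.0.113.21", "country": "US", "asn": 64500, "mfa_prompted": false, "result": "success"}
{"time": "2024-05-06T09:20:00Z", "user": "carol@example.com", "session_id": "S3", "ip": "203.0.113.30", "country": "US", "asn": 64500, "mfa_prompted": true, "result": "success"}
{"time": "2024-05-06T09:22:00Z", "user": "dave@example.com", "session_id": "S4", "ip": "203.0.113.40", "country": "US", "asn": 64500, "mfa_prompted": true, "result": "success"}
{"time": "2024-05-06T09:25:00Z", "user": "dave@example.com", "session_id": "S4", "ip": "192.0.2.9", "country": "DE", "asn": 64496, "mfa_prompted": false, "result": "failure"}
"""


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    session_id: str
    ip: str
    country: str
    asn: int
    mfa_prompted: bool
    result: str


def parse_log(text: str) -> list[SignIn]:
    """Parse JSON-lines sign-in records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(SignIn(
            # fromisoformat() only accepts a trailing 'Z' on Python >= 3.11.
            time=datetime.fromisoformat(rec["time"].replace("Z", "+00:00")),
            user=rec["user"],
            session_id=rec["session_id"],
            ip=rec["ip"],
            country=rec["country"],
            asn=int(rec["asn"]),
            mfa_prompted=bool(rec["mfa_prompted"]),
            result=rec["result"],
        ))
    return sorted(events, key=lambda e: e.time)


def find_token_replays(events: list[SignIn], window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Return suspected replays: a session minted at one network location and
    later used from a different ASN or country, within `window`, without the
    user being prompted for MFA again. A genuine roaming user who re-satisfies
    MFA from the new network is not flagged; a replayed cookie never is prompted.
    """
    by_session: dict[str, list[SignIn]] = defaultdict(list)
    for e in events:
        if e.result == "success":          # failed attempts carry no usable session
            by_session[e.session_id].append(e)

    findings = []
    for sid, evs in by_session.items():
        origin = evs[0]                    # earliest success = where the cookie was minted
        for later in evs[1:]:
            moved = later.asn != origin.asn or later.country != origin.country
            if moved and not later.mfa_prompted and later.time - origin.time <= window:
                findings.append({
                    "user": later.user,
                    "session_id": sid,
                    "origin_ip": origin.ip,
                    "origin_country": origin.country,
                    "replay_ip": later.ip,
                    "replay_country": later.country,
                    "minutes_after_login": (later.time - origin.time).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for hit in find_token_replays(parse_log(SAMPLE_LOG)):
        print(json.dumps(hit))
```

Run against real telemetry, the same rule is what Entra ID Protection's "anomalous token" and "unfamiliar sign-in properties" detections approximate; treat a hit as a trigger to revoke the user's sessions and refresh tokens, not merely to alert. If token protection binds the session to the device, the replayed cookie fails outright and shows up as a failed sign-in instead, which is why the `result` filter above should be relaxed to include those failures once that control is on.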