
Microsoft 365 phishing attacks target finance teams

Catherine Chipeta

Microsoft 365 is a prime target for cybercriminals, and recent reports highlight a surge in phishing attacks aimed directly at finance teams. These attacks exploit trusted domains to bypass security measures, making them harder to detect. With finance professionals increasingly in the crosshairs, it’s crucial to understand how these scams work and how to defend against them.

How these attacks work

1. Exploiting Microsoft’s own systems

Attackers gain control of Microsoft 365 tenants either by registering fake organizations of their own or by hijacking legitimate ones. From those tenants they send phishing emails that look authentic, often mimicking Microsoft billing notifications.

  • These emails contain fake customer support numbers.
  • Victims calling these numbers are tricked into revealing login credentials or financial details.
  • Because the emails originate from Microsoft’s own mail servers, they pass the sender-reputation and authentication checks that traditional security filters rely on.

Cybersecurity firm Guardz recently uncovered how cybercriminals are exploiting Microsoft’s cloud services to distribute phishing emails. By leveraging Microsoft’s infrastructure, attackers make their messages appear more legitimate, increasing the risk of financial fraud.

2. Device code phishing and Microsoft Teams fraud

Attackers are also using more subtle social engineering tactics to bypass security controls:

  • Device code phishing: Victims receive messages pretending to be from Microsoft or other trusted services, urging them to enter a code on a genuine Microsoft login page. Once the code is entered, the attacker’s pending sign-in is approved with the victim’s own authentication, so the attacker gains access without ever needing the victim’s password or MFA device.
  • Microsoft Teams vishing: Cybercriminals posing as IT support send phishing emails and then follow up with Microsoft Teams messages. They trick employees into giving remote access, allowing them to install malware or steal financial data.

3. Fake business apps stealing credentials

Another tactic involves malicious apps posing as trusted tools like Adobe Acrobat and DocuSign. These apps request Microsoft 365 permissions under the guise of business use. Once granted access, attackers can:

  • Harvest employee email credentials
  • Intercept financial transactions
  • Deploy further fraud attempts using compromised accounts

Why finance teams are prime targets

Fraudsters know finance professionals control payments and sensitive data. A compromised Microsoft 365 account can enable:

  • Business email compromise (BEC): Attackers impersonate executives or vendors to initiate fraudulent payments.
  • Invoice fraud: Fake invoices are sent from a real corporate email, making them harder to detect.
  • Payroll fraud: Employee payroll accounts can be altered to redirect funds.

How to protect your organization

🔹 Enable multi-factor authentication (MFA). This reduces the risk of unauthorized access, but treat it as a baseline rather than a complete defence: the device code and malicious app tactics above are designed to succeed even when MFA is in place.

🔹 Scrutinize email sources. Even if an email looks legitimate, verify before responding to financial requests.

🔹 Limit app permissions. Review which third-party applications have been granted access to your Microsoft 365 data, and revoke anything that is not clearly needed for business use.

🔹 Restrict external Microsoft Teams access. Adjust settings to limit or block unsolicited contact from outside users.

🔹 Train finance teams on phishing risks. Awareness is key to preventing social engineering attacks.

🔹 Be wary of device code requests. If asked to enter a code outside of your usual workflow, confirm with IT before proceeding.
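The “limit app permissions” and “device code” advice above can be backed by a routine check over tenant logs. The following Python is an added example, not code from this article or from eftsure: it flags device code sign-ins (especially from a country the user never signs in from otherwise) and user consents to unverified apps that request mailbox permissions. Field names follow Microsoft Graph’s signIn (authenticationProtocol) and “Consent to application” audit records but are flattened here, and the sample records, user names and the MAILBOX_SCOPES list are constructed assumptions.

```python
"""Flags the two patterns above in Microsoft 365 logs: device code sign-ins and
consents to unverified apps asking for mailbox access. Field names follow the
Graph signIn and directoryAudit records; every record here is constructed."""

# Constructed sample sign-ins for one accounts-payable user.
SIGN_INS = [
    {"userPrincipalName": "ap.clerk@example.com", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "countryOrRegion": "AU"},
    {"userPrincipalName": "ap.clerk@example.com", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "countryOrRegion": "NL"},
]
# Constructed sample "Consent to application" audit events (flattened shape).
CONSENT_EVENTS = [
    {"activityDisplayName": "Consent to application", "initiatedBy": "ap.clerk@example.com",
     "appDisplayName": "Adobe Acrobat Reader Online", "verifiedPublisher": False,
     "scopes": ["Mail.Read", "Mail.Send", "offline_access"]},
    {"activityDisplayName": "Consent to application", "initiatedBy": "it.admin@example.com",
     "appDisplayName": "Contoso Expense", "verifiedPublisher": True, "scopes": ["User.Read"]},
]
# Delegated scopes that let an app read or send mail as the user (what BEC needs). Starter list.
MAILBOX_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

def device_code_signins(signins):
    """Return (user, app, country, new_location) per device code sign-in. new_location
    is True when the user has no ordinary sign-in from that country: a phished code is
    normally redeemed from the attacker's machine, not the victim's."""
    usual = {}
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            usual.setdefault(s["userPrincipalName"], set()).add(s["countryOrRegion"])
    findings = []
    for s in signins:
        if s["authenticationProtocol"] == "deviceCode":
            user, country = s["userPrincipalName"], s["countryOrRegion"]
            findings.append((user, s["appDisplayName"], country,
                             country not in usual.get(user, set())))
    return findings

def risky_consents(events):
    """Return (user, app, offending scopes) for consents granted to apps without a
    verified publisher that request any mailbox scope."""
    findings = []
    for e in events:
        if e["activityDisplayName"] != "Consent to application" or e["verifiedPublisher"]:
            continue
        hit = sorted(MAILBOX_SCOPES.intersection(e["scopes"]))
        if hit:
            findings.append((e["initiatedBy"], e["appDisplayName"], hit))
    return findings
```

Run both functions over a real export on a schedule and route any finding for a finance user to the team that handles payment approvals as well as to IT.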

Microsoft 365 is a critical tool for finance teams, but its widespread use makes it a prime target for cybercriminals. Understanding these evolving threats and implementing proactive security measures can prevent costly fraud and data breaches.
