Craig McDonald 14 July 2020 18:06:56 AEST 9 MIN READ

Warning: Massive phishing campaigns are targeting millions of Office 365 users worldwide. Here’s how you can protect your business.

Office 365 users are prime targets of criminal-intent email threats, and this continues to be reinforced by recent reports of massive phishing campaigns threatening to cause catastrophic damage to businesses.

Cybercriminals are continuing to launch attacks with speed and sophistication – making it absolutely crucial for businesses to enhance their cyber resilience levels if they wish to remain protected. 

In a recent blog post, Microsoft announced that millions of Office 365 users across 62 countries have been targeted by a widespread phishing campaign that is targeting “business leaders across a variety of industries, attempting to compromise accounts, steal information and re-direct wire transfers.”  

The phishing attacks are executed by hackers who pose as employers and other trusted senders in emails sent to users of Office 365. The messages contain attachments that, when clicked, prompt users to grant access to a web application that resembles those “widely used in organisations.” However, in this case, the “familiar-looking” applications are malicious and granting access lets cyber-attackers into users’ Office 365 accounts, according to an article by Bloomberg. 

Microsoft has also warned businesses of another specialised phishing campaign. Known as consent phishing, attackers behind this campaign trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user’s password, the attacker seeks permission for an attacker-controlled app to access valuable data. 

While  each attack tends to vary, the core steps usually look something like this: 

  1. An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
  2. The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques.
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  5. If a user clicks accept, they will grant the app permissions to access sensitive data.
  6. The app gets an authorisation code which it redeems for an access token, and potentially a refresh token.
  7. The access token is used to make API calls on behalf of the user.


If the user accepts, the attacker can gain access to their email, forwarding rules, files, contacts, notes, profile and other sensitive data and resources. 

(via Microsoft) 

Everyday, my team at MailGuard continues to intercept similar phishing attacks spoofing Office 365, like this one from a couple of weeks ago. These are becoming more targeted, complex and pernicious. These attacks come at a time of heightened cyber-risk, in a climate where phishing scams exploiting the COVID-19 crisis are exploding throughout the world. UK’s National Cyber Security Centre reported more than a million phishing scams in a span of two months. Google says it intercepts 18 million COVID-19 scams and phishing emails  every single day, while the Australian Cyber Security Centre issued an alert last week warning users of “a significant increase in reporting in the past few months of COVID themed phishing scams”. Australia’s Prime Minister Scott Morrison has also issued a cybersecurity alert over the past month, announcing that local private and public sector organisations are under a “sophisticated cyber-attack”.  

Taking the current climate into consideration, the phishing campaigns targeting Microsoft users aren’t too surprising. However, they are a stern warning to all business owners to step up our efforts in boosting our cyber resilience levels, and a powerful reminder that cybercriminals are on the move and are continuing to launch attacks of great magnitude. Global susceptibility to phishing is continuing to make the approach an attractive technique for cybercriminals, especially amid all the disruptions posed by the ongoing COVID-19 pandemic, and you can bet these attacks are only going to get worse. 

I am encouraged that many organisations recognise the very real risks of cybercrime and that proactive cybersecurity continues to be a strategic focus in many boardrooms. However, the increasing frequency and sophistication of such attacks means that more work is needed to proactively enhance our cyber defences. We simply cannot afford to become complacent. 

It’s crucial for organisations to be more proactive with their cybersecurity strategies because if they don’t, the consequence of phishing campaigns like these have the potential to destroy businesses. As a cybersecurity expert, leading a company that has defended businesses against malicious email threats since 2001, I know the risks and have seen the devastation first-hand. Email is a critical tool and arguably the most important means of communication among many businesses, making it imperative for companies to implement the right email security solutions & behaviours that can protect their inboxes.  

The solution: Adopting a ‘Defence in Depth’ approach 

I firmly believe adopting a multi-layered approach is fundamental to ensuring your cybersecurity strategy is up to scratch, and that is especially true with email. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods, in the event that if one fails, the others will stop the threat.  

We know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. Don’t assume that’s as good as it gets. Don’t accept that risk. Explore other solutions to layer your email defences and to protect your brand, your people and your data. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard to complement Microsoft 365.  

Along with technology, processes and people are also important when facing cybersecurity challenges and aligning all three will help in mitigating any incoming cyber risks, ensuring your business is protected. You can boost your cyber defence capabilities by providing phishing awareness training to your employees so that they’re better equipped to spot the difference between a phishing email and a legitimate one. 

Ann Johnson, Microsoft’s Corporate Vice President, Cybersecurity Solutions Group, summarises what organisations need to do today in order to protect themselves in this period of heightened cyber risk: “To maintain cyber resilience, one should be regularly evaluating their risk threshold and an organisation’s ability to operationally execute the processes through a combination of human efforts and technology products and services.” 

Phishing campaigns like these can be devastating, and they will unfortunately continue to make headlines repeatedly. I implore you, don’t let the lessons learnt from these attacks go to waste. Act now to protect your business. At a time when things are so fragile and, in the balance, the last thing that your organisation needs is a breach. 

If you need more support to protect your business from cybercrime, please reach out to my team at   


For the past few years, MailGuard has been on a journey with Microsoft. We share a very real and major challenge, to stop criminal intent email threats from reaching inboxes. One email is all that it takes to destroy a business. We took that partnership to a new level last year, as we co-developed with Microsoft, to build our brand-new solution that leverages the Microsoft Graph API. We call it MailGuard 365.

Speaking about MailGuard 365, Satya Nadella (CEO, Microsoft) said in a recent keynote that 1 trillion dollars is lost every year because of cyber issues. ...That ability to laterally move faster than the adversary is going to be so important and that’s what we have built with the end-to-end security infrastructure. We have also done this with openness, that means all of what we see, the trillions of signals are in a graph, that is available to ISVs... I had a chance to learn about an ISV doing fantastic work creating threat protection around social engineering, that’s the type of innovation we want to see, where we share the signal and we allow for real defence in depth.”

MailGuard 365, is an evolutionary new offering that can deliver a true, social good, with a global impact.


Exclusive to the Microsoft marketplace, we built it to protect more than 200 million Microsoft 365 users around the world. It works on the inside of Microsoft 365, to stop malicious email threats like phishing, ransomware and BEC [Business Email Compromise], blocking up to 15% more threats with Microsoft 365.

Given that one criminal intent email can cause such a drastic financial impact for businesses, the need for a ‘Defence in Depth’ approach is paramount. It’s the last security check before staff can make a catastrophic mistake, re-scanning emails when they reach a user mailbox.

As a business, you can get started with a simple 30-day free evaluation from Microsoft AppSource and Azure Marketplace. It’s an ideal solution in the current climate.

Stay safe,