Craig McDonald, Jul 30, 2020

Warning: Massive phishing campaigns are targeting millions of Office 365 users worldwide


Office 365 users are prime targets of criminal-intent email threats, and this continues to be reinforced by recent reports of massive phishing campaigns threatening to cause catastrophic damage to businesses. 

Cybercriminals are continuing to launch attacks with speed and sophistication – making it absolutely crucial for businesses to proactively review and enhance their cybersecurity measures if they wish to remain protected.  
 
As you continue supporting your customers and helping them stay cyber resilient, share the blog below with them. It contains a detailed summary of these widespread phishing campaigns, to raise awareness of the type of cyber-attacks currently circulating, the lessons that can be learned from them, and the steps businesses can take to defend themselves.
 
In a recent blog post, Microsoft announced that millions of Office 365 users across 62 countries have been targeted by a widespread phishing campaign that is targeting “business leaders across a variety of industries, attempting to compromise accounts, steal information and re-direct wire transfers.”   

The phishing attacks are executed by hackers who pose as employers and other trusted senders in emails sent to users of Office 365. The messages contain attachments that, when clicked, prompt users to grant access to a web application that resembles those “widely used in organisations.” However, in this case, the “familiar-looking” applications are malicious and granting access lets cyber-attackers into users’ Office 365 accounts, according to an article by Bloomberg.  

Microsoft has also warned businesses of another specialised phishing campaign. Known as consent phishing, attackers behind this campaign trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user’s password, the attacker seeks permission for an attacker-controlled app to access valuable data.  

While each attack tends to vary, the core steps usually look something like this:

  1. An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
  2. The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem. 
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques. 
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data. 
  5. If a user clicks accept, they will grant the app permissions to access sensitive data. 
  6. The app gets an authorisation code which it redeems for an access token, and potentially a refresh token. 
  7. The access token is used to make API calls on behalf of the user. 

If the user accepts, the attacker can gain access to their email, forwarding rules, files, contacts, notes, profile and other sensitive data and resources.  

(via Microsoft)  
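The steps above are what a defender would want to spot in their own tenant's audit trail: a consent grant to an unverified app that asks for mail, mailbox settings (where forwarding rules live), files or contacts, especially together with `offline_access`, the scope that hands the app a refresh token. The following script is an added example written for this post, not code from Microsoft or MailGuard; it scores constructed sample audit events whose field names (`activity`, `app`, `publisher_verified`, `scopes`) are assumptions standing in for whatever your log export actually uses.

```python
import json

# Delegated permissions that map to what the post says consent phishing goes
# after: mail, forwarding rules (mailbox settings), files, contacts and notes,
# plus offline_access, the scope that yields a long-lived refresh token.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "Notes.Read.All", "offline_access",
}

# Constructed sample events. The shape loosely follows an Azure AD
# "Consent to application" audit entry, but the field names are assumptions.
SAMPLE_EVENTS = [
    '{"activity": "Consent to application", "user": "cfo@example.com", '
    '"app": "Office 365 Mail Helper", "publisher_verified": false, '
    '"scopes": "Mail.ReadWrite MailboxSettings.ReadWrite offline_access"}',
    '{"activity": "Consent to application", "user": "dev@example.com", '
    '"app": "Contoso Timesheets", "publisher_verified": true, '
    '"scopes": "User.Read"}',
    '{"activity": "Consent to application", "user": "ops@example.com", '
    '"app": "SharePoint Sync Tool", "publisher_verified": false, '
    '"scopes": "Files.ReadWrite.All offline_access"}',
    '{"activity": "Update user", "user": "admin@example.com"}',
]

def score_consent(event):
    """Return (score, reasons) for one consent event; higher means riskier."""
    reasons = []
    granted = set(event.get("scopes", "").split())
    for scope in sorted(granted & HIGH_RISK_SCOPES):
        reasons.append(f"high-risk scope {scope}")
    if not event.get("publisher_verified", False):
        reasons.append("publisher not verified")
    return len(reasons), reasons

def find_risky_consents(lines, threshold=2):
    """Parse JSON audit lines and return consent grants scoring >= threshold."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("activity") != "Consent to application":
            continue  # only app-consent grants are of interest here
        score, reasons = score_consent(event)
        if score >= threshold:
            findings.append({"user": event["user"], "app": event["app"],
                             "score": score, "reasons": reasons})
    return findings
```

Run over the constructed sample, the two unverified apps asking for mail, mailbox-settings or file access plus `offline_access` are reported, while the verified app that only asked for `User.Read` is not; in practice the threshold and scope list should be tuned to the tenant's own baseline of approved apps.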

My team at MailGuard is also continuing to intercept similar phishing attacks spoofing Office 365, like this one from last month. These are becoming more targeted, complex and pernicious. They come at a time of heightened cyber-risk, in a climate where phishing scams exploiting the COVID-19 crisis are exploding throughout the world. Australia’s Prime Minister Scott Morrison also issued a cybersecurity alert last month, announcing that local private and public sector organisations are under a “sophisticated cyber-attack”.

Let's renew our efforts in helping our customers adopt a ‘Defence in Depth’ approach 

Taking the current climate into consideration, the phishing campaigns targeting Microsoft users aren’t too surprising. However, they are a powerful reminder for all of us to step up our pace in ensuring our customers have the necessary tools and measures in place to stay protected. They stand as irrefutable evidence that cybercriminals are on the move and are continuing to launch attacks with speed and sophistication.  

It’s crucial to renew our efforts in improving our customers’ cyber resilience, because if we don’t, the consequences of phishing campaigns like these could be severe. As a cybersecurity expert leading a company that has defended businesses against malicious email threats since 2001, I know the risks and have seen the devastation first-hand. Email is a critical tool and arguably the most important means of communication for many businesses, making it imperative for companies to implement the right email security solutions and behaviours to protect their inboxes.

A multi-layered approach is fundamental to ensure our customers’ cybersecurity is up to scratch. We know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk. For example, using a cloud email security solution like MailGuard to complement Microsoft 365.   

Ann Johnson, Microsoft’s Corporate Vice President, Cybersecurity Solutions Group, summarises what organisations need to do today in order to protect themselves in this period of heightened cyber risk: “To maintain cyber resilience, one should be regularly evaluating their risk threshold and an organisation’s ability to operationally execute the processes through a combination of human efforts and technology products and services.”  

Phishing campaigns like these can be devastating, and they will unfortunately continue to make headlines. As trusted advisors, it's crucial that we help businesses build out effective cybersecurity strategies and that we don’t let the lessons learnt from these attacks go to waste. At a time when so much is fragile and in the balance, the last thing any business needs is a breach.

Talk to us

MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993

We’re on Facebook, Twitter and LinkedIn.