Within the marketing campaign noticed by Varonis’ forensics specialists, the attacker used PowerShell to ship emails that had been designed to resemble voicemail notifications which included a PDF attachment with a QR code that redirected customers to a web site designed to reap M365 credentials.
Varonis’ researchers identified that the marketing campaign works as a result of no logins or credentials are required, the good host accepts emails from any exterior supply, the “from” handle might be spoofed to any be inside consumer, and the one requirement is that the recipient is inside to the shopper group.
Additional, as a result of it’s routed by way of Microsoft infrastructure and appears to be coming from inside the group, the e-mail bypasses conventional security controls, together with Microsoft’s personal filtering mechanisms which deal with it as internal-to-internal, or third-party instruments that flag suspicious messages primarily based on authentication, routing patterns, or sender fame.
