Azure Spear Phishing - Abnormal Security

Azure Spear Phishing

In this attack, a marketing tool is used to deliver a spear phishing campaign.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Spear Phishing

What was the attack?

Setup: Utilizing mass email marketing campaigns to deliver phishing emails is one way that attackers try to retrieve unsuspecting employees credentials. In this attack, the email is sent using Microsoft Dynamics, a Customer Relationship Management (CRM) software tool that allows users to send email marketing campaigns. 

Email Attack: The email appears to come from noreply@customervoice.microsoft.com, however email authentication has failed. The first received header indicates the attack is hosted on nam.pb-dynmktg.com which is an Azure domain. The email simulates an automated notification with a download button to open a COVID-related screening questionnaire. However, this link redirects to a phishing page. 

Payload: Within the body is a hidden link appearing as a “Download now” button with a brief message “The file will be available for the next ten days. Click the button to download your file now.” But clicking on the download button leads to a site hosted on a Microsoft Azure submission form page “mfpuasfawus2.azurewebsites.net.” Although expired at the time of writing, we believe the landing page contained a form for the recipient to enter their email and password so that the attacker could gain access to the recipient’s account. 

Result: If recipients are not vigilant, they can fall prey to this tactic and give sensitive information to the attackers.

Why is this attack effective?


Urgency: The body text of this message uses COVID-19 and a time of expiration to create a sense of urgency for the recipient to take action. Since we’re still in the midst of the pandemic, and may be more likely to investigate and respond to the questionnaire.

Trusted Sender: As these emails originated from the legitimate Microsoft email address, and the body of the email contains a link to the real Azure domain, one could easily be misled into believing the email is benign. However, the redirect leads to a phishing page that the attacker controls.

Related content