In the campaign observed by Varonis’ forensics specialists, the attacker used PowerShell to send emails designed to resemble voicemail notifications. Each included a PDF attachment with a QR code that redirected users to a website designed to harvest M365 credentials.
Varonis’ researchers found that the campaign works because no logins or credentials are required, the smart host accepts emails from any external source, the “from” address can be spoofed to be any internal user, and the only requirement is that the recipient is internal to the customer organization.
Further, because it is routed through Microsoft infrastructure and appears to come from within the organization, the email bypasses traditional security controls, including Microsoft’s own filtering mechanisms, which treat it as internal-to-internal, or third-party tools that flag suspicious messages based on authentication, routing patterns, or sender reputation.
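
A header triage a defender could run over exported messages for the pattern described above: sender and recipient both in the organization's domain, yet no passing DMARC verdict recorded. This is an added example, not Varonis’ code; the domain `example.com`, the sample messages, and the assumption that the receiving system stamps an `Authentication-Results` header (RFC 8601) are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def auth_verdicts(msg):
    """First spf/dkim/dmarc result found in Authentication-Results headers."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()):
            found.setdefault(method, result)
    return found

def classify(raw, org=ORG_DOMAIN):
    """Triage one raw message for the internal-to-internal spoofing pattern."""
    msg = message_from_string(raw)
    sender = _domain(parseaddr(msg.get("From", ""))[1])
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if sender != org or not any(_domain(a) == org for _, a in rcpts):
        return "not-internal"
    verdicts = auth_verdicts(msg)
    if not verdicts:
        return "no-verdict"      # nothing recorded: cannot decide from headers alone
    if verdicts.get("dmarc") == "pass":
        return "authenticated"
    return "suspect"             # claims an internal sender but did not authenticate

# Constructed sample messages (not taken from the campaign).
SPOOFED = (
    "From: Alice <alice@example.com>\nTo: bob@example.com\n"
    "Subject: New voicemail\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
    " dkim=none; dmarc=fail header.from=example.com\n\nSee attached PDF.\n"
)
LEGIT = (
    "From: Carol <carol@example.com>\nTo: bob@example.com\n"
    "Subject: Minutes\n"
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n\nHi.\n"
)
EXTERNAL = "From: dan@partner.test\nTo: bob@example.com\nSubject: Quote\n\nHello.\n"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)):
        print(name, classify(raw))
```

Messages labelled `suspect` are candidates for review, not confirmed phishing; `no-verdict` needs routing data from the mail platform's own logs.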