article featured image


Office 365 users and admins should be on the lookout for a phishing email that has spoofed sender addresses as this is part of a new phishing attack.

As explained in our glossary spoofing is an attempt of an unauthorized person to gain access to a specific information system by impersonating an authorized user.

When it comes to email spoofing you might think that if the received email came from a trusted entity you can rely on it to be safe but, unfortunately, any links existing in the email may end up infecting you with malware.

Microsoft’s Security Intelligence team issued an alert after noticing the fact that an active campaign is targeting Office 365 organizations.

The M.O. used relies on convincing emails and a few other techniques that are used to bypass phishing detection, that include an Office 365 phishing page, a Google cloud web app hosting, and also a compromised SharePoint site that pushes victims to insert in their credentials.

An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.

The original sender addresses contain variations of the word “referral” and use various top-level domains, including the domain com[.]com, popularly used by phishing campaigns for spoofing and typo-squatting.


It’s concerning to see that phishing remains a tricky issue that businesses are still facing, therefore the existence of phishing awareness pieces of training is highly recommended both by CISA and Microsoft.

Phishing is an important component of BEC attacks, as it helps the attacker to hack into a corporate e-mail account and impersonate the owner of the account with ease.

BEC attacks cost Americans over $4.2 billion last year, according to the latest figures released by the FBI, in this way being more expensive than ransomware attacks.

Tactics Used by the Phishing Group

This specific group is using Microsoft SharePoint in its display name in order to tempt victims to click a link.

The luring email poses as a “file share” request to access some so-called “Staff Reports”, “Bonuses”, “Pricebooks”, and other content that is hosted in a supposed Excel spreadsheet.

Microsoft logos make everything look convincing by being shown across the email.

Phishing Attack


When looking at the main phishing URL the researchers noticed that it relies on a Google storage resource that sends the victim to the Google App Engine domain AppSpot.

The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page.


A second URL is embedded in the notifications settings and sends the victim to a compromised SharePoint site. It’s interesting to note that both URLs require sign-in to get to the final page, therefore allowing the attack to bypass sandboxes, and making this campaign to be considered “sneakier than usual” according to Microsoft.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.