Peer Security


Over the past year, as technology continues to evolve alongside advances in AI and the launch of new cloud features by major vendors, threat actors have been relentlessly seeking more effective social-engineering techniques. Their objective remains the same: to exploit human behavior to steal usernames, passwords, payment information, and other sensitive personal data.

A notable trend we are now observing is a shift away from the traditional phishing infrastructure that relied on suspicious domains or obviously fraudulent websites. Instead, threat actors have begun leveraging legitimate features provided by trusted platforms, particularly within Microsoft’s cloud functionalities. By abusing built-in capabilities in services like Microsoft Dynamics 365, threat actors can create fully functional login pages that appear legitimate, inherit Microsoft’s domain reputation, and seamlessly bypass many email security and URL filtering controls.

This new class of attacks blends legitimacy with deception, making it significantly harder for both users and security products to distinguish between real and malicious authentication pages. It highlights an important reality: the threat landscape is no longer defined only by malicious infrastructure, but by the creative misuse of legitimate enterprise tools.


Diagram of the Attack

Understanding Microsoft Dynamics 365

Microsoft Dynamics 365 enables organizations to quickly publish customer-facing websites, authentication pages, service forms, and self-service portals directly from their Microsoft cloud environment. Because the platform is legitimate, any page created within it automatically inherits the trust, branding, and domain reputation associated with Microsoft services.

This built-in flexibility is exactly what makes the platform attractive to threat actors. With access to a compromised cloud account or by abusing permissive portal configurations, threat actors can create or modify portal pages to resemble official Microsoft or corporate login screens. These pages are served under URLs that appear legitimate, often using Microsoft-owned domains, and therefore raise little suspicion among users. More importantly, security tools that rely on URL reputation or domain categorization are far less likely to flag such pages as malicious, since the hosting environment is fully legitimate.


Campaign Execution

During a recent incident response we conducted for one of our clients, we discovered that the threat actor did not rely solely on Microsoft Dynamics 365 functionality for the phishing infrastructure; the actor also sent the lure from a legitimate third-party domain, turning the operation into a supply chain attack.

Before the threat actor ever reached our client, they had already compromised another legitimate organization and gained access to one of its mailbox accounts. Using that legitimate, trusted email address, the threat actor initiated communication with our client, making the message appear authentic, familiar, and safe. Because the email originated from a legitimate organization and passed through a legitimate mailbox, it raised no immediate suspicion and easily evaded most email security products.

To increase the likelihood that the victim would click the link, the threat actor crafted an email expressing interest in the company’s services and requesting a quote for potential collaboration. The message appeared entirely legitimate and aligned with common business communication.

Once the victim clicked the link and saw that it pointed to a legitimate Microsoft domain that their email security product had neither flagged nor blocked, they trusted it and proceeded. The link redirected them to what appeared to be a standard Microsoft 365 login page. Believing the page was genuine, the victim entered their Microsoft 365 credentials, which were captured and transmitted to the threat actor.



Impact of the Phishing Campaign


In social engineering, the primary goal of a threat actor is to steal sensitive information from the target, such as credentials, credit card numbers, and bank account details.

When a threat actor obtains sensitive information such as Microsoft 365 credentials, they can gain unauthorized access to the account and to the information and files it contains.

Mitigations

  • Make sure that MFA is enforced for every user in Microsoft 365.
  • Enable the Safe Links/Safe Attachments functionalities in your Email security product.
  • Run an ongoing awareness program focused on phishing and BEC for executives, finance, IT, etc., including phishing simulations.
  • Check every link and attachment in email messages, from known senders as well as unknown ones.
  • Make sure that your Email security product has a Sandbox engine to analyze suspicious URLs and attachments.
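As an added illustration (not code from the original article or from any vendor product) of why domain reputation alone fails in the Dynamics 365 scenario and where the sandbox step above fits: a small triage routine that treats a link to a tenant-controlled page under a Microsoft-owned portal domain as untrusted even though the parent domain is legitimate. The portal parent domains, the sign-in keywords and the sample message are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Assumption (not from the article): parent domains under which any Dynamics 365 /
# Power Apps tenant can publish its own portal pages. The registrable domain is
# Microsoft's, so domain-reputation checks pass; the leading label is tenant-chosen.
TENANT_HOSTED_SUFFIXES = ("powerappsportals.com", "microsoftcrmportals.com")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
LOGIN_HINT_RE = re.compile(r"sign-?in|log-?in|verify|password|office365|o365", re.I)

def tenant_label(host):
    """Tenant-chosen label if host is a tenant-hosted portal, else None."""
    host = host.lower()
    for suffix in TENANT_HOSTED_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1]
    return None

def triage_links(sender, body):
    """Flag links to tenant-controlled pages on a trusted platform.

    Hits go to sandbox detonation; 'block' when the URL advertises a sign-in
    flow, since a real Microsoft 365 sign-in never comes from a tenant host."""
    sender_org = sender.split("@")[-1].split(".")[0].lower()
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        label = tenant_label(parsed.hostname or "")
        if label is None:
            continue  # not a tenant-hosted page; normal URL filtering applies
        login_hint = bool(LOGIN_HINT_RE.search(parsed.path + "?" + parsed.query))
        findings.append({
            "url": url,
            "tenant": label,
            "tenant_matches_sender": sender_org in label,
            "action": "block" if login_hint else "sandbox",
        })
    return findings

# Constructed sample modelled on the campaign: a quote request from a compromised
# partner mailbox linking to a portal page on a Microsoft-owned parent domain.
SAMPLE_SENDER = "procurement@partner-corp.example"
SAMPLE_BODY = (
    "Hello, we would like a quote for your services. The RFQ is here:\n"
    "https://vendor-docs-2291.powerappsportals.com/quote/signin?ref=2291\n"
    "Our site: https://www.partner-corp.example/about\n"
)
```

Run `triage_links(SAMPLE_SENDER, SAMPLE_BODY)` to see the portal link flagged for blocking while the partner's own website link passes through untouched.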