New Phishing Campaign Exploits Microsoft Infrastructure to Bypass Security Checks


A new phishing campaign analysed by KnowBe4’s Threat Lab has revealed how threat actors are now exploiting Microsoft’s own infrastructure to deliver phishing emails that pass standard authentication checks. This campaign has raised serious concerns across the security industry, not just for its scale, but for the tactics used to bypass detection while maintaining full trust in the communication channel.

The campaign came to light when KnowBe4 observed a massive spike in phishing emails sent from microsoft-noreply@microsoft.com. On 3 March 2025 alone, more than 7,000 phishing emails were delivered within a span of just 30 minutes. These emails originated from legitimate Microsoft systems, passed SPF, DKIM, and DMARC checks, and were sent from domains that traditional security solutions are trained to trust. This use of genuine infrastructure presents a serious challenge to conventional email security.

How Did Attackers Exploit Microsoft’s Systems?

What makes this campaign particularly effective is that there is no spoofing involved. Instead, attackers are leveraging the way Microsoft structures its communication. They first created a Microsoft 365 tenant and, during setup, entered a carefully crafted social-engineering message as the organisation name. This name, stored in Microsoft’s backend, is automatically populated into Microsoft’s confirmation emails.

The attackers purchased Microsoft Defender for Office 365 (Plan 2) and used the resulting legitimate invoice as the core of the attack. The email contained correct order details, real links pointing to microsoft.com, and genuine metadata. The only malicious element was the organisation name, which read like a fraud alert. For example, “Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorise this transaction, please call [phone number] to request a refund.”

This content appeared within the “Account Information” section of the invoice, making it seem as though Microsoft had issued a charge without user consent. The natural reaction for many users would be to call the provided number. From there, the attacker could impersonate a Microsoft representative and request sensitive details such as banking information, email credentials, or remote access to the user’s device.

Why Was This Phishing Technique So Hard to Detect?

What makes this technique particularly dangerous is the absence of common phishing markers. The email contains no malicious links, no attachments, and no spoofed addresses. All visible elements pass security checks. The only clue lies in the language used and the presence of a phone number, which Microsoft typically does not provide in billing emails. Instead, Microsoft directs users to initiate support through its online portals. This discrepancy was a key indicator used by KnowBe4’s systems to flag the messages as suspicious.

To scale this operation, the attackers used Microsoft’s mail flow rules, which can automatically forward incoming emails to large groups. Each Microsoft 365 organisation is allowed to configure up to 300 such rules, with each capable of sending to more than 1,000 recipients. By forwarding the same legitimate confirmation email to thousands of users, the attackers maintained authenticity while achieving mass distribution.

KnowBe4’s analysis found that the attackers were targeting addresses ending with .onmicrosoft.com, which are normally used internally during Microsoft 365 setup. This allowed the threat to move silently through shared inboxes and distribution lists. Traditional email security solutions often fail to flag these messages because they rely heavily on authentication checks, which in this case, all pass.

The sophistication of this attack lies not in technical complexity, but in its intelligent use of legitimate systems. Rather than bypassing security controls, the campaign uses them to gain entry. The emails appear clean because they are clean, at least from a code and infrastructure standpoint. The only anomaly is in the message embedded within the organisation name.

This trend reflects a broader issue: attackers are no longer trying to forge trust from the outside. They are now operating within the trusted systems themselves. This makes user awareness and behavioural detection more important than ever. For example, recognising that Microsoft does not typically include phone numbers in its transactional emails is now a critical security insight.

This also highlights the need for advanced email threat detection that goes beyond surface-level analysis. AI-powered systems that understand behavioural patterns, linguistic anomalies, and context can help organisations detect these new types of threats. Examples include noticing the mismatch between the “to” address and the intended recipient domain, or identifying high-risk organisation names used in otherwise clean emails.
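The indicators named above and in the detection discussion earlier (a phone number in a transactional email where Microsoft would normally point to a portal, fraud-alert wording inside the organisation name, and a recipient outside the domain the invoice should have gone to) can be turned into a simple scoring rule that runs after authentication, rather than stopping at it. The following Python script is an added example, not KnowBe4’s or Microsoft’s code; the two sample messages, the simplified `Authentication-Results` header, the `Organisation:` line layout, the phone-number pattern, the phrase list and the placeholder phone number are all constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed indicator lists (assumptions for this example), derived from the clues
# the article names: a phone number where Microsoft would normally point to a portal,
# fraud-alert wording inside the organisation name, and recipients outside the domain
# the invoice should have been addressed to.
TRANSACTIONAL_SENDERS = {"microsoft-noreply@microsoft.com"}
PHONE_RE = re.compile(r"(?:\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
FRAUD_PHRASES = (
    "did not authorise", "did not authorize", "request a refund",
    "unauthorised transaction", "unauthorized transaction", "please call",
)
# Assumed layout of the organisation line in the "Account Information" section.
ORG_RE = re.compile(r"^\s*Organi[sz]ation(?: name)?:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def authentication_passed(msg: Message) -> bool:
    """True when the Authentication-Results header reports spf, dkim and dmarc as pass.
    The sample messages below use a simplified, constructed form of that header."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def org_name(body: str) -> str:
    """Return the organisation name quoted in the invoice body, or '' if absent."""
    m = ORG_RE.search(body)
    return m.group(1) if m else ""


def score_billing_email(raw: str, expected_domains: set) -> dict:
    """Score one RFC 822 message. Authentication is reported but never used as a reason
    to trust the message: in this campaign every check passes."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # plain-text samples; real mail needs msg.walk() over parts
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    rcpt_domain = recipient.rsplit("@", 1)[-1] if "@" in recipient else ""
    org = org_name(body)
    org_lc = org.lower()

    reasons = []
    if sender in TRANSACTIONAL_SENDERS and PHONE_RE.search(body):
        reasons.append("phone number in a transactional email")
    if any(phrase in org_lc for phrase in FRAUD_PHRASES):
        reasons.append("fraud-alert wording inside organisation name")
    if len(org) > 60 or org.count(".") >= 2:
        reasons.append("organisation name reads like a sentence")
    if rcpt_domain and rcpt_domain not in expected_domains:
        reasons.append(f"recipient domain {rcpt_domain} is not an expected tenant domain")

    return {
        "authenticated": authentication_passed(msg),
        "suspicious": bool(reasons),
        "reasons": reasons,
        "organisation": org,
    }


# Constructed sample messages (not real captures); the phone number is a placeholder.
SAMPLE_FRAUD = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: finance@contoso.onmicrosoft.com
Subject: Your Microsoft order confirmation
Authentication-Results: spf=pass; dkim=pass; dmarc=pass

Account Information
Organisation: Your subscription has been successfully purchased for 689.89 USD using your checking account. If you did not authorise this transaction, please call +1 555 010 0199 to request a refund.
Order total: 689.89 USD
"""

SAMPLE_LEGIT = """\
From: Microsoft <microsoft-noreply@microsoft.com>
To: finance@contoso.com
Subject: Your Microsoft order confirmation
Authentication-Results: spf=pass; dkim=pass; dmarc=pass

Account Information
Organisation: Contoso Ltd
Order total: 689.89 USD
Need help? Sign in to the Microsoft 365 admin center.
"""

if __name__ == "__main__":
    for label, raw in (("fraud-style invoice", SAMPLE_FRAUD), ("ordinary invoice", SAMPLE_LEGIT)):
        print(label, score_billing_email(raw, {"contoso.com"}))
```

Both samples authenticate cleanly, which is the point: the verdict comes entirely from content and context, so the rule belongs in a post-authentication stage of the mail pipeline (or a SIEM query over delivered mail), and the `expected_domains` set should list every domain the tenant actually uses so that forwarding into `.onmicrosoft.com` shared inboxes stands out as the article describes.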

How Can Organisations Respond Effectively?

Enterprises must now review how their email security layers operate. Relying solely on secure email gateways and domain-based filters is no longer sufficient. Human-layer risk detection, real-time behavioural analytics, and continuous user education are becoming essential components of a modern security framework. It is also vital to limit over-reliance on any one platform, especially for communications involving financial transactions or user credentials.

The KnowBe4 incident also underscores the evolving role of user awareness. Users are the final layer of defence, especially when technology fails to flag a well-disguised threat. If even one recipient had called the number in the email, their credentials or bank information could have been compromised. In many cases, such calls also help the attacker verify which email addresses are active and which devices are less protected.

Phishing attacks have grown beyond deceptive links and fake sender names. They now involve the use of real products, authentic systems, and legitimate communication patterns. This campaign shows that cybercriminals are willing to go as far as purchasing Microsoft services and using its features as delivery channels. The lines between legitimate operations and malicious behaviour are becoming increasingly blurred.

To respond effectively, organisations must move beyond traditional methods. This includes adopting layered defence models that bring together intelligent email filters, behavioural analytics, and regular phishing simulation training. Only by combining technology and user readiness can organisations stay ahead of such sophisticated campaigns.

Talk to iConnect today about our phishing protection service and take a proactive step towards securing your organisation against advanced threats.
