Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Home Cyber Attacks Native Phishing Emerges as a New Microsoft 365 Threat Vector
Cyber Attacks Data Leak Microsoft 365 Native Phishing User Privacy Varonis

Native Phishing Emerges as a New Microsoft 365 Threat Vector

By sharing malicious files through OneNote and OneDrive, attackers exploit built-in trust to trick employees into handing over sensitive credentials.
Wednesday, August 20, 2025

 

A recent cybersecurity threat report highlights a tactic known as "native phishing," where attackers exploit the trusted, built-in features of Microsoft 365 to launch attacks from within an organization. This method moves beyond traditional phishing emails with malicious attachments, instead leveraging the trust users have in their own company's systems. 

The core of native phishing is its subtlety and legitimacy. After compromising a single user's Microsoft 365 account, an attacker can use integrated apps like OneNote and OneDrive to share malicious content. Since these notifications come from a legitimate internal account and the links point to the organization’s own OneDrive, they bypass both security systems and the suspicions of trained users.

Modus operandi

Attackers have found Microsoft OneNote to be a particularly effective tool. While OneNote doesn't support macros, it is not subject to Microsoft's "Protected View," which typically warns users about potentially unsafe files. Its flexible formatting allows attackers to create deceptive layouts and embed malicious links . 

In a typical scenario, an attacker who has gained access to a user's credentials will create a OneNote file containing a malicious link within the user's personal OneDrive. They then use the built-in sharing feature to send a legitimate-looking Microsoft notification to hundreds of colleagues. The email, appearing to be from a trusted source, contains a secure link to the file hosted on the company's OneDrive, making it highly convincing. 

Victims who click the link are directed to a fake login page, often a near-perfect replica of their company's actual authentication portal. These phishing sites are frequently built using free, AI-powered, no-code website builders like Flazio, ClickFunnels, and JotForm, which allow attackers to quickly create and host convincing fake pages with minimal effort. This technique has shown an unusually high success rate compared to other phishing campaigns. 

Mitigation strategies 

To combat native phishing, organizations are advised to take several proactive steps: 

  • Enforce multi-factor authentication (MFA) and conditional access to reduce the risk of account takeovers. 
  • Conduct regular phishing simulations to build employee awareness.
  • Establish clear channels for employees to report suspicious activity easily. 
  • Review and tighten Microsoft 365 sharing settings to limit unnecessary exposure.
  • Set up alerts for unusual file-sharing behavior and monitor traffic to known no-code website builders.
Tags: Cyber Attacks Data Leak Microsoft 365 Native Phishing User Privacy Varonis
Share it:

Cyber Attacks

Data Leak

Microsoft 365

Native Phishing

User Privacy

Varonis