Recently there have been many phishing attacks against Office 365 accounts (and Microsoft 365 in general). This interesting post describes the attack.
To prevent this type of attack, it is highly recommended to enable two-step verification, also called two-factor or multi-factor authentication (MFA). In this article we explain how to enable this protection in Office 365.
Phishing is an impersonation attack: the attacker tricks the user into handing over personal information (credit card numbers, passwords, etc.) by sending fraudulent emails or by directing the user to a fake website that looks authentic.
In the attacks on Office 365 accounts reported lately, the emails have a format that looks suspicious, so they are quite easy to detect, even when they were not classified as spam:
But the page they redirect to looks very much like Microsoft’s:
Actually, the URL itself looks legitimate: or .
Hence it is quite easy for a user to fall into the trap.
Help, we have been attacked!
If you have suffered a phishing attack, you first have to stop the attack and then analyze its impact.
- The first thing to do is change the passwords of all users in your Office 365 tenant. From that moment on, the attackers can no longer access your platform with the stolen credentials.
- Once the passwords have been updated, enable two-step verification as explained below, to prevent future attacks.
- Then analyze the impact of the attack from the Microsoft 365 Security & Compliance Center:
  - identify compromised accounts by analyzing the Office 365 sign-in logs in the Azure Active Directory administration portal.
  - identify the types of access these accounts have made, to detect possible information theft from OneDrive or SharePoint Online.
  - identify the files uploaded by the compromised user, to detect possibly infected files that may trigger another type of attack in the future (viruses, ransomware, etc.).
  - keep a record of the emails sent by the compromised account, to identify malicious emails sent from it and notify their recipients.
  - identify the original phishing email that triggered the attack by searching for suspicious senders.
How to prevent this type of attack
1. Human aspect
As always, it is very important to make end users aware of the risk they take every time they open a suspicious email. Specifically, they should:
- Know how to identify the sender’s real email address, which fraudulent emails often hide.
- Check whether it is the first time they receive an email from this person.
- Verify that the email’s format and style match the company that supposedly sent it.
- Check whether the email contains several spelling mistakes or is written in an unusual way.
2. Double-factor authentication
If a user does not follow the recommendations above, it is easy to fall into the trap. So that the attack has no effect even then, you must enable two-step authentication.
Two-step authentication is a second verification that takes place after the user enters their password. In Office 365 it is done through one of the following methods:
- A text message sent to a mobile phone (SMS)
- A call to a phone
- A notification sent to the Microsoft Authenticator app (available for Android and iOS)
With this additional verification, even if a password is stolen, an attacker cannot access Office 365 without also having the user’s mobile phone.
How to enforce two-step verification in Office 365
This service is available at no additional cost for all Office 365 plans.
To enable it, open the Azure Active Directory portal from the Microsoft 365 admin center:
In Azure Active Directory, select Users and then Multi-Factor Authentication:
On the next screen, select all users and enable multi-factor authentication:
NOTE: The process to follow is different if Office 365 users are synchronized with Active Directory.
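The same "select all users and enable" step can be scripted for tenants with many accounts. The following is an added example, not code from the original article or from Microsoft; it assumes the legacy MSOnline PowerShell module is installed and that you sign in with a Global Administrator account. It skips users who are already Enabled or Enforced (so it never downgrades an Enforced user) and then reports who is still unprotected.

```powershell
# Added example (not from the original article): enable per-user MFA for every
# user in the tenant with the legacy MSOnline module, then report the result.
# Assumes the MSOnline module is installed and the account is a Global Administrator.
# Per-user MFA states are Disabled (no entry), Enabled (user must register a
# second factor) and Enforced (registration complete); this script sets "Enabled".
Import-Module MSOnline
Connect-MsolService   # interactive sign-in with an admin account

function Enable-PerUserMfaForAllUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # One requirement object, applied to every relying party ("*").
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = "Enabled"

    $changed = 0; $skipped = 0
    foreach ($user in Get-MsolUser -All) {
        $current = $user.StrongAuthenticationRequirements | Select-Object -First 1
        if ($null -ne $current -and $current.State -in @("Enabled", "Enforced")) {
            $skipped++   # already protected; do not downgrade Enforced to Enabled
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Enable per-user MFA")) {
            Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($req)
            $changed++
        }
    }
    [PSCustomObject]@{ Changed = $changed; AlreadyProtected = $skipped }
}

# Report the MFA state of every user so accounts still at "Disabled" stand out.
function Get-PerUserMfaReport {
    Get-MsolUser -All | ForEach-Object {
        $state = ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($state) { $state } else { "Disabled" }
        }
    }
}

Enable-PerUserMfaForAllUsers -WhatIf    # dry run: lists the users that would change
Enable-PerUserMfaForAllUsers            # apply the change
Get-PerUserMfaReport | Where-Object MfaState -eq "Disabled"
```

MSOnline is Microsoft's legacy module for per-user MFA; run the `-WhatIf` dry run first so you can review which accounts would change before anything is modified.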
For more information, do not hesitate to contact us: