A sophisticated Phishing campaign targeting Microsoft 365 users is exploiting trusted infrastructure to bypass email security. Victims are tricked into calling fake support numbers, leading to the installation of stealer malware on their Windows machines. When email security fails, then more attacks reach the next typical line of defense, AV/EDR/XDR. Combine the social engineering with EDR/XDR weaknesses, any enterprise will wake up to a nightmare when these threat actors phish them. Unless, the enterprise deploys an additional layer of endpoint protection that does not employ any form of pattern-matching to detect malware. Instead, that layer employs controls-based protection that blocks what the malware needs to do despite it all.
This analysis examines an article from Forbes detailing a new Microsoft 365 attack that bypasses email security controls. Additional insights were drawn from a related Guardz blog post.
Attack Overview
The attack is a phishing campaign where threat actors gain control over multiple Microsoft 365 organization tenants to generate authentic-looking billing emails, leveraging the trusted infrastructure to bypass domain reputation analysis, DMARC enforcement, and anti-spoofing mechanisms. It mimics legitimate Microsoft transaction notifications, enhancing credibility and evading detection, and creates administrative accounts. The emails urge victims to call fraudulent support numbers, listed in the Guardz blog post. Victims, after calling, are tricked into downloading and running stealer malware, which aims to steal sensitive information like credentials and financial data.
Initial EDR/XDR Detection Challenges
XDR systems are designed to monitor endpoints and correlate data across environments. By entering endpoints via seemingly legit pathways, any malicious payloads entering target endpoints do so with less initial suspicion from the EDR/XDR.
| Challenge | Description |
| Legitimate Infrastructure | Emails pass through Microsoft’s servers, appearing trusted, evading domain reputation analysis. |
| Rapid Execution | Attack phases are quick, with EDR/XDR often reacting after initial compromise, as noted by EDR/XDR user posts. |
| Bypassing Authentication | Uses valid Microsoft authentication markers, making content filtering less effective. |
| Reactive Nature | Systems detect after attacks start, delaying alerts, as heard from EDR/XDR user frustrations with slow responses. |
Complicating EDR/XDR Challenges
EDR focuses on endpoint security, monitoring devices like laptops and servers for suspicious activities, while XDR extends this by integrating data from networks, clouds, and identities for a holistic view. Both are critical for modern cybersecurity, yet their effectiveness varies with attack sophistication.
| Challenge | Description |
| Evasion Techniques | Hackers must be voracious readers because there are mountains of online documents on EDR evasion techniques as well as attack kits. |
| Disable Endpoint Defenses | EDR killing tools are sold for as low as $300 via underground hacker forums, such as EDRKillShifter, AuKill, Terminator, and Killer Ultra. These terminate, blind defenses, destroy log files, etc. |
| Zero-Days | Some zero-day exploits need help to touch a vulnerable attack surface. The compromise of email security and the subsequent social engineering both increase exposure, which can deliver a zero-day payload that otherwise might not reach what it must. |
| Fileless and LoLA | A seemingly harmless file, sometimes called a “stub”, is merely the face-man to the rest of the band that plays fileless techniques and operating system utility (living off the land attacks) techniques known to evade EDR/XDR. |
| The User | Different enterprises and security tools provide users different discretion. The less provided to end-users, the less harm they can do. |
| The Analysts | Most EDR/XDR experts agree that an EDR/XDR is limited by how good the cyber analysts that use it. Some say, they’d rather have an average EDR/XDR with rock star analysts than a rock star EDR/XDR with average analysts. |
Detection-based Defenses vs Controls-based Defenses
One shouldn’t have to choose. Both add value. The essential point to be made here is that detection-based defenses strive to tell bad files or behaviors from the good ones. Controls-based defenses simply reduce the attack surface by not allowing as many different actions as practical. It’s important for any cybersecurity influencer to know why this is important.
Every malware attack consists of one or more malware techniques, each consisting of one or more malicious actions. A controls-based defense denies as many of these potentially malicious actions as is practical. Some legitimate and potentially malicious actions are indistinguishable. Hence, one ideally has both types of defenses to stop what the other misses, or stop something malicious sooner.
Both types of defenses can be susceptible to endpoint users with too much discretion. The administrator of a controls-based tool can effectively override what careless endpoints users with too much discretion might do. Obviously, these are limited to the policies implemented.
The next point influencers on cybersecurity decisions should know is that little endpoint user discretion is required to expose an EDR/XDR agent to catastrophic harm (eg, EDRKillShifter, AuKill, Terminator, Killer Ultra, etc.). A controls-based defense can literally protect the EDR/XDR agent or its dependent resources.
AppGuard is the Additional Layer of Protection Needed
AppGuard protects endpoints by restricting what can run and by restricting what the running can do. AppGuard can also restrict what the endpoint user can do. All that includes not allowing those potentially malicious actions that malware must do to be successful, which stops attacks that EDR/XDR misses entirely, detects too late, or cannot defend at all because it has been disabled/blinded.
- Launch Control:
- Prevents the launch or loading of untrustworthy files, particularly from high-risk folders, yet allows those digitally signed by trusted publishers.
- Restricts what endpoint users can install.
- Prohibits unnecessary but dangerous operating system utilities used in ‘living off the land’ attacks.
- Containment:
- Restricts the activities of high-risk applications and their descendant processes, limiting read and write operations on files, folders, registry keys/values, and the memory of other applications.
- For these malicious email campaigns, AppGuard typically contains Microsoft processes such as Outlook, Edge, other web browsers, Teams, and Office applications.
- Avoids endpoint users making cybersecurity decisions.
- Isolation:
- Protects critical system components from any computing process, even those not explicitly contained, acting as a final layer of defense.
- Enforces exclusive access to folders, files, and registry keys to select processes only, which can serve as the last line of defense against stealer malware should it somehow get past “Launch” and “Containment”.
- Avoids endpoint users making cybersecurity decisions.
Conclusion
AppGuard’s control-based approach is well-suited to defeat the described phishing attack and its upcoming variants that will take advantage of the increased exposure of endpoints from bypassing email security gateways. Simply by adding AppGuard to whatever is in an enterprise's cyber stack, AppGuard can stop what the detection defenses miss, stop them sooner, or even protect the detection layers from sophisticated attacks that blind or disable EDR/XDR tools during early stages.