Administrators of Microsoft Office 365 are the main target of a large-scale phishing campaign. Its goal is to compromise entire domains and use them to deliver further phishing emails. The emails resemble Microsoft correspondence, with the Office 365 logo, "Services admin center" as the sender name and "Action Required" or "We placed a hold on your account" as subjects. The messages are also sent from validated, already compromised domains. All of this is designed to inspire trust, create urgency and evade email filtering solutions (which rely on the sender's domain reputation).
The phishing email asks targets to sign in to their Office 365 account to update their payment information. Victims are then sent to a fake Microsoft login page that asks them to sign in with their email or phone. For now, the attackers are using the compromised Office 365 admin accounts to spread their phishing campaign, but the accounts could also be abused for other malicious activity, such as retrieving user emails, taking over other email accounts on the domain, or further compromising systems within the organization.
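As an added example (not part of the original article), here is a small Python triage function that checks a raw message for the indicators the article describes: a Microsoft-like display name on a non-Microsoft sending domain, the campaign's subject lines, and a Microsoft-branded login link hosted outside Microsoft's own domains. The sample message, the allowlist of legitimate domains and the lookalike hostname are constructed assumptions for illustration.

```python
import email
import re
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message mimicking the campaign described above (not a real capture).
SAMPLE_PHISH = """\
From: "Services admin center" <billing@compromised-partner.example>
To: admin@victim.example
Subject: Action Required
Content-Type: text/plain

Your Office 365 payment information is out of date.
Sign in to update it: http://login.microsoft-online-secure.example/common/oauth2
"""

# Constructed benign message for comparison (also not a real capture).
SAMPLE_LEGIT = """\
From: "Microsoft" <noreply@microsoft.com>
Subject: Your monthly summary
Content-Type: text/plain

Sign in at https://login.microsoftonline.com/ to review your tenant.
"""

# Indicators taken from the campaign description.
SUSPICIOUS_DISPLAY_NAMES = re.compile(r"services admin center|microsoft|office 365", re.I)
SUSPICIOUS_SUBJECTS = re.compile(r"action required|we placed a hold on your account", re.I)
# Assumed allowlist of legitimate Microsoft sender / login domains (illustrative, not exhaustive).
LEGIT_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
URL_RE = re.compile(r"https?://\S+")

def is_legit_domain(host: str) -> bool:
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def score_message(raw: str) -> list[str]:
    """Return the list of campaign indicators matched by a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=default)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    # A Microsoft-like display name on a non-Microsoft sending domain is the core lure.
    if SUSPICIOUS_DISPLAY_NAMES.search(display_name) and not is_legit_domain(sender_domain):
        findings.append(f"display-name impersonation: '{display_name}' from {sender_domain}")
    if SUSPICIOUS_SUBJECTS.search(msg.get("Subject", "")):
        findings.append(f"campaign subject: '{msg['Subject']}'")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        # A Microsoft-branded login link hosted outside Microsoft's domains is the fake login page.
        if "microsoft" in host and not is_legit_domain(host):
            findings.append(f"lookalike login host: {host}")
    return findings
```

The allowlist approach is deliberately strict: a message that mentions Microsoft but comes from, and links to, allowlisted domains produces no findings, while each of the three lures produces its own entry so an analyst can see which one fired.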