Blox Tales #4: Vendor Email Fraud + Office 365 Credential Phishing

Written by Abhishek Iyer

Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on an email that was sent from a compromised vendor account. This email included a PDF that seemed to contain invoice information. Accessing the PDF required the reader to input Office 365 credentials, leading them through pages on OneNote as well as multiple pages designed to resemble legitimate Microsoft webpages.

The Attack

A few days ago, we saw a unique credential phishing email attempt to land in a customer inbox. This email was sent from a compromised vendor account and claimed to contain important invoice information. The email included a link to view the invoice, taking readers to a legitimate OneDrive page that was used to host the final payload (a credential phishing page). The entire flow was painstakingly made to resemble real Microsoft webpages.

This attack was a variant of PerSwaysion, a recent spate of credential phishing attacks that utilize compromised accounts and leverage Microsoft file-sharing services to lull victims into a false sense of security.

An anonymized transcript of the initial email is given below:


Fig: Redacted copy of the initial email that came from a compromised third-party vendor account.

Why The Attack Got Through

This email got past existing Office 365 security controls because it didn’t follow the tenets of more traditional phishing attacks.

1. Sent from a legitimate (but compromised) email account

This email was sent from a legitimate vendor email account that the target organization had interacted with before. Hence, the sender domain would have been included in any approved vendor lists maintained by the target organization, allowing the email to bypass any mass blocklists and filters.

2. Leverages Microsoft OneNote

The attackers leveraged Microsoft OneNote to host the final phishing link in a bid to convince victims to hand over their credentials. In our busy lives where every second we spend looking at an email is a second we could be doing other things instead, seemingly small things like a legitimate OneNote page are vital in helping attacks pass the eye test. A redacted screenshot of the OneNote page is given below.


Fig: The OneNote page used to host the credential phishing link. This link pretended to be an invoice and requested readers to log into Office 365.

The attacker created a new domain for the link in this email attack, so it got past any EOP filters that were created to block known bad links. The link in the email led to multiple webpages that were painstakingly made to resemble legitimate Microsoft pages. Screenshots of both lookalike pages are given below:


Fig: The OneNote link first leads to this webpage designed to resemble a SharePoint page with legitimate branding and page UI.


Fig: Clicking the ‘View the document’ link on the previous screenshot leads users to another page designed to look like the Office 365 login portal.

Both these pages would pass most eye tests during busy mornings, with people happily assuming them to be legitimate Microsoft pages. A closer look at the domains reveals that these are lookalike pages. The master domain of both pages is ‘’, which is a close enough visual match to the real URL but clearly a fake site.

4. Socially engineered

Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email was sent from a compromised vendor account and included the vendor’s real name in the email title, aiming to induce a sense of familiarity within the recipient. The email starts off with a big green box announcing that a file was ready for the recipient’s review, acting as an effective call to action and increasing the likelihood that targets would click on the link asking them to review the PDF.

How Armorblox Detected The Attack

Armorblox was able to detect the email attack based on the following insights:

1. Language, intent, and tone

Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks).

2. Low communication history

Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the organization-specific model noted that the attacker’s domain had communicated with the target company as a whole, the mailbox-specific model was able to detect low communication history between the sender and the receiver. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
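The gap between the organization-level and mailbox-level view can be shown with a simple count-based stand-in. This is an added example, not Armorblox's model or code; the addresses, signal names, `min_pair` threshold and verdict labels are all constructed assumptions.

```python
from collections import Counter

# Constructed mail history: (sender, recipient) pairs from past inbound mail.
HISTORY = [
    ("ap@vendor.example", "billing@corp.example"),
    ("ap@vendor.example", "billing@corp.example"),
    ("ap@vendor.example", "billing@corp.example"),
    ("sales@vendor.example", "procurement@corp.example"),
    ("sales@vendor.example", "procurement@corp.example"),
    ("news@other.example", "jane@corp.example"),
]

def domain(addr):
    return addr.rsplit("@", 1)[1].lower()

def build_tiers(history):
    """Return (org-level counts per sender domain, mailbox-level counts per pair)."""
    org = Counter(domain(s) for s, _ in history)
    mailbox = Counter((s.lower(), r.lower()) for s, r in history)
    return org, mailbox

def assess(sender, recipient, other_signals, org, mailbox, min_pair=2):
    """Combine tiered history with other signals (hypothetical names).

    Low mailbox-level history is not a verdict on its own; it escalates
    only when it co-occurs with at least one other unusual signal.
    """
    known_to_org = org[domain(sender)] > 0
    pair_count = mailbox[(sender.lower(), recipient.lower())]
    low_pair = pair_count < min_pair
    if low_pair and other_signals:
        verdict = "quarantine"
    elif other_signals:
        verdict = "review"
    elif low_pair:
        verdict = "note"
    else:
        verdict = "deliver"
    return {"known_to_org": known_to_org, "pair_count": pair_count,
            "low_pair_history": low_pair, "verdict": verdict}
```

A vendor address that the organization knows well but that has never written to this particular mailbox comes back with `known_to_org` true and `pair_count` zero, which is the pattern a domain-level allowlist cannot see.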

Armorblox was able to follow the credential phishing link to its source and identify the unusual sequence of pages as well as the lookalike/disreputable domains.
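A sketch of how a recorded click chain like the one in this attack can be checked for hops that leave Microsoft-owned hosts while still presenting Microsoft branding. This is an added example, not Armorblox's code; the chain, the `lookalike.example` hosts, the per-page observation flags and the partial suffix list are constructed assumptions.

```python
from urllib.parse import urlsplit

# Microsoft-owned host suffixes relevant to this flow (partial list, assumption).
MS_SUFFIXES = ("onedrive.live.com", "sharepoint.com", "onenote.com",
               "login.microsoftonline.com", "office.com")

# Constructed click chain: (URL, shows Microsoft branding?, asks for password?)
CHAIN = [
    ("https://onedrive.live.com/view?id=CONSTRUCTED", True, False),
    ("https://sharepoint-docs.lookalike.example/invoice", True, False),
    ("https://login.lookalike.example/o365", True, True),
]

def is_ms_host(host):
    """Match on a dot boundary so 'sharepoint.com.lookalike.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)

def analyse_chain(chain):
    """Return (hop index, host, finding) for each suspicious observation."""
    findings = []
    prev_trusted = None
    for i, (url, ms_branding, wants_password) in enumerate(chain):
        host = urlsplit(url).hostname or ""
        trusted = is_ms_host(host)
        if ms_branding and not trusted:
            findings.append((i, host, "brand_host_mismatch"))
        if wants_password and not trusted:
            findings.append((i, host, "credential_form_off_brand"))
        if prev_trusted and not trusted:
            # A legitimate file-sharing page handing off to an unknown host.
            findings.append((i, host, "trusted_to_untrusted_hop"))
        prev_trusted = trusted
    return findings
```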

Based on the insights above, along with many other detection signals, Armorblox flagged the email as a social engineering threat. The email was automatically quarantined based on predetermined remediation actions for the social engineering detection category.

Stay tuned for more Blox Tales! If you’re interested in learning about Armorblox, you can schedule a demo with one of our email security experts.
