ATTENTION: Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft!

Parkinsond

Dec 6, 2023
Attackers have found a new method to trick end users into logging in to a malicious login page, intercepting tokens, and infiltrating the tenant. What makes this particularly sneaky is that they are using Microsoft URLs.
The link they receive is http://forms.office.com followed by a value. Clicking that takes them to a strange URL with a PDF, for which they then have to log in with their M365 account. And that's where the real danger lies.
The URL ends in http://windows.net and is therefore considered valid. If you log in and the URL isn't http://login.microsoftonline.com, you can assume it's a bad one.
Block the endpoint *.blob.core.windows.net entirely, and only allow access to the specific storage account you trust, like: <storage-account-name>.blob.core.windows.net
Now that you're aware of this, please also set up company branding in your Microsoft 365 tenant! It helps users trust the sign-in page. When they see your logo and colors, they know it's safe. If they see a random portal, they'll think twice before entering their credentials!
Read more: https://learn.microsoft.com/en-us/entra/fundamentals/how-to-customize-branding

#Microsoft365 #EntraID #CloudSecurity #IdentityProtection

Thanks for sharing this, Parkinsond—it's a timely heads-up on a clever phishing tactic that's been making the rounds. I've seen similar reports popping up in security circles, and it's a good reminder of how attackers are abusing legitimate Microsoft infrastructure to bypass user suspicion.

For anyone reading: The key red flag here is that login prompt on a non-standard URL like something ending in windows.net (as shown in your screenshot). Legit Microsoft logins should always route through login.microsoftonline.com or similar trusted endpoints. Blocking wildcard access to *.blob.core.windows.net and whitelisting only your known storage accounts is solid advice—definitely worth implementing if you're managing an M365 tenant.

Also, customizing your tenant branding is a quick win for user education. It doesn't stop all attacks, but it trains folks to look for those familiar elements before entering creds. If you're an admin, check out that Microsoft doc you linked—it's straightforward to set up.

Stay vigilant, everyone! If you've encountered this in the wild, feel free to share more details (without sensitive info, of course). #Microsoft365 #PhishingAwareness
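Both posts above boil down to two checks an admin can automate: a Microsoft 365 sign-in prompt is only expected on login.microsoftonline.com, and *.blob.core.windows.net should be blocked except for the storage accounts you operate. The following is an added example written for this thread, not code from either poster or from Microsoft. The storage account name "contoso", the account "xk9f2a" and the sample links are constructed, and the allow/block rule format produced by build_blocklist_rules is a hypothetical generic one you would map onto your own proxy or firewall.

```python
"""Classify links the way the thread recommends (added example, constructed data)."""
from urllib.parse import urlparse

# Host where a genuine Microsoft 365 sign-in prompt is expected (the one
# endpoint named in the thread; extend the set if your tenant uses others).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}

# Wildcard the thread says to block; only named accounts are allowed through.
BLOB_SUFFIX = ".blob.core.windows.net"


def _hostname(url):
    """Return the normalised host of a URL, or '' if it cannot be parsed.

    urlparse().hostname drops userinfo and the port and lower-cases the host,
    so 'https://login.microsoftonline.com@evil.example/' yields 'evil.example'
    rather than the trusted host it is dressed up as.
    """
    try:
        host = urlparse(url).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def classify_url(url, trusted_storage_accounts):
    """Classify one link.

    Returns one of:
      'trusted-login'            host is an expected Microsoft sign-in host
      'allowed-storage'          a blob.core.windows.net account on your allowlist
      'block-untrusted-storage'  any other blob.core.windows.net account
      'other'                    everything else (neither trusted nor blocked here)
    """
    host = _hostname(url)
    if not host:
        return "other"
    # Exact match only: 'login.microsoftonline.com.evil.example' must not pass.
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted-login"
    if host.endswith(BLOB_SUFFIX):
        account = host[: -len(BLOB_SUFFIX)]
        if account in {a.lower() for a in trusted_storage_accounts}:
            return "allowed-storage"
        return "block-untrusted-storage"
    return "other"


def signin_prompt_is_suspicious(page_url):
    """True when a page asking for M365 credentials is not on a trusted login host."""
    return _hostname(page_url) not in TRUSTED_LOGIN_HOSTS


def build_blocklist_rules(trusted_storage_accounts):
    """Render the thread's advice as ordered allow-then-block rules.

    The rule shape (action + host pattern) is hypothetical; translate it into
    whatever your proxy or firewall actually accepts.
    """
    rules = [{"action": "allow", "host": f"{a.lower()}{BLOB_SUFFIX}"}
             for a in sorted(trusted_storage_accounts)]
    rules.append({"action": "block", "host": f"*{BLOB_SUFFIX}"})
    return rules


def triage(urls, trusted_storage_accounts):
    """Return the links that should be blocked, e.g. from proxy logs or a mailbox export."""
    return [u for u in urls
            if classify_url(u, trusted_storage_accounts) == "block-untrusted-storage"]


if __name__ == "__main__":
    # Constructed sample links; 'contoso' stands for a storage account you operate.
    trusted = {"contoso"}
    samples = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
        "https://contoso.blob.core.windows.net/reports/q4.pdf",
        "https://xk9f2a.blob.core.windows.net/docs/invoice.html",
        "https://login.microsoftonline.com@xk9f2a.blob.core.windows.net/",
    ]
    for u in samples:
        print(f"{classify_url(u, trusted):25} {u}")
    for rule in build_blocklist_rules(trusted):
        print(rule)
```

The login check deliberately uses an exact host match rather than a suffix match, and relies on the parsed hostname rather than the raw string, so look-alike hosts, userinfo tricks and explicit ports all fall through to the blob or "other" branches instead of being treated as Microsoft's sign-in page.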