Hackers employ "homegrown phishing" tactics in conjunction with M365 and artificial intelligence resources
In the digital age, cyber threats are constantly evolving, and one such evolution is the emergence of native phishing. This tactic, employed by attackers, aims to bypass security defenses by leveraging trusted internal applications like Microsoft 365.
The method begins after a threat actor compromises a single user's Microsoft 365 credentials. Attackers then create a malicious OneNote file and save it in the compromised user's OneDrive. They use the built-in OneDrive sharing feature to send a link to this file to hundreds of other employees, bypassing traditional email scanning for malicious attachments and evading human suspicion.
OneNote, due to its lack of Protected View security feature and flexible formatting, is an effective vehicle for native phishing. The resulting email notification appears as a legitimate, automated alert from Microsoft, seemingly coming from a trusted colleague.
Attackers can easily create fraudulent but professional-looking pages designed to steal user credentials using no-code platforms like Flazio, ClickFunnels, and JotForm. These platforms are often used by attackers to bypass traditional security defenses and shift the attack from technical exploits to social engineering.
The concept of native phishing to bypass security defense systems is further enhanced by autonomous AI agents combined with generative AI and API connections. These agents can perform complex attack chains, including phishing, autonomously. No-code platforms are often used to facilitate the manipulation and control of such AI agents, increasing the sophistication of native phishing attacks.
To combat this threat, it is crucial to set alerts for unusual file sharing behavior and monitor traffic to no-code site builders. Reviewing and tightening Microsoft 365 sharing settings can limit unnecessary internal file exposure. Enforcing multi-factor authentication (MFA) and conditional access for all users can reduce the risk of account takeover.
Regular phishing simulations can help build awareness and test employee responses. Clear and accessible internal channels for reporting suspicious activity are also important for defense against these tactics.
As native phishing continues to evolve, it is essential to stay vigilant and adapt our defenses accordingly. By understanding the strategies used by attackers, we can better protect ourselves and our organisations from this modern threat.
