In the campaign observed by Varonis’ forensics experts, the attacker used PowerShell to send emails that were designed to resemble voicemail notifications which included a PDF attachment with a QR code that redirected users to a site designed to harvest M365 credentials.
Varonis’ researchers pointed out that the campaign works because no logins or credentials are required, the smart host accepts emails from any external source, the “from” address can be spoofed to any be internal user, and the only requirement is that the recipient is internal to the client organization.
Further, because it is routed through Microsoft infrastructure and seems to be coming from within the organization, the email bypasses traditional security controls, including Microsoft’s own filtering mechanisms which treat it as internal-to-internal, or third-party tools that flag suspicious messages based on authentication, routing patterns, or sender reputation.
