{"id":7785,"date":"2025-10-19T10:03:28","date_gmt":"2025-10-19T10:03:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/19\/new-phishing-attack-leverages-azure-blob-storage-to-impersonate-microsoft\/"},"modified":"2025-10-19T10:03:28","modified_gmt":"2025-10-19T10:03:28","slug":"new-phishing-attack-leverages-azure-blob-storage-to-impersonate-microsoft","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/19\/new-phishing-attack-leverages-azure-blob-storage-to-impersonate-microsoft\/","title":{"rendered":"New Phishing Attack Leverages Azure Blob Storage to Impersonate Microsoft"},"content":{"rendered":"<p>    New Phishing Attack Leverages Azure Blob Storage to Impersonate Microsoft<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Threat actors are leveraging Microsoft Azure Blob Storage to craft highly convincing <a href=\"https:\/\/cybersecuritynews.com\/what-is-phishing-essential-advice-for-safeguarding-your-personal-data-online\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing sites<\/a> that mimic legitimate Office 365 login portals, putting Microsoft 365 users at severe risk of credential theft.<\/p>\n<p>This method exploits trusted Microsoft infrastructure, making the attacks harder to spot as the fraudulent pages appear secured by official SSL certificates issued by Microsoft itself.<\/p>\n<p>ALI TAJRAN recently highlighted a surge in these campaigns, with alerts circulating widely on October 17, 2025, urging immediate vigilance among enterprises and individuals.\u200b<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-the-attack-unfolds-step-by-step\"><strong>How the Attack Leverages Azure Blob<\/strong><\/h2>\n<p>The phishing scheme typically begins with deceptive emails that include links disguised as routine <a href=\"https:\/\/cybersecuritynews.com\/hackers-leverage-google-forms-surveys\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">Microsoft Forms surveys<\/a> or document shares, often starting with URLs like forms.office[.]com followed by a unique identifier.<\/p>\n<p>Victims who click these links are redirected to what seems like a harmless PDF download prompt, but this quickly escalates to a demand for Microsoft 365 credentials on a fake login page.<\/p>\n<p>The malicious URL terminates in windows.net, specifically utilizing subdomains under blob.core.windows.net, which hosts the phishing form as a simple HTML file stored in Azure\u2019s blob storage service.\u200b<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">ATTENTION: Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft!<\/p>\n<p>Attackers have found a new method to trick end users into logging in to a malicious login page, intercepting tokens, and infiltrating the tenant.<\/p>\n<p>What makes this particularly sneaky is that they are\u2026 <a href=\"https:\/\/t.co\/WFDUVYuxQD\">pic.twitter.com\/WFDUVYuxQD<\/a><\/p>\n<p>\u2014 ALI TAJRAN (@alitajran) <a href=\"https:\/\/twitter.com\/alitajran\/status\/1979166321704141011?ref_src=twsrc%5Etfw\">October 17, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>This storage solution, designed for unstructured data like images or documents, inadvertently provides phishers with a veil of legitimacy since browsers and <a href=\"https:\/\/cybersecuritynews.com\/best-endpoint-protection-solutions-for-msps-mssps\/\" target=\"_blank\" rel=\"noreferrer noopener\">endpoint protection tools<\/a> inherently trust Azure endpoints.<\/p>\n<p>Once users enter their email and password, the credentials are captured and sent to attacker-controlled servers, 
potentially granting access to sensitive email, files, and tenant resources.<\/p>\n<p>Attackers may then escalate privileges to intercept authentication tokens or infiltrate the entire organization. Historical reports from 2018 noted similar lures using themed PDF attachments pretending to be legal documents, a tactic that persists today with more sophisticated social engineering.\u200b<\/p>\n<p>To counter this threat, security experts recommend blocking all traffic to *.blob.core.windows.net endpoints in firewalls or web proxies, while whitelisting only specific, trusted storage accounts like &lt;your-storage-account&gt;.blob.core.windows.net.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiYUpVE2lxm1HwUQ0kU8bij52ZDl42ug2nFFYDC5H7oaW35Z1AR1gPW1x7i_0tAPcYSW75ByCzky2DFn5PNBQtvOSmex1rbF5fjRLJ8E_qHE5bHJZuksHhgIlbzPBDGysmJUuJyXbXa64CYxxWp19mYVMS00W6EHSTZ8Ydv4rI7V-3Bi-AxX5e_6oaK05vc\/s16000\/New%2520Phishing%2520Attack%2520Leverages%2520Azure%2520Blob%2520Storage.webp?ssl=1\" alt=\"\"><\/figure>\n<\/div>\n<p>This granular approach prevents broad access without disrupting legitimate Azure operations. 
Additionally, enabling <a href=\"https:\/\/cybersecuritynews.com\/tag\/multi-factor-authentication-mfa\/\" target=\"_blank\" rel=\"noreferrer noopener\">multi-factor authentication (MFA)<\/a> and monitoring for anomalous logins via Microsoft Entra ID can detect breaches early.<\/p>\n<p>A proactive step involves customizing company branding in your Microsoft 365 tenant, displaying your organization\u2019s logo, colors, and name on official sign-in pages to help users distinguish genuine portals from impostors.<\/p>\n<p>Without branding, a generic Microsoft login might blend seamlessly with phishing mimics, eroding user trust at critical moments. Resources from Microsoft guide administrators on implementing these customizations swiftly.<\/p>\n<p>This <a href=\"https:\/\/cybersecuritynews.com\/phishing-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing<\/a> variant underscores the dual-edged nature of cloud services: while Azure Blob Storage offers scalability and security for legitimate use, it becomes a weapon when abused by threat actors.<\/p>\n<p>Organizations should prioritize user education on scrutinizing URLs: legitimate Office 365 logins always direct to login.microsoftonline.com, not blob storage paths.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/phishing-attack-leverages-azure-blob-storage\/\">New Phishing Attack Leverages Azure Blob Storage to Impersonate Microsoft<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/phishing-attack-leverages-azure-blob-storage\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New Phishing Attack Leverages Azure Blob Storage to Impersonate Microsoft Threat actors are leveraging Microsoft Azure Blob Storage to craft highly convincing phishing sites that mimic legitimate Office 365 login portals, putting Microsoft 365 users at severe risk of credential theft. 
This method exploits trusted Microsoft infrastructure, making the attacks harder to spot as the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[701,129,63,124],"tags":[130],"class_list":["post-7785","post","type-post","status-publish","format-standard","hentry","category-cyber-attack","category-cyber-security","category-cyber-security-news","category-phishing","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7785"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7785"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7785\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}