
Microsoft 365 login theft campaign abusing office.com redirects

Campaign
Happening score (H score): 33
1 unique source, 1 article

Summary


A recent phishing campaign is abusing office.com and ADFS redirects to steal Microsoft 365 logins. Because the chain runs through trusted Microsoft infrastructure, it is more likely to bypass URL-based detection and MFA. The operation began with a malicious sponsored Google result for "Office 265" and sent targets through outlook.office.com to a phishing page. It also used conditional loading so that only selected victims saw the credential-harvesting site.

Related Happenings

Tycoon 2FA internal-domain phishing campaign abusing email routing

Campaign
First: 07.01.2026 11:42 Last: 07.01.2026 11:42 Sources 1

About this happening: An **active Tycoon 2FA phishing campaign** is abusing **misconfigured email routing** and weak **domain spoofing protections** to make messages look like they came from trusted in...

Microsoft 365 OAuth device code phishing campaign

Campaign
First: 19.12.2025 19:19 Last: 19.12.2025 19:19 Sources 1

About this happening: The **OAuth device code phishing** wave against **Microsoft 365 accounts** is expanding, raising the risk of account takeover across multiple sectors. Attackers are abusing Micros...

RaccoonO365 Microsoft 365 credential-harvesting phishing campaign

Campaign
First: 19.12.2025 12:26 Last: 19.12.2025 12:26 Sources 1

About this happening: The **RaccoonO365** phishing operation drove repeated **Microsoft 365** account compromises and created follow-on risk of **business email compromise** across **corporate, financi...

Latest development: 19.12.2025 21:05

The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) arrested three suspects linked to RaccoonO365, including Okitipi Samuel, also known as RaccoonO365 and Moses Felix, whom police believe developed the phishing platform used for Microsoft 365 credential theft. The operation used Microsoft intelligence shared via the FBI, and forensic analysis linked recovered laptops, mobile devices, and other digital equipment to the fraudulent scheme.

ToddyCat Outlook email and Microsoft 365 token theft activity

Malware Activity
First: 25.11.2025 13:36 Last: 25.11.2025 13:36 Sources 1

About this happening: ToddyCat expanded its **email-theft** tradecraft by using **TCSectorCopy** to copy **Outlook OST** files and harvest correspondence from target companies, increasing the risk that...

Sneaky2FA Microsoft 365 BitB phishing campaign

Campaign
First: 19.11.2025 23:59 Last: 19.11.2025 23:59 Sources 1

About this happening: The **Sneaky2FA** phishing operation has added **browser-in-the-browser (BitB)** lures on top of its existing **AitM** flow, making credential and session theft more convincing ag...

Timeline

  1. 20.08.2025 18:33 · 1 article

    Push Security discloses Microsoft 365 phishing chain using office.com and ADFS redirects

    Initial Disclosure

    Push Security disclosed a recent campaign that targeted several customers and redirected employees from a legitimate outlook.office.com link into a phishing page stealing Microsoft 365 logins. The chain began with a malicious sponsored Google result for "Office 265", passed through Microsoft office.com to bluegraintours[.]com, and used a custom Microsoft tenant with Active Directory Federation Services (ADFS) plus conditional loading to make the credential-harvesting page appear trusted and to bypass URL-based detection and multi-factor authentication.
