Nothing says the bad guys are intent on stealing credentials like testing them while you participate in their phishing attack so they can verify the validity before letting you off the hook.
There are tons of stories where a fake log on to Office 365 is the punchline. But seldom do we see an attacker go the length to develop code that passes the compromised credentials over to Office 365 to check them out mid-attack.
According to the Threat Research Team at Armorblox, a new attack uses lots of well-known brands to aid in tricking users into giving up their Office 365 credentials. Using Amazon’s Simple Email Service to improve deliverability, the attack uses a payment remittance theme to get potential victims to click. A spoofed Office 365 logon page is offered up, but it’s one that passes any provided credentials to Azure Active Directory (AAD) behind the scenes, checks them and then either puts them back to the logon page (in the case of a failed logon) or over to a generic Zoom website page if validated.
The value of an Office 365 credential is pretty high for attackers; it can be used to commit brand and individual impersonation by taking over the compromised account, CEO fraud, business email compromise, infecting or scamming partner or customer organizations, and more.