Living Off the Cloud: Threat Actors Exploiting .onmicrosoft.com

What is .onmicrosoft.com?

.onmicrosoft.com is the initial domain every Microsoft Entra ID tenant receives when it is created, which means every Microsoft 365 and Azure tenant has one. The name is chosen at sign-up (for example, tenantname.onmicrosoft.com), it works for mail and sign-in immediately, and it stays with the tenant even after a custom domain is added.

Attackers abuse this default behavior to operate from legitimate Microsoft infrastructure, which makes their activity harder to detect.


Core Abuse Techniques

1. Creating Malicious Tenants

Attackers create new tenants, often on free trials, and pick a tenant name that supports the lure. Each tenant immediately gets a working mail domain such as:

fakecompany.onmicrosoft.com

Because the domain and the outbound mail servers belong to Microsoft, messages from it carry Microsoft's sender reputation: they do not come from a newly registered domain or from a suspicious IP range, which are exactly the signals reputation-based filtering relies on.


2. Trust Bypass in Email Security

Emails sent from a .onmicrosoft.com tenant through Exchange Online:

  • Pass SPF, because Microsoft's outbound servers are authorized for the domain
  • Pass DKIM, because Exchange Online signs mail for the tenant's initial domain by default
  • Pass DMARC, because the From domain aligns with the SPF and DKIM domains

Authentication only proves that the message really came from that tenant; it says nothing about whether the tenant is honest. Filters that key on failed authentication, newly registered domains, or look-alike spellings therefore have nothing to act on, and the only sender-side signal left is the tenant name itself.


3. TOAD (Telephone-Oriented Attack Delivery)

Instead of including malware links or attachments, attackers:

  • Send legitimate-looking Microsoft invitations or notifications
  • Embed text urging the victim to call a phone number about a "security incident" or "unpaid invoice"
  • Use the phone call to conduct social engineering, credential theft, or remote-access scams (for example, talking the victim through installing a remote-support tool)

With no URL or attachment, link rewriting, URL reputation checks, and attachment sandboxing have nothing to inspect; the only lure is a phone number in plain text.


4. Microsoft Teams Phishing

Using Microsoft Teams, attackers:

  • Initiate chats or calls as external users
  • Impersonate IT support or administrators
  • Ask victims to approve access, reset passwords, or install tools

Teams external access (federation) is open to all external domains by default, so a user in any other tenant, including a throwaway one created an hour ago, can start a chat or call with your users. Teams marks such contacts as External, but users routinely overlook the label when the display name says IT Support.


5. Brand Impersonation

Attackers customize tenant display names and invitation text to look like:

  • Microsoft Security
  • Helpdesk
  • Cloud Admin Team

The underlying address is still name@tenant.onmicrosoft.com, but invitations and Teams chats show the display name prominently, and users rarely expand the sender details to check it.


Why This Works So Well

  • Legitimate infrastructure: The domain and mail servers are real Microsoft assets.
  • Low cost: Tenant creation is easy and inexpensive.
  • Built-in delivery: Microsoft systems send the emails on the attacker’s behalf.
  • Human trust: Users are conditioned to trust Microsoft-branded communications.

Common Attack Outcomes

  • Stolen Microsoft credentials
  • MFA fatigue or approval attacks
  • Remote access installation
  • Financial fraud or invoice redirection
  • Lateral movement inside cloud environments

Defensive Strategies (High-Level)

  • Treat mail from any .onmicrosoft.com tenant other than your own as external and untrusted: tag or quarantine it rather than blocking outright, since your own initial domain carries legitimate system mail and some small organizations send from theirs
  • Restrict Microsoft Teams external access to an allow list of partner domains instead of the default of all domains, and block or restrict chats from unmanaged (personal) Teams accounts
  • Alert on first-time .onmicrosoft.com sender domains, and on messages from them that carry a phone number but no link
  • Train users to distrust unsolicited "Microsoft" messages and calls, and to verify through a known-good channel rather than a number or chat supplied in the message
  • Monitor Entra ID audit logs and Teams logs for new guest invitations, external chat initiations, and consent or MFA approvals that follow them
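The sender-side check that sections 2 and 3 and the defensive list above describe, as an added example in Python; it is not code from the original article. It parses the Authentication-Results and From headers of constructed sample messages, confirms that the foreign tenant's mail passes SPF, DKIM, and DMARC, and then alerts on what is left: a .onmicrosoft.com domain that is not our own tenant (contoso.onmicrosoft.com is an assumed value), a sender domain never seen before, and a phone number with no link in the body. The message samples and their header values are made up for the example.

```python
"""Flag authenticated mail from foreign .onmicrosoft.com tenants.

Added example, not code from the original article. SAMPLES are constructed
messages and OWN_TENANT is an assumed value for the defender's own initial domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OWN_TENANT = "contoso.onmicrosoft.com"   # assumption: our own initial domain
ONMS_SUFFIX = ".onmicrosoft.com"
# A North American phone number, the usual shape of a TOAD call-back lure.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def sender_domain(msg):
    """Domain of the RFC 5322 From address, i.e. what the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def assess(raw, seen_domains):
    """Return verdicts and alert reasons for one message, then record its sender domain."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    auth = auth_results(msg)
    body = msg.get_payload()  # the samples are single-part text/plain
    reasons = []
    if any(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")):
        reasons.append("authentication failure")
    if domain.endswith(ONMS_SUFFIX) and domain != OWN_TENANT:
        # Authentication passed, so only the tenant name and the content are left.
        reasons.append("foreign onmicrosoft.com tenant")
        if domain not in seen_domains:
            reasons.append("first-time onmicrosoft.com sender")
        if PHONE_RE.search(body) and not URL_RE.search(body):
            reasons.append("callback number with no link (TOAD pattern)")
    seen_domains.add(domain)
    return {"domain": domain, "auth": auth, "reasons": reasons}

def run(samples):
    """Assess messages in delivery order, sharing one sender history."""
    seen = set()
    return [assess(raw, seen) for raw in samples]

# Constructed samples. Header lines sit at column 0 because an indented line
# would parse as a folded continuation of the previous header.
SAMPLES = [
# 1. Our own tenant's system mail: authenticated, and it is our initial domain.
"""From: Microsoft 365 <no-reply@contoso.onmicrosoft.com>
Subject: Your weekly digest
Authentication-Results: spf=pass (sender IP is 40.107.0.1) smtp.mailfrom=contoso.onmicrosoft.com; dkim=pass header.d=contoso.onmicrosoft.com; dmarc=pass action=none header.from=contoso.onmicrosoft.com

Your digest is ready: https://portal.office.com/
""",
# 2. Foreign tenant: every check passes, and the lure is a phone number.
"""From: Microsoft Security <alerts@ms-helpdesk-team.onmicrosoft.com>
Subject: Unusual sign-in detected
Authentication-Results: spf=pass (sender IP is 40.107.0.2) smtp.mailfrom=ms-helpdesk-team.onmicrosoft.com; dkim=pass header.d=ms-helpdesk-team.onmicrosoft.com; dmarc=pass action=none header.from=ms-helpdesk-team.onmicrosoft.com

We blocked a sign-in from a new device. If this was not you,
call the Microsoft Security desk now at +1 (800) 555-0142.
""",
# 3. The same foreign tenant again: still foreign, no longer first-time.
"""From: Microsoft Security <alerts@ms-helpdesk-team.onmicrosoft.com>
Subject: Reminder: unusual sign-in
Authentication-Results: spf=pass smtp.mailfrom=ms-helpdesk-team.onmicrosoft.com; dkim=pass header.d=ms-helpdesk-team.onmicrosoft.com; dmarc=pass action=none header.from=ms-helpdesk-team.onmicrosoft.com

Still waiting on your call: +1 (800) 555-0142.
""",
# 4. A look-alike domain on non-Microsoft infrastructure: authentication fails,
#    which is the signal existing filters already act on.
"""From: Microsoft Security <alerts@micros0ft-security.com>
Subject: Unusual sign-in detected
Authentication-Results: spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=micros0ft-security.com; dkim=none header.d=none; dmarc=fail action=quarantine header.from=micros0ft-security.com

Call +1 (800) 555-0142.
""",
]

if __name__ == "__main__":
    for r in run(SAMPLES):
        flag = "ALERT" if r["reasons"] else "ok   "
        print(flag, r["domain"], r["auth"], "; ".join(r["reasons"]))
```

Run as a script, the two messages from ms-helpdesk-team.onmicrosoft.com are flagged even though all three authentication results are pass, while the look-alike domain is caught by the ordinary authentication check. In production the seen_domains set would be a persistent store, and the tenant-name match is a tagging or quarantine signal rather than a block decision, for the reason given in the first defensive item.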

Key Takeaway

.onmicrosoft.com abuse is dangerous because it uses trusted cloud infrastructure as the attack platform. The emails, chats, and invitations are technically legitimate—only the intent is malicious.

This makes these attacks harder to block with traditional tools and more reliant on behavioral detection and user awareness.