Shiny new Azure login attracts shiny new phishing attacks

Admins working with Microsoft Azure beware: phishers are updating their assets to reflect changes on the company’s cloud-based login screen.

Microsoft announced the innocuous change to its Azure AD login screen on 26 February, rolling it out in the first week of April. The previous screen featured a login box against a full-frame photograph in the background. In the new version, Microsoft replaced the photograph with plain colours, reducing its size by 99%. That’ll save network bandwidth and reduce page loading times, said executives at the time. Even though users may cache static page assets locally, they’ll still reload them eventually, and every little helps.

Online ne’er-do-wells work quickly, though, and it didn’t take long for phishing scammers to catch on. The company said in a tweet that it had seen multiple sites using the new background in a bid to lure Azure AD users into giving up their account info:

Azure AD is the cloud-based version of the on-premises Active Directory system that holds user authentication and access privilege data. The cloud version is the single sign-on gateway to a range of online applications, including Microsoft’s own cloud services, along with third party apps. As such, it’s the holy grail for phishing scammers who could gain access to lots of enterprise accounts in the cloud if they mount a convincing attack.

In one case, a scammer sent an email informing people that a fake OneDrive document was waiting for them. Clicking the link took them to the new sign-in page, Microsoft’s security intelligence team said.

Microsoft’s cloud service isn’t just a popular trophy for phishers. They sometimes use it to host phishing material because Microsoft-owned domains are typically deemed trustworthy. One person explained the problem in a tweeted reply, and it looks like Microsoft was listening:

User education is one way to prevent phishing attacks, but a layered defence strategy reduces the likelihood of an employee falling victim to an attack. One extra measure you can take is to customize the branding on your tenant-specific Azure AD login screen, although a determined and targeted attacker could simply copy your design. Another protective mechanism is the use of multi-factor authentication (MFA) so that users can’t get in with a password alone.


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.