2026-04-06 – The attack with no attacker domain: how Microsoft’s own URLs are used to phish business access
Microsoft recently revealed a new threat vector in its Entra B2B guest invitation flow. An attacker sends an email from a seemingly legitimate Microsoft address, and the link in it directs recipients to Microsoft-owned URLs, with no custom domain and no spoofing involved. Because nothing in the message points at an attacker-controlled domain, this bypasses many common filtering rules and can trick users into granting access to sensitive corporate resources.
What We Know
According to /u/IndySecMan on Reddit (https://www.reddit.com/r/netsec/comments/1sdlisb/the_attack_with_no_attacker_domain_microsoft/) the attacker’s email is sent from a Microsoft domain, but the target clicks through Microsoft-owned URLs. No sender domain or filter evasion techniques are required.
Business Impact
- Unauthorized Access: A legitimate B2B guest invitation can be hijacked, granting attackers access to internal systems, data, and services.
- Data Leakage: Sensitive information could be exposed if the attacker gains entry into shared resources or user accounts.
- Regulatory Compliance: Non-compliance with data protection regulations (e.g., GDPR, HIPAA) can result in fines and reputational damage.
- Operational Disruption: Employees may inadvertently grant permissions that disrupt business processes, leading to downtime or costly remedial actions.
What To Do
- Enable Multi-Factor Authentication (MFA) for all B2B guest invitations. MFA adds an extra verification step that mitigates the risk of unauthorized access.
- Implement Email Filtering Rules: Verify sender domains and enforce strict URL checks, especially for Microsoft-owned links.
- Conduct User Awareness Training: Educate employees on recognizing phishing patterns—particularly those using legitimate-looking URLs and Microsoft domains.
- Audit B2B Guest Access Logs: Regularly review logs to detect anomalous invitations or unexpected access patterns.
- Deploy Red-Team Testing: Use tools like the point-and-click red team tool mentioned by /u/IndySecMan to simulate phishing scenarios and test defenses.
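As an added example of the "Audit B2B Guest Access Logs" step (this is illustrative code written for this post, not Microsoft's tooling or anything from the Reddit thread), the script below scans a small, constructed set of Entra-style audit log records and flags three kinds of anomalies: a guest invitation to a domain that is not on the organization's allowlist, an invitation created by someone outside the approved inviter group, and a redeemed invitation for which no invitation record exists in the export. The record layout (`activityDisplayName`, `initiatedBy`, `targetResources`) mirrors the Entra audit log JSON shape, but the field values, the policy sets and the domains are assumptions chosen for the example.

```python
"""Flag anomalous B2B guest invitations in an Entra-style audit log export.

Added example for this post (not Microsoft's or the article's code). The records
below are constructed to resemble Entra audit log JSON; the policy sets and the
domains are assumptions.
"""
import json

# Policy inputs (assumed for the example): who may invite guests, and which
# external domains the organization expects guests to come from.
APPROVED_INVITERS = {"it-admin@corp.example"}
ALLOWED_GUEST_DOMAINS = {"partner.example"}

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"activityDateTime": "2026-04-01T09:00:00Z", "activityDisplayName": "Invite external user", "initiatedBy": {"user": {"userPrincipalName": "it-admin@corp.example"}}, "targetResources": [{"userPrincipalName": "alice@partner.example"}]}
{"activityDateTime": "2026-04-01T09:30:00Z", "activityDisplayName": "Redeem external user invite", "initiatedBy": {"user": {"userPrincipalName": "alice_partner.example#EXT#@corp.example"}}, "targetResources": [{"userPrincipalName": "alice@partner.example"}]}
{"activityDateTime": "2026-04-02T14:12:00Z", "activityDisplayName": "Invite external user", "initiatedBy": {"user": {"userPrincipalName": "bob@corp.example"}}, "targetResources": [{"userPrincipalName": "ceo-assistant@unknown-host.example"}]}
{"activityDateTime": "2026-04-03T08:05:00Z", "activityDisplayName": "Redeem external user invite", "initiatedBy": {"user": {"userPrincipalName": "contractor_unlisted.example#EXT#@corp.example"}}, "targetResources": [{"userPrincipalName": "contractor@unlisted.example"}]}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _initiator(record):
    """Return the UPN of the account that performed the action (lower-cased)."""
    return record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower()


def _target_upn(record):
    """Return the first target user's UPN (the invited guest), lower-cased."""
    for target in record.get("targetResources", []):
        upn = target.get("userPrincipalName")
        if upn:
            return upn.lower()
    return ""


def find_anomalies(records):
    """Return (timestamp, finding, subject) tuples for suspicious guest events."""
    findings = []
    # First pass: collect every guest UPN the organization actually invited.
    invited = {_target_upn(r) for r in records
               if r.get("activityDisplayName") == "Invite external user"}
    # Second pass: evaluate each record against policy.
    for record in records:
        action = record.get("activityDisplayName")
        target = _target_upn(record)
        domain = target.rsplit("@", 1)[-1] if "@" in target else ""
        when = record.get("activityDateTime", "?")
        if action == "Invite external user":
            if domain not in ALLOWED_GUEST_DOMAINS:
                findings.append((when, "unlisted-guest-domain", target))
            if _initiator(record) not in APPROVED_INVITERS:
                findings.append((when, "unapproved-inviter", _initiator(record)))
        elif action == "Redeem external user invite":
            # A redemption with no matching invitation in the export deserves a look.
            if target not in invited:
                findings.append((when, "redeem-without-invite", target))
    return findings


if __name__ == "__main__":
    for when, kind, subject in find_anomalies(parse_records(SAMPLE_LOG)):
        print(f"{when}  {kind:<24} {subject}")
```

Run against a real export, the same three checks give a reviewer a short list to triage instead of the full invitation history; the allowlist and inviter group should come from the organization's own policy rather than the placeholder sets used here.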
The Bigger Picture
This attack highlights a growing trend of phishing leveraging trusted platform domains, which bypass traditional domain-based filters. Organizations should proactively monitor for such patterns and adapt their security controls accordingly.
How We Can Help
DefendMyBusiness partners with 400+ technology providers to help organizations secure their B2B guest processes. For a quick assessment, use our free security scan tool. Contact us at https://defendmybusiness.com/contact.
Sources