TL;DR: Criminals are spinning up Azure Blob Storage static sites (e.g.,
*.z*.web.core.windows.net / *.blob.core.windows.net) that host look-alike Microsoft 365 pages. These pages steal credentials and MFA codes, then pivot into your tenant. Block fast: inspect URLs beyond the “Microsoft look,” restrict unknown Azure Storage hostnames, use Safe Links/Defender detonation, enforce phishing-resistant MFA, and monitor suspicious consent/OAuth token events.
Audience: US • EU • UK • AU • IN SOC/IR teams, M365 admins, IT helpdesks, and executive risk owners.
Why this works
- Trusted cloud domain halo: Many filters “allow”
*.windows.net/*.azureedge.nettraffic by default. - Static Website + SAS: Attackers enable static hosting and share via short-lived SAS links or custom subpaths that look corporate.
- Pixel-perfect UX: Brand-accurate HTML/CSS mimics Microsoft’s login; some flows proxy live
login.microsoftonline.comand steal session tokens (AiTM). - HTML smuggling: Email carries a benign HTML file that reconstructs the payload in the browser to bypass attachment scanning.
What you’ll see in the wild
- Sender themes: “document share,” “payment remittance,” “DLP quarantine,” or “new Teams voicemail.”
- Links like:
https://<random>.z13.web.core.windows.net/<brand>/index.htmlorhttps://<name>.blob.core.windows.net/<container>/signin/. - On submit: credentials posted to attacker C2 or reverse-proxied to harvest MFA cookies (Adversary-in-the-Middle).
Immediate protections (do these now)
- Turn on phishing-resistant MFA for admins and high-risk users (FIDO2 security keys / Windows Hello for Business). Avoid SMS/voice.
- Microsoft Defender for Office Safe Links: rewrite & detonate links, block click-time to unknown
*.web.core.windows.net/*.blob.core.windows.netwhen not owned by you. - Conditional Access: require compliant devices for risky sign-ins; block legacy protocols; enforce token binding / Continuous Access Evaluation.
- Disable “user consent” to apps and enable admin consent workflow; verify Publisher Verification for OAuth apps.
- Educate fast: teach users to expand the address bar fully—Microsoft login lives under
login.microsoftonline.comormicrosoft.comdomains only.
Blocklist / Allowlist strategy for Azure Storage
- Allowlist only your storage hostnames (e.g.,
myorg.blob.core.windows.net,myorg.z13.web.core.windows.net); default-deny all others at proxy/SWG. - Inspect referrers & destinations for
web.core.windows.netandblob.core.windows.netaccessed directly from email clicks. - Use TLS inspection on egress where permitted to extract full host & path for policy decisions.
Detection ideas (SOC playbook)
KQL – unusual Azure Storage hosts clicked from email
EmailEvents
| where Timestamp > ago(14d)
| where ThreatTypes has_any ("phish","credentialPhish","url")
| join kind=leftouter UrlClickEvents on NetworkMessageId
| where Url has_any ("web.core.windows.net","blob.core.windows.net")
| summarize clicks=count(), users=dcount(AccountUpn) by UrlDomain, bin(Timestamp, 1d)
| order by clicks desc
KQL – consent grant anomalies
AuditLogs | where OperationName == "Consent to application" | where ResultDescription !~ "Admin consented" | summarize grants=count(), users=dcount(InitiatedBy.user.userPrincipalName) by TargetResources[0].displayName, bin(TimeGenerated, 1d)Hunt: bursts of sign-ins from fresh IPs / impossible travel right after a click to suspicious Azure Storage hosts; Sign-in logs with non-compliant device + unfamiliar token key IDs.
Helpdesk response (when a user reports a page)
- Collect the full URL and browser HAR if possible; disable the user account temporarily and revoke refresh tokens.
- Reset password and enforce step-up MFA re-registration; inspect mailbox rules and OAuth grants.
- Search tenant for other clicks to the same hostname; purge the original email via Threat Explorer.
User coaching (60-second rule)
- Always check the domain in the address bar. If it’s not
login.microsoftonline.com, do not type your password. - Never approve MFA prompts you did not initiate. Prefer number matching or FIDO2 keys.
- Report suspicious pages using your company’s “Report Phish” add-in or forward to the SOC address.
Explore more on ThreatWire:
Subscribe to the CyberDudeBivash LinkedIn Newsletter →
Harden Microsoft 365 quickly (sponsored)
Kaspersky Endpoint Security
Stop token theft tools & rogue scripts; EDR coverage for Microsoft 365 endpoints.
Edureka
Short courses: Microsoft 365 Defender, KQL threat hunting, identity protection.
TurboVPN
Segregate risky browsing and restrict unknown cloud storage domains.
Disclosure: We may earn a commission if you buy via these links. This supports independent research.
Why trust CyberDudeBivash? We publish practical, vendor-agnostic guidance for defenders across US/EU/UK/AU/IN with playbooks that SOCs can run today—no fluff, just actions.
Microsoft 365 phishing, Azure Blob Storage static website, web.core.windows.net, blob.core.windows.net, adversary-in-the-middle, MFA token theft, Safe Links policy, Conditional Access, OAuth consent phishing, app governance, M365 Defender, KQL hunting, enterprise email security, US EU UK AU India.
#Microsoft365 #Phishing #Azure #BlobStorage #AiTM #IdentitySecurity #OAuth #Defender #SafeLinks #ConditionalAccess #SOC #ThreatHunting #CyberSecurity #US #EU #UK #Australia #India
Educational analysis. Implement changes in a test cohort before broad rollout; validate impact with staged phishing simulations and egress policy checks.