Please Don’t Hop on This Payment Lure

The NJCCIC observed a phishing campaign that uses legitimate Microsoft Entra ID tenant branding to deliver Telephone-Oriented Attack Delivery (TOAD) messages within Microsoft system notifications. This campaign involves a message claiming to include Microsoft email verification codes, sent from a legitimate Microsoft sender, msonlineservicesteam[@]microsoftonline[.]com, creating a sense of trust. TOAD attacks differ from most phishing attempts by trying to persuade their target to call, rather than including links or attachments in the initial email.

The message’s signature, which matches the subject line, carries the TOAD lure: it claims to confirm a recent payment and provides a phone number to call for help. Because the caller reaches the threat actor directly, the actor can socially engineer the target in real time into downloading and executing malicious software, sharing credentials, or granting remote access to their computer.
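The pattern described above (a genuine Microsoft verification notice whose branded subject and signature carry a payment claim plus a phone number) can be triaged mechanically. The following is an added example, not NJCCIC code or a Microsoft tool: the two sample messages are constructed, the phone-number and keyword patterns are assumptions a defender would tune for their own region and tenant, and the sender address is the one named in this advisory.

```python
"""Heuristic triage for TOAD lures delivered inside legitimate Microsoft
Entra ID notification mail. Added example; sample messages are constructed."""
import re

# Legitimate Microsoft notification sender named in the advisory.
MS_NOTIFICATION_SENDER = "msonlineservicesteam@microsoftonline.com"

# Assumed patterns: North-American-style phone number, billing vocabulary,
# and a call-to-action. Widen for other regions or languages as needed.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
PAYMENT_RE = re.compile(
    r"\b(payment|invoice|charged|billing|subscription|renewal|purchase)\b", re.I)
CALL_RE = re.compile(r"\b(call|contact|dial|reach)\b", re.I)


def triage(msg: dict) -> tuple[bool, list[str]]:
    """Return (flagged, reasons) for a parsed message with 'from', 'subject'
    and 'body' keys. A verification code on its own is normal; a phone
    number combined with payment language or a call-to-action is the lure."""
    reasons: list[str] = []
    body = msg["body"]
    subject = msg["subject"]
    text = f"{subject}\n{body}"

    if msg["from"].strip().lower() == MS_NOTIFICATION_SENDER:
        reasons.append("sent via legitimate Microsoft notification sender")

    phone = PHONE_RE.search(text)
    if phone:
        reasons.append(f"phone number present: {phone.group(0)}")
    payment_hit = PAYMENT_RE.search(text) is not None
    if payment_hit:
        reasons.append("payment/billing language")
    call_hit = CALL_RE.search(text) is not None
    if call_hit:
        reasons.append("instruction to call or contact a number")

    # The advisory notes the signature matches the subject: the tenant's
    # branded name is echoed in both places. Compare the last signature line.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and len(lines[-1]) > 15 and lines[-1].lower() in subject.lower():
        reasons.append("signature line repeated in subject (branded lure text)")

    flagged = phone is not None and (payment_hit or call_hit)
    return flagged, reasons


# Constructed samples. 555-01xx numbers and "Contoso" are fictional.
LURE_ORG = "Payment of $499.00 confirmed. Questions? Call +1 (800) 555-0199"
SAMPLE_LURE = {
    "from": MS_NOTIFICATION_SENDER,
    "subject": f"{LURE_ORG} account email verification code",
    "body": f"Hello,\n\nVerify your email address with this code: 482913.\n\n"
            f"Thanks,\n{LURE_ORG}",
}
SAMPLE_LEGIT = {
    "from": MS_NOTIFICATION_SENDER,
    "subject": "Contoso Ltd account email verification code",
    "body": "Hello,\n\nVerify your email address with this code: 715204.\n\n"
            "Thanks,\nContoso Ltd",
}

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        flagged, reasons = triage(sample)
        print(f"{name}: flagged={flagged}")
        for r in reasons:
            print(f"  - {r}")
```

The sender check is deliberately a reason rather than a trigger: the message really does come from Microsoft, so blocking on the address would discard legitimate verification codes. What separates the lure from a genuine notice is the billing claim and the number to call, which is why `flagged` keys on those alone.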

Recommendations

  • Facilitate user awareness training to include these types of phishing-based techniques.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
  • Ensure multi-factor authentication (MFA) is enabled for all online accounts.
  • If you suspect an account has been compromised, change the account’s password immediately and add a secondary authentication method.
  • Report other malicious cyber activity to the NJCCIC and the FBI’s IC3.