Phishing Campaign Abuses Microsoft Azure Blob Storage for Credential Theft
October 30th, 2025
High
Our Cyber Threat Intelligence Unit is tracking an ongoing phishing campaign that exploits Microsoft Azure Blob Storage to host realistic credential harvesting pages impersonating legitimate Microsoft login portals (e.g., Office 365 sign-in). Attackers place simple HTML phishing pages and benign decoys in publicly readable blob containers under the *.blob.core.windows.net domain. This infrastructure is often considered trustworthy by browsers and security tools because it is Microsoft-owned and served over valid TLS. By delivering phishing content directly from these domains, adversaries can effectively bypass URL and certificate-based detections, increasing the likelihood of tenant credential and token theft.
Technical Details
Attack Type: Credential harvesting / tenant compromise.
Severity: High
Delivery Method: Phishing emails or malicious links redirect victims to malicious HTML pages stored in public Azure Blob Storage (*.blob.core.windows.net). Typical lures use Forms, document-sharing, or corporate branding themes.
Attack Chain:
The user receives a phishing email or link chain (e.g., forms.office.com → redirect → blob.core.windows.net).
The blob-hosted page impersonates a legitimate Microsoft login page, capturing credentials or intercepting tokens.
The user is then redirected to a decoy document or form to reduce suspicion.
Because the page is hosted on Microsoft infrastructure with a valid TLS certificate, standard allowlists and certificate checks may fail to detect the threat.
Microsoft’s October 2025 Security Blog confirms the surge in Blob-hosted phishing activity and outlines new defender guidance targeting threats at the storage layer.

Impact
Compromised credentials or session tokens allow immediate access to Microsoft 365 services such as Outlook, Teams, OneDrive, or Entra ID administration.
Successful attacks facilitate privilege escalation and lateral movement within affected tenants.
Use of Microsoft infrastructure (valid TLS, blob.core.windows.net hostnames) reduces the effectiveness of URL/certificate filtering and results in higher phishing success rates.
Decoy content delays detection, which can lead to lateral movement, persistence, or account takeover before response teams are alerted.
Detection Method
Email and URL Analysis: Flag emails containing links that resolve to *.blob.core.windows.net or similar Microsoft storage endpoints not owned by your organization.
Redirect Chain Correlation: Identify paths originating from trusted domains (e.g., forms.office.com) leading to Blob endpoints.
Content Inspection: Detonate URLs in a secure sandbox to identify static HTML forms or credential POST endpoints.
Identity Telemetry: Monitor Entra ID / Azure AD logs for anomalous sign-in activity following Blob link clicks — e.g., unfamiliar IPs, impossible travel, or failed MFA followed by success.
Network Monitoring: Detect outbound connections or form submissions to known phishing collectors; apply DLP to flag credential exfiltration attempts.
Storage Configuration Audits: Regularly review Azure Storage accounts for publicly exposed containers or anonymous access changes.
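The Email and URL Analysis and Redirect Chain Correlation checks above, together with the approved-storage-account allowlist suggested under Recommendations, can be expressed as a small triage script. The following Python is an added example written for this advisory, not code from the campaign report or from Microsoft; the storage account names, the sample email body and the redirect chain are constructed, and the `APPROVED_STORAGE_ACCOUNTS` set is a placeholder for the accounts your organization actually owns.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder: storage accounts owned by the organization.
# Replace with the accounts from your own Azure subscription inventory.
APPROVED_STORAGE_ACCOUNTS = {"contosofinance", "contosohrdocs"}

# Trusted Microsoft domains that the campaign uses as the first hop of a
# redirect chain (the advisory cites forms.office.com).
TRUSTED_REDIRECT_ORIGINS = ("forms.office.com",)

BLOB_SUFFIX = ".blob.core.windows.net"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def blob_account(host):
    """Return the storage account name if host is an Azure Blob endpoint, else None.

    The account must be a single DNS label directly under blob.core.windows.net;
    look-alike hosts that merely contain the suffix are rejected.
    """
    host = (host or "").lower().rstrip(".")
    if not host.endswith(BLOB_SUFFIX):
        return None
    account = host[: -len(BLOB_SUFFIX)]
    if not account or "." in account:
        return None
    return account


def classify_url(url):
    """Classify a URL as not_blob, approved_blob or unapproved_blob."""
    account = blob_account(urlparse(url).hostname)
    if account is None:
        return "not_blob"
    if account in APPROVED_STORAGE_ACCOUNTS:
        return "approved_blob"
    return "unapproved_blob"


def flag_email_urls(body):
    """Return the URLs in an email body that point at blob endpoints we do not own."""
    return sorted({u for u in extract_urls(body) if classify_url(u) == "unapproved_blob"})


def redirect_chain_suspicious(chain):
    """True when a chain starts on a trusted Microsoft origin and lands on an unapproved blob."""
    if len(chain) < 2:
        return False
    first_host = (urlparse(chain[0]).hostname or "").lower()
    trusted_start = any(
        first_host == origin or first_host.endswith("." + origin)
        for origin in TRUSTED_REDIRECT_ORIGINS
    )
    return trusted_start and classify_url(chain[-1]) == "unapproved_blob"


# Constructed sample lure resembling the document-sharing theme in the advisory.
SAMPLE_EMAIL = (
    "A document has been shared with you. Review it here: "
    "https://forms.office.com/r/constructed123 or open the file directly at "
    "https://acme-docs7.blob.core.windows.net/share/login.html. "
    "Quarterly report: https://contosofinance.blob.core.windows.net/reports/q3.pdf"
)

# Constructed redirect chain of the shape described in the attack chain.
SAMPLE_CHAIN = [
    "https://forms.office.com/r/constructed123",
    "https://acme-docs7.blob.core.windows.net/share/login.html",
]

if __name__ == "__main__":
    print("Unapproved blob URLs:", flag_email_urls(SAMPLE_EMAIL))
    print("Suspicious redirect chain:", redirect_chain_suspicious(SAMPLE_CHAIN))
```

The account check deliberately refuses hosts such as `evil.blob.core.windows.net.attacker.example` and multi-label prefixes, so only genuine `<account>.blob.core.windows.net` endpoints are compared against the allowlist; anything else falls through to your normal URL reputation pipeline.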
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this Advisory.

Recommendations
Restrict Access:
Tightly restrict or proxy-inspect *.blob.core.windows.net traffic.
Only allow approved storage accounts (e.g., <your-storage-account>.blob.core.windows.net) to avoid disrupting legitimate workloads.
Identity Protection:
Enforce MFA and Conditional Access for all user and administrative sign-ins.
Block or challenge logins from unfamiliar devices, IPs, or geolocations.
Log Monitoring:
Continuously correlate Blob URL clicks with identity telemetry.
Revoke active sessions or refresh tokens associated with suspicious activity.
User Awareness: Train employees to recognize legitimate Microsoft login domains (login.microsoftonline.com, microsoft.com) and to verify tenant-specific branding on sign-in pages.
Tenant Hardening: Apply Microsoft’s published storage-layer security controls and configure custom branding in Microsoft 365 to help users visually distinguish authentic pages.
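The Identity Telemetry detection and the Log Monitoring recommendation both come down to the same join: a click on a blob URL followed, within a short window, by a sign-in that looks wrong for that user (unfamiliar IP, or a failed MFA prompt followed by a success). The Python below is an added illustration for this advisory, not Microsoft's or the reporting team's code; the click events, sign-in events, user baselines and the approved account name are all constructed, and the 60-minute window is an assumption to tune against your own data.

```python
from datetime import datetime, timedelta

# Assumed correlation window after a blob click; tune for your environment.
WINDOW = timedelta(minutes=60)

# Constructed placeholder for storage accounts the organization owns.
APPROVED_STORAGE_ACCOUNTS = {"contosofinance"}


def is_unapproved_blob(url):
    """Cheap host check: an Azure Blob endpoint whose account is not on the allowlist."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    suffix = ".blob.core.windows.net"
    return host.endswith(suffix) and host[: -len(suffix)] not in APPROVED_STORAGE_ACCOUNTS


def correlate_blob_clicks(clicks, signins, known_ips, window=WINDOW):
    """Return one alert per unapproved-blob click that is followed by anomalous sign-ins.

    clicks:    dicts with user, time (ISO 8601), url  (e.g. from email/proxy click logs)
    signins:   dicts with user, time, ip, result ("success"/"failure"), reason
    known_ips: mapping user -> set of IPs seen in that user's normal sign-in history
    """
    alerts = []
    for click in clicks:
        if not is_unapproved_blob(click["url"]):
            continue
        user, t0 = click["user"], datetime.fromisoformat(click["time"])
        later = sorted(
            (s for s in signins
             if s["user"] == user and t0 <= datetime.fromisoformat(s["time"]) <= t0 + window),
            key=lambda s: s["time"],
        )
        reasons, seen_mfa_failure = set(), False
        for s in later:
            if s["result"] == "failure" and s["reason"] == "mfa_denied":
                seen_mfa_failure = True
            elif s["result"] == "success":
                if s["ip"] not in known_ips.get(user, set()):
                    reasons.add("unfamiliar_ip")
                if seen_mfa_failure:
                    reasons.add("mfa_failure_then_success")
        if reasons:
            alerts.append({"user": user, "click_url": click["url"],
                           "click_time": click["time"], "reasons": sorted(reasons)})
    return alerts


# Constructed sample telemetry: alice clicks an unapproved blob page, then a
# sign-in from an IP she has never used fails MFA and then succeeds; bob only
# opens a file in an approved storage account.
CLICK_EVENTS = [
    {"user": "alice@contoso.example", "time": "2025-10-30T09:02:00",
     "url": "https://acme-docs7.blob.core.windows.net/share/login.html"},
    {"user": "bob@contoso.example", "time": "2025-10-30T09:10:00",
     "url": "https://contosofinance.blob.core.windows.net/reports/q3.pdf"},
]
SIGNIN_EVENTS = [
    {"user": "alice@contoso.example", "time": "2025-10-30T09:05:00",
     "ip": "198.51.100.23", "result": "failure", "reason": "mfa_denied"},
    {"user": "alice@contoso.example", "time": "2025-10-30T09:07:00",
     "ip": "198.51.100.23", "result": "success", "reason": ""},
    {"user": "bob@contoso.example", "time": "2025-10-30T09:12:00",
     "ip": "203.0.113.5", "result": "success", "reason": ""},
]
KNOWN_IPS = {
    "alice@contoso.example": {"203.0.113.5"},
    "bob@contoso.example": {"203.0.113.5"},
}

if __name__ == "__main__":
    for alert in correlate_blob_clicks(CLICK_EVENTS, SIGNIN_EVENTS, KNOWN_IPS):
        print(alert)
```

An alert carrying `mfa_failure_then_success` is the case where revoking the user's sessions and refresh tokens, as the Log Monitoring recommendation states, should be automated rather than left to a manual review queue.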
Conclusion
Adversaries are increasingly leveraging trusted cloud infrastructure to disguise phishing operations. The abuse of Azure Blob Storage highlights a growing trend: attackers using legitimate Microsoft services to bypass traditional URL filtering and SSL inspection. We urge organizations to treat unsolicited or unexpected blob.core.windows.net URLs with high suspicion, enforce MFA and Conditional Access, and correlate web click and identity telemetry to detect early signs of compromise. Following Microsoft’s storage-layer guidance and implementing restrictive Blob access policies can significantly reduce exposure.