Microsoft's Own Message Recall Agent Delivered a Credential Harvest
ID: a7065793-db4f-5ecd-8939-198431d956c9
STIX ID: report--a7065793-db4f-5ecd-8939-198431d956c9
Feed Name: IRONSCALES
**Executive summary:** A targeted credential-harvesting phishing message abused Microsoft's Transport Message Recall Routing Agent to appear as an internal 'Message Recall Report' (AuthAs=Internal, AuthMechanism=05, Direction=Originating) and instructed recipients to enter email/password via a legitimate outlook.office.com recall link; detection flagged it as high risk (Themis 72%) and four mailboxes were quarantined, and the report provides IoCs and MITRE mappings (T1534, T1078, T1566.002).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
