A Varonis blog post by author Tom Barnea, details how attackers are using a tactic called native phishing to bypass security defenses. The article explains that this method leverages trusted internal applications like Microsoft 365 and easy-to-use no-code platforms to deceive users and steal credentials with high success rates.
How native phishing works
Native phishing delivers malicious content using an organization’s own trusted systems, making it feel legitimate to the recipient. The attack begins after a threat actor compromises a single user’s Microsoft 365 credentials. Instead of sending an easily spotted fake email, the attacker uses the compromised account to carry out the attack from within the organization’s environment.
In real-world incidents observed by Varonis Threat Labs, attackers created a malicious OneNote file and saved it in the compromised user’s OneDrive. They then used the built-in OneDrive sharing feature to send a link to this file to hundreds of other employees. The resulting email notification was a legitimate, automated alert from Microsoft, appearing to come from a trusted colleague. This method avoids traditional email scanning for malicious attachments and bypasses human suspicion.
The OneNote application is an effective vehicle for this because it is not subject to Microsoft’s Protected View security feature, its flexible formatting allows for deceptive layouts, and it can embed malicious links. This shifts the attack from technical exploits to social engineering.
Why we might lose our only window into how AI thinks
The role of no-code platforms
Once a user clicks the link in the shared OneNote file, they are redirected to a fake login page that is nearly identical to their company’s real authentication portal. The research highlights that these convincing phishing sites are often built using free, AI-powered no-code platforms.
The report identifies the platform Flazio as the tool used to create a replica login page in one incident. Varonis has also observed attackers using other no-code services like ClickFunnels and JotForm to quickly build and host customized phishing pages with minimal effort or cost. These platforms allow attackers to easily create fraudulent but professional-looking pages designed to steal user credentials.
To defend against these tactics, Varonis provides several recommendations:
- Enforce MFA and conditional access for all users to reduce the risk of account takeover.
- Run regular phishing simulations to build awareness and test employee responses.
- Ensure internal channels for reporting suspicious activity are clear and accessible.
- Review and tighten Microsoft 365 sharing settings to limit unnecessary internal file exposure.
- Set alerts for unusual file sharing behavior and monitor traffic to known no-code site builders.
