The majority of all phishing attacks are of the credential harvesting variety. 

Credential harvesting works by hackers trying to find a way to get a victim to divulge personal information. This can be email accounts, bank accounts, Social Security numbers or credit card information. 

Oftentimes, attackers will impersonate a trusted brand or person. That trust gives implicit permission to end-users to hand over their credentials to a spoofed login page.

In 2019, according to Avanan research, credential harvesting attacks made up 40.9% of all phishing. In 2021, that number reached 54%.

Starting in November 2021, Avanan observed a new credential harvesting attack that spoofs a message from Microsoft claiming that some emails have been blocked. In this attack brief, Avanan will analyze the company’s most recent discovery of a new credential harvesting attack.  


In this attack, hackers are utilizing social engineering and impersonation to bypass email scanners and induce the end-user to hand over credentials. 

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Social Engineering, Impersonation
  • Target: Any end-user



In this attack, hackers present a spoofed page that looks like it comes from Microsoft. The message uses spoofed logos of both Microsoft and Office 365 to fool the user.

Email Example #1

In this email, hackers present what looks like a message from Microsoft, telling the end-user that some messages have been blocked. With just a quick click, those messages can be unlocked:

This email purports to be a notification helping to unlock messages. 

When clicking on the link, it leads to this page that now has a 404 error:


In this email attack, hackers have used impersonation to fool scanners and end-users.

In particular, they have spoofed Microsoft. According to Check Point Research, Microsoft is the most spoofed brand in the world, related to 29% of all phishing attacks globally. 

Additionally, the URL spoofs SendGrid. SendGrid is an Email Delivery Service. Companies rely on these providers to deliver business emails--like sales and marketing notes-- to audiences. Since marketing and sales emails often get caught by filters, EDS solutions lend credibility to get into the inbox. 

Credibility can come in the form of a high domain history, valid SPF/DKIM checks and more. We've seen attacks take advantage of that credibility, such as in the PhishGun attack.

In this case, that credibility is lacking. 

Our analysis found a failed SPF check, missing DMARC, and an insignificant historical reputation. 

Best Practices: Guidance and Recommendations

In order to guard against these attacks, security professionals can do the following:

  • Rely on basic phishing awareness hygiene, such as looking for spelling and grammar errors. In this email, there are plenty of both
  • Ensure that links match where the email says they are going
  • Always ask the IT department before resetting any passwords

Subscribe to Our Attack Briefs for More Research