A new global spear-phishing attack is underway targeting 200 million Microsoft Office 365 users around the world, particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom sectors, according to a new report from Ironscales.
The researchers said they spotted a well-organized phishing campaign two weeks ago that uses exact domain spoofing: rather than registering a look-alike domain, the attacker forges the sender address so that it carries the spoofed brand's real domain. This particular attack involves a realistic-looking email from the sender "Microsoft Outlook", attempting to compel potential victims to use a Microsoft Office 365 feature that allows "reclaiming emails that have been accidentally marked as phishing or spam messages."
Using "fear-inducing" language, the phishing email attempts to convince users to click on a malicious link provided in the message. The link purportedly takes users to a security portal where they can review and take action on "quarantined messages" captured by the Exchange Online Protection (EOP) filtering stack, but in reality it leads victims to a fake login page designed to capture their legitimate Office 365 credentials.
“Once the link is clicked, users are asked to input their legitimate O365 login credentials on a fake login page, mistakenly believing that they are providing their private information to Microsoft online. Unbeknown to them, attackers are harvesting these credentials (usernames and passwords), most often to illegally obtain proprietary or confidential information, enact financial fraud or to sell online,” the report said.
The researchers noted that Microsoft's receiving mail servers are not currently enforcing the DMARC policy for Microsoft's own domain, which means these exact domain spoofing messages are not being rejected by gateway controls such as Office 365 EOP and ATP. The distinction matters: a domain owner publishes its DMARC policy in DNS (a TXT record at _dmarc.<domain>), but the policy only has effect if the receiving server evaluates SPF and DKIM alignment against that record and acts on the requested disposition. Defenders can see what their own gateway decided by reading the Authentication-Results header on a suspect message.
“Any other email service that respects and enforces DMARC would have blocked such emails. It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure,” the researchers said.
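The receiver-side evaluation the researchers are describing, as an added example that is not code from the Ironscales report, from Microsoft, or from any mail gateway. It parses a DMARC record, applies SPF/DKIM identifier alignment as RFC 7489 specifies, and shows why an exact-domain spoof that fails alignment is only rejected when the receiving gateway honors the published policy. The `brand.example` and `attacker.example` domains, the DNS records and the authentication outcomes are constructed for illustration; `pct=` sampling is parsed but not modelled, and the organizational-domain helper is a simplification of the Public Suffix List lookup a real receiver performs.

```python
"""Receiver-side DMARC evaluation (RFC 7489), as an added example.

Not code from the Ironscales report or from Microsoft. The DNS records
and authentication results below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class DmarcPolicy:
    policy: str             # p=   none | quarantine | reject
    subdomain_policy: str   # sp=  defaults to p
    adkim: str              # DKIM alignment: r (relaxed) or s (strict)
    aspf: str               # SPF alignment:  r (relaxed) or s (strict)
    pct: int                # share of failing mail the policy applies to


def parse_dmarc(txt: str) -> DmarcPolicy:
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject'."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record (v= and p= are required)")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown p= value: {policy!r}")
    return DmarcPolicy(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
    )


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. A real receiver uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def lookup_policy(dns: Dict[str, str], from_domain: str) -> Tuple[Optional[DmarcPolicy], bool]:
    """Find the record for the RFC5322.From domain, falling back to the org domain.

    Returns (policy, is_subdomain); the flag selects sp= instead of p=.
    """
    from_domain = from_domain.lower()
    if from_domain in dns:
        return parse_dmarc(dns[from_domain]), False
    org = organizational_domain(from_domain)
    if org != from_domain and org in dns:
        return parse_dmarc(dns[org]), True
    return None, False


def evaluate(dns, from_domain, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (dmarc_result, requested_disposition) for one message.

    DMARC passes if SPF or DKIM passed *and* the passing identifier aligns
    with the From domain; otherwise the published policy is requested.
    """
    policy, is_sub = lookup_policy(dns, from_domain)
    if policy is None:
        return "none", "deliver"      # no DMARC record: nothing to enforce
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, policy.aspf)
    dkim_ok = any(aligned(from_domain, d, policy.adkim) for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    requested = policy.subdomain_policy if is_sub else policy.policy
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[requested]


def gateway_action(requested: str, honors_policy: bool) -> str:
    """The outcome is the receiver's decision: a gateway that does not
    enforce the sender's published policy delivers the spoof regardless."""
    return requested if honors_policy else "deliver"


# Constructed DNS: the brand domain publishes p=reject with a softer sp=.
DNS = {
    "brand.example": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@brand.example",
}

if __name__ == "__main__":
    # Exact-domain spoof: From brand.example, SPF passes only for the attacker's
    # own envelope domain, no DKIM. Alignment fails -> the record requests reject.
    result, requested = evaluate(DNS, "brand.example", spf_pass_domain="mailer.attacker.example")
    print(result, requested,
          gateway_action(requested, honors_policy=True),
          gateway_action(requested, honors_policy=False))
    # Legitimate mail: DKIM d=brand.example aligns with the From domain -> pass.
    print(evaluate(DNS, "brand.example", dkim_pass_domains=["brand.example"]))
    # Spoof of a subdomain with no record of its own falls back to sp=quarantine.
    print(evaluate(DNS, "alerts.brand.example", spf_pass_domain="attacker.example"))
```

The spoof case yields `fail`/`reject`, yet `gateway_action` returns `deliver` for a receiver that ignores the policy, which is the situation the report attributes to Microsoft's gateway. To inspect a live record, `dig +short TXT _dmarc.<domain>` returns the same text this parser consumes.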