Answer Brief
Taiwan’s national CERT (TWCERT/CC) reports an active social-engineering campaign that combines legitimate Microsoft 365 email accounts, near-typosquat domains, and short-lived TLS (SSL) certificates to bypass email and web defenses. The activity includes two waves: (1) broad phishing emails themed as “Microsoft account abnormal sign-in activity” and (2) targeted spear-phishing that repeatedly sends “Microsoft one-time code” lures to create urgency before delivering an “abnormal sign-in” message. A notable tactic described by TWCERT is URL-pattern-based gating: victims whose request URL matches attacker-defined rules see a customized phishing page that harvests credentials, while non-matching visitors are redirected to the legitimate Microsoft login page, which reduces detection by scanners and increases credibility with users.

Why It Matters
This TWCERT/CC alert is a high-signal reminder that identity phishing is increasingly blending “legitimate-looking” infrastructure with selective delivery to defeat controls that rely on reputation, static URL indicators, or one-time scans.
Three elements described by TWCERT/CC are operationally important for global security teams:
1) Abuse of real cloud services for delivery: By renting Microsoft 365 services and sending from legitimate tenant accounts, attackers inherit the baseline trust associated with Microsoft’s email infrastructure: the messages leave Microsoft IP space and can pass SPF, DKIM and DMARC for the attacker’s own tenant domain. This raises the bar for filtering that weights sender infrastructure reputation. The caveat for defenders is that those authentication checks only confirm the mail came from the tenant that sent it, not that it came from Microsoft; display-name spoofing and lookalike sender domains still have to be caught by separate controls.
2) Lookalike domains + short-lived TLS (SSL) certificates: The advisory highlights registration of domains resembling official ones and obtaining short-term certificates for them. A padlock and a plausible hostname make the phishing site look trustworthy to users, and fast churn of domains and certificates shortens the useful life of blocklists and complicates takedown timelines. Two practitioner caveats apply. Certificate lifetime alone is a weak indicator, since free CAs such as Let’s Encrypt issue 90-day certificates to legitimate sites by default; the signal is a newly registered lookalike domain combined with a freshly issued certificate. And because publicly trusted certificates are recorded in Certificate Transparency logs, defenders can monitor CT for new certificates on lookalikes of their own brand and sign-in domains.
3) URL-pattern-based victim gating: TWCERT/CC describes a mechanism where the phishing server checks whether the incoming URL matches an attacker-defined pattern (for example, a selector embedded in the path or query string of the emailed link); matching visitors are served a customized page that captures the username and password, while everyone else is redirected to the legitimate Microsoft login page. This conditional content defeats scanners and responders that fetch a normalized or shortened form of the URL, or any URL other than the exact one that was emailed, because they see only a redirect to a real Microsoft page. It also keeps the lure plausible if a non-target investigates. The practical check is to retrieve the exact URL from the message, query string and all, and compare that response with what a stripped variant of the same URL returns.
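The following Python script is an added example, not code from TWCERT/CC or from the advisory, that triages a suspicious URL for the two tactics above: it scores the hostname against brand lookalikes by edit distance and brand-label reuse, and it probes for conditional content by fetching the exact URL and a selector-stripped variant and comparing the responses. The hostname micros0ft-login.example, the query parameter uid, the brand lists and the HTTP responses are all constructed for the demo; the fetch function is a stand-in for a real HTTP client so the script runs offline.

```python
"""Phishing-URL triage for lookalike domains and URL-pattern gating.
Added example; all hosts and responses below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit, urlunsplit

# Brand domains whose look-alikes we care about (assumption: tune per tenant).
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")
BRAND_LABELS = ("microsoft", "microsoftonline", "office365", "outlook")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit is the classic 'micros0ft' typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_brand_host(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def lookalike_reason(host: str) -> str | None:
    """Why `host` resembles a brand domain, or None. Only the second-level
    label and its hyphenated tokens are compared (assumption: no PSL)."""
    host = host.lower()
    if is_brand_host(host):
        return None
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    tokens = [sld, *sld.split("-")]
    for brand in BRAND_LABELS:
        if brand in host:
            return f"contains brand label '{brand}' on non-brand domain"
        for tok in tokens:
            d = levenshtein(tok, brand)
            if 0 < d <= 1 + len(brand) // 10:  # 1 edit for 'microsoft', 2 for longer labels
                return f"'{tok}' is {d} edit(s) from '{brand}'"
    return None


@dataclass
class Response:
    status: int
    body: str = ""
    location: str | None = None


def strip_selector(url: str) -> str:
    """The gating key usually rides in the query string or fragment; drop both."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def serves_credential_form(resp: Response) -> bool:
    return resp.status == 200 and 'type="password"' in resp.body.lower()


def redirects_to_brand(resp: Response) -> bool:
    if resp.status not in (301, 302, 303, 307, 308) or not resp.location:
        return False
    return is_brand_host(urlsplit(resp.location).hostname or "")


def classify_gating(url: str, fetch: Callable[[str], Response]) -> str:
    """Fetch the exact emailed URL and a selector-stripped variant. A site that
    shows a password form only with the selector present and bounces everyone
    else to the real Microsoft login is the gated pattern from the advisory."""
    full = fetch(url)
    bare = fetch(strip_selector(url))
    if serves_credential_form(full) and redirects_to_brand(bare):
        return "gated-phish"
    if serves_credential_form(full):
        return "credential-form"
    if redirects_to_brand(full) and redirects_to_brand(bare):
        return "redirect-only"  # what a scanner that normalizes the URL sees
    return "unknown"


# Constructed responses standing in for live HTTP fetches (offline demo).
PHISH_BASE = "https://micros0ft-login.example/signin"
FAKE_RESPONSES = {
    PHISH_BASE + "?uid=a1b2c3": Response(200, '<form><input type="password" name="passwd"></form>'),
    PHISH_BASE: Response(302, location="https://login.microsoftonline.com/"),
}


def fake_fetch(url: str) -> Response:
    return FAKE_RESPONSES.get(url, Response(404))


def triage(url: str, fetch: Callable[[str], Response] = fake_fetch) -> dict:
    host = urlsplit(url).hostname or ""
    return {"host": host, "lookalike": lookalike_reason(host), "gating": classify_gating(url, fetch)}


if __name__ == "__main__":
    print(triage(PHISH_BASE + "?uid=a1b2c3"))
```

The two fetches are the point: a sandbox that only visits the stripped URL reports "redirect-only" and clears the link, while the exact emailed URL yields "gated-phish". In production, replace fake_fetch with an HTTP client that does not follow redirects, and run the probe from an egress the attacker would not expect to allowlist.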
Why this Taiwan signal matters beyond Taiwan: TWCERT/CC’s write-up reflects a broader trend in cloud identity attacks—phishing operations are shifting from obviously malicious infrastructure to “blended” techniques that combine real SaaS tenancy, fast-changing web hosting artifacts (domains/certs), and selective content delivery. For multinational enterprises, especially those standardized on Microsoft 365, these tactics can generalize across geographies and languages with minimal attacker retooling.
TWCERT/CC’s advisory notes potential outcomes including unauthorized account access and sensitive data exposure if victims submit credentials through the phishing pages. The advisory also emphasizes user vigilance around messages that appear to come from official sources and that create time pressure (e.g., repeated OTP-themed messages followed by an urgent sign-in warning).
Event Type: security
Importance: high
Affected Companies
- Microsoft
Affected Sectors
- Cloud
- Cybersecurity
- Enterprise IT
- Identity
Key Numbers
- Published (TWCERT/CC): 2025-10-29
- Reported page views (at time captured): 16696
- Attack waves described: 2
Timeline
- TWCERT/CC publishes an advisory describing a phishing campaign that blends Microsoft 365 tenancy abuse, lookalike domains, and short-lived TLS (SSL) certificates.
- Wave 1: phishing at scale using “Microsoft account abnormal sign-in activity” emails from legitimate Microsoft 365 accounts; URL-pattern gating shows phishing page only to selected targets.
- Wave 2: spear-phishing sends repeated “Microsoft one-time code” messages to a specific target to create urgency, then follows with “abnormal sign-in activity” lure to drive credential entry.