
Introduction
A new phishing technique exploits browser full-screen modes to steal Microsoft 365 credentials, spreading malicious emails via compromised accounts. Attackers manipulate shared OneDrive links, displaying fake login pages that capture credentials, then propagate phishing emails to victims’ contacts.
Learning Objectives
- Understand how Browser-in-the-Middle (BITM) phishing works
- Detect and prevent full-screen phishing attacks
- Implement multi-factor authentication (MFA) and email security protocols (SPF, DKIM, DMARC)
1. How the Attack Works
Attack Flow:
- Attacker shares a malicious OneDrive link with a victim.
- Victim clicks the link, seeing a legitimate-looking Microsoft login page.
- Browser enters full-screen mode, hiding the real URL.
- Victim enters credentials, which are stolen and used to send phishing emails from their account.
Detection Command (Windows/Linux):
Check for suspicious logins in Microsoft 365 audit logs:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations UserLoggedIn -ResultSize 1000 |
  ForEach-Object { $d = $_.AuditData | ConvertFrom-Json; [pscustomobject]@{ Time = $_.CreationDate; User = $_.UserIds; ClientIP = $d.ClientIP } } | Group-Object User, ClientIP | Sort-Object Count | Select-Object Count, Name
Steps:
- Run in PowerShell (Admin) after Connect-ExchangeOnline; the output counts how often each account signed in from each IP.
- Investigate any user/ClientIP pairings that are unusual for that account.
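The triage above can be automated once the records are exported. The Python below is an added example, not code from the original post or from Microsoft: it reads rows shaped like Search-UnifiedAuditLog output (AuditData is a JSON string carrying ClientIP and ResultStatus), flags successful logins from an IP not in a per-user baseline, and flags one account authenticating from two different IPs within a short window, the trace a replayed credential leaves shortly after the victim's own sign-in. The records, accounts, IPs and baseline are constructed, and `SAMPLE_RECORDS`, `BASELINE_IPS` and the function names are this example's own.

```python
import json
from datetime import datetime, timedelta

# Constructed sample rows shaped like Search-UnifiedAuditLog output for the
# UserLoggedIn operation. Users, IPs and times are invented for this example.
SAMPLE_RECORDS = [
    {"CreationDate": "2024-05-01T08:02:11", "UserIds": "alice@example.com",
     "AuditData": json.dumps({"Operation": "UserLoggedIn", "ClientIP": "203.0.113.10",
                              "ResultStatus": "Success"})},
    {"CreationDate": "2024-05-01T08:20:47", "UserIds": "alice@example.com",
     "AuditData": json.dumps({"Operation": "UserLoggedIn", "ClientIP": "198.51.100.77:53172",
                              "ResultStatus": "Success"})},
    {"CreationDate": "2024-05-01T09:00:05", "UserIds": "bob@example.com",
     "AuditData": json.dumps({"Operation": "UserLoggedIn", "ClientIP": "203.0.113.11",
                              "ResultStatus": "Success"})},
    {"CreationDate": "2024-05-01T13:00:30", "UserIds": "bob@example.com",
     "AuditData": json.dumps({"Operation": "UserLoggedIn", "ClientIP": "192.0.2.55",
                              "ResultStatus": "Failed"})},
]

# Constructed baseline: IPs each account used over a prior period (e.g. the last 30 days).
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.10", "203.0.113.11"},
}


def strip_port(ip):
    """ClientIP sometimes carries a source port ('203.0.113.10:443', '[2001:db8::1]:443'); drop it."""
    if ip.startswith("["):
        return ip[1:ip.index("]")]
    if ip.count(":") == 1:  # IPv4 with a port; a bare IPv6 address has several colons
        return ip.split(":")[0]
    return ip


def parse_records(records):
    """Flatten audit rows: the ClientIP and result live inside the AuditData JSON string."""
    events = []
    for row in records:
        data = json.loads(row["AuditData"])
        events.append({
            "time": datetime.fromisoformat(row["CreationDate"]),
            "user": row["UserIds"].lower(),
            "ip": strip_port(data.get("ClientIP", "")),
            "success": data.get("ResultStatus") == "Success",
        })
    return sorted(events, key=lambda e: e["time"])


def first_seen_ips(events, baseline):
    """Successful logins from an IP the account has not used before, per the baseline."""
    seen = {user: set(ips) for user, ips in baseline.items()}
    findings = []
    for e in events:
        if not e["success"]:
            continue  # failed attempts are noise for this check
        known = seen.setdefault(e["user"], set())
        if e["ip"] not in known:
            findings.append((e["user"], e["ip"]))
            known.add(e["ip"])  # report each new IP once
    return findings


def rapid_ip_changes(events, window_minutes=60):
    """One account, two successful logins from different IPs within the window."""
    window = timedelta(minutes=window_minutes)
    last = {}
    findings = []
    for e in events:
        if not e["success"]:
            continue
        prev = last.get(e["user"])
        if prev is not None and prev["ip"] != e["ip"] and e["time"] - prev["time"] <= window:
            findings.append((e["user"], prev["ip"], e["ip"]))
        last[e["user"]] = e
    return findings


if __name__ == "__main__":
    evts = parse_records(SAMPLE_RECORDS)
    for user, ip in first_seen_ips(evts, BASELINE_IPS):
        print(f"new IP for {user}: {ip}")
    for user, old, new in rapid_ip_changes(evts):
        print(f"{user} moved from {old} to {new} within 60 min")
```

On the constructed data the script reports alice's second login (a new IP, arriving eighteen minutes after her usual one) and stays quiet about bob's failed attempt; in practice, feed it the JSON export of the PowerShell query above and a baseline built from the previous weeks.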
2. Mitigating Full-Screen Phishing
Enable MFA (Microsoft 365):
$mfa = New-Object Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{ RelyingParty = "*"; State = "Enabled" }
Set-MsolUser -UserPrincipalName user@example.com -StrongAuthenticationRequirements @($mfa)
Steps:
1. Enforce MFA to prevent credential misuse.
2. Use conditional access policies to restrict logins.
Block Suspicious URLs via PowerShell:
New-TenantAllowBlockListItems -ListType Url -Block -Entries "malicious-domain.com" -NoExpiration
Steps:
- Adds the domain to the Tenant Allow/Block List in Microsoft Defender for Office 365, blocking known phishing domains.
3. Email Security: SPF, DKIM, DMARC
Verify DNS Records (Linux):
dig +short example.com TXT _dmarc.example.com TXT selector1._domainkey.example.com TXT
Steps:
1. Check SPF/DKIM/DMARC records for your domain.
2. Ensure the DMARC policy (p=quarantine or p=reject) is active.
Enable DKIM signing (PowerShell):
New-DkimSigningConfig -DomainName example.com -Enabled $true
Steps:
- Signs outbound mail with DKIM so receiving servers can verify it came from your domain, preventing spoofing; the selector1/selector2 CNAME records must be published in DNS before enabling.
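Reading the dig output by eye is error-prone, so the Python below is an added example (not code from the original post) that evaluates the three records the way a receiving mail server interprets them: exactly one v=spf1 record whose `all` mechanism is `-all`, a v=DMARC1 record at `_dmarc.<domain>` with p=quarantine or p=reject, full pct and an rua= address, and a non-empty p= in the DKIM record at `<selector>._domainkey.<domain>`. The TXT tables stand in for DNS answers so the code runs offline; the domains and record values are constructed, and `assess_domain`, `lookup_txt` and the other names are this example's own. Swap `lookup_txt` for a live resolver (for instance dnspython's `dns.resolver.resolve(name, "TXT")`) to check a real domain.

```python
import re

# Constructed TXT records standing in for DNS answers (what `dig TXT` would return).
# example.com is configured well; example.net shows the weak settings.
GOOD_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all",
                    "site-verification=constructed-token"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed=="],
}
WEAK_TXT = {
    "example.net": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    "selector1._domainkey.example.net": ["v=DKIM1; k=rsa; p="],
}


def lookup_txt(name, table):
    """Return the TXT strings for a name; replace with a real resolver for live checks."""
    return table.get(name, [])


def parse_tags(record):
    """Parse 'k=v; k2=v2' tag lists (DMARC and DKIM share this syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism: '-', '~', '?', '+' (explicit or implied), or None if absent."""
    match = re.search(r"(?:^|\s)([-~+?]?)all(?=\s|$)", record, re.IGNORECASE)
    if match is None:
        return None
    return match.group(1) or "+"


def assess_domain(domain, table, selector="selector1"):
    """Return a list of findings; an empty list means SPF, DMARC and DKIM look enforcing."""
    issues = []

    spf = [r for r in lookup_txt(domain, table) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        issues.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)} (more than one is a permerror)")
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier == "~":
            issues.append("SPF: ~all (softfail) only marks spoofed mail as suspicious; use -all")
        elif qualifier != "-":
            issues.append(f"SPF: 'all' mechanism missing or permissive ({qualifier})")

    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}", table) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        issues.append(f"DMARC: expected exactly one record at _dmarc.{domain}, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("quarantine", "reject"):
            issues.append(f"DMARC: p={tags.get('p')} is not an enforcing policy")
        if tags.get("pct", "100") != "100":
            issues.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            issues.append("DMARC: no rua= address, so no aggregate reports arrive")

    dkim = lookup_txt(f"{selector}._domainkey.{domain}", table)
    if not dkim:
        issues.append(f"DKIM: no record at {selector}._domainkey.{domain}")
    elif not parse_tags(dkim[0]).get("p"):
        issues.append("DKIM: empty p= means the selector's key is revoked")

    return issues


if __name__ == "__main__":
    for domain, table in (("example.com", GOOD_TXT), ("example.net", WEAK_TXT)):
        print(domain, assess_domain(domain, table) or ["OK"])
```

The weak table deliberately shows the three settings that look configured but do not stop spoofing: `~all` softfail, `p=none` monitoring-only DMARC, and a DKIM selector with an empty key.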
4. Detecting Phishing Links in OneDrive
Scan SharePoint/OneDrive Files (PowerShell):
Get-SPOMalwareFile -FileUri "https://yourdomain.sharepoint.com/sites/<site>/Shared Documents/<file>"
Steps:
- Reports whether Defender has flagged the file behind a shared link as malware (run after Connect-SPOService; replace the placeholder path with the shared file's URL).
5. Browser Hardening (Chrome/Edge)
Disable Full-Screen Mode via Group Policy:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"FullscreenAllowed"=dword:00000000
Steps:
- Apply via Group Policy Editor (gpedit.msc) using the Chrome ADMX templates, or import the .reg file above with regedit.
- Prevents phishing pages from hiding the URL bar.
What Undercode Says
Key Takeaways:
- Full-screen phishing bypasses traditional warnings by mimicking legitimate login pages.
- MFA + Email Security (SPF/DKIM/DMARC) are critical to stopping credential theft.
- User training is essential—attackers exploit trust in familiar contacts.
Analysis:
This attack highlights social engineering risks in cloud platforms. While MFA and email security help, organizations must monitor shared links and disable unnecessary browser features to reduce exposure.
Prediction
Expect AI-driven phishing to refine these attacks, using deepfake emails and automated credential harvesting. Future defenses will rely on behavioral AI detection and zero-trust access controls.
Action Step:
- Audit Microsoft 365 logs for unusual logins.
- Train employees to verify shared links before clicking.
- Deploy advanced threat protection (ATP) for real-time phishing detection.
For the full technical breakdown, visit: ISB+ Blog
Reported By: Patrick Jung – Hackers Feeds