{"id":37091,"date":"2020-09-11T15:45:00","date_gmt":"2020-09-11T15:45:00","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/d\/d-id\/1338892"},"modified":"2020-09-11T15:45:00","modified_gmt":"2020-09-11T15:45:00","slug":"spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/","title":{"rendered":"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<header><\/header>\n<p><span class=\"strong black\">New attack technique uses Office 365 APIs to cross-check credentials against Azure Active Directory as victim types them in.<\/span><\/p>\n<p class>Serving as yet another proof point of the creativity with which attackers are targeting Office 365 users with new phishing schemes, Armorblox researchers&nbsp;yesterday detailed a new attack technique they found that validates stolen credentials in real time as the victim enters them into the login lure.<\/p>\n<p>The attack in question is part of a very targeted spear-phishing campaign that was discovered operating against an executive at a top 50 American company. It works like this: Attackers send a typical credential phishing email using Amazon Simple Email Service to pass DKIM and SPF checks. Attached to the message is a bogus payment remittance report that looks like a text file with a title along the lines of &#8220;ACH Company Name.&#8221;&nbsp;<\/p>\n<p>Opening that file automatically opens up a look-alike Office 365 sign-on page with the user&#8217;s email address already pre-entered, with a message that says, &#8220;Because you&#8217;re accessing sensitive info, you need to verify your password.&#8221;<\/p>\n<p>All of these steps are fairly standard, but what happens next is what differentiates this attack from others. When a victim enters a password into the fake login screen, that triggers a call to Office 365 APIs to actively validate that username\/password combination against that organization&#8217;s Azure Active Directory infrastructure.&nbsp;&nbsp;<\/p>\n<p>&#8220;This immediate feedback allows the attacker to respond intelligently during the attack,&#8221; wrote Team Armorblox in a&nbsp;<a href=\"https:\/\/www.armorblox.com\/blog\/blox-tales-credential-phishing-attack-performs-real-time-active-directory-authentication\" target=\"_blank\" rel=\"noopener noreferrer\">blog post<\/a>&nbsp;about the attack. &#8220;The attacker is also immediately aware of a live, compromised credential and allows him to potentially ingratiate himself into the compromised account before any remediation.&#8221;<\/p>\n<p>If the login verification is successful, the user is redirected to zoom.com, likely as a diversionary tactic to make the process look like a benign glitch. If the authentication fails, the user is directed to login.microsoftonline.com, likely to hide the phishing attempt as a failed sign-on at the Office 365 portal.<\/p>\n<p>In examining the attack, Armorblox found limited activity at the website hosting the attack. In addition, along with the timing of the lure email being sent \u2014 it was a Friday evening \u2014 the attack was carefully leveraged against that executive and organization.<\/p>\n<p>&#8220;Our estimates show there have been 120-odd visits to this website globally since the beginning of June. The sparse number shows that the phishing scams are likely targeted and not spray and pray,&#8221; they wrote.&nbsp;<\/p>\n<p>This is one example of many new and creative ways to exploit the interconnected nature of the Office 365 ecosystem through various phishing and business email compromise (BEC) schemes.&nbsp;<\/p>\n<p>For example, in late July <a href=\"https:\/\/abnormalsecurity.com\/blog\/abnormal-attack-stories-sharepoint-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">Abnormal Security researchers&nbsp;reported<\/a>&nbsp;an attack concocted to look like automated Sharepoint messages to snag employee credentials. And in early August&nbsp;<a href=\"https:\/\/www.darkreading.com\/bec-campaigns-target-financial-execs-via-office-365\/d\/d-id\/1338611\" target=\"_blank\" rel=\"noopener noreferrer\">researchers with Trend Micro reported<\/a>&nbsp;a wave of BEC campaigns that have been targeting the Office 365 accounts of business executives since March. Meantime, a&nbsp;<a href=\"https:\/\/ironscales.com\/blog\/fake-login-pages-spoof-prominent-brands-phishing-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">study&nbsp;released by Ironscales<\/a> several weeks ago found some 9,500 different fake Microsoft login pages lurking online, all connected to different campaigns targeting Office 365.<\/p>\n<p>At Black Hat USA this year, researchers Josh Madeley and Doug Bienstock presented on a range of different kind of tactics, techniques, and procedures (TTP) used by attackers against Office 365. They said the ecosystem has grown increasingly interesting to attackers as more enterprises fully embrace it for a range of different applications that reach far beyond email.&nbsp;&nbsp;<\/p>\n<p>&#8220;A lot of organizations have lifted their on-premise Exchange environment into the cloud without much consideration or awareness of the new risks and attacker vectors this exposes them to,&#8221; according to Bienstock, in a separate interview. He explained that the combination of different valuable productivity environments like Outlook, OneDrive, SharePoint, and Teams open up a huge volume of sensitive data in a consolidated cloud platform. It&#8217;s a vector ripe for attack, he pointed out.<\/p>\n<p>In a recent&nbsp;<a href=\"https:\/\/www.darkreading.com\/cloud\/office-365s-vast-attack-surface-and-all-the-ways-you-dont-know-youre-being-exploited-through-it\/d\/d-id\/1338566\" target=\"_blank\" rel=\"noopener noreferrer\">Dark Reading News Desk interview<\/a>&nbsp;during Black Hat, Madeley somewhat presaged the attack described by Armorblox by explaining that Azure Active Directory is a feature often overlooked as a threat vector for Office 365 organizations.<\/p>\n<p>&#8220;It is, for most organizations, the authentication provider for their employees,&#8221; he explained. &#8220;So if an attacker has access to that, they have access to sites that are integrated into active directory that are federated with Azure.&#8221;&nbsp;<\/p>\n<p> <span class=\"italic\">Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to&nbsp;Dark Reading.&nbsp; <a href=\"https:\/\/www.darkreading.com\/author-bio.asp?author_id=962\">View Full Bio<\/a><\/span><\/p>\n<p><strong>Recommended Reading:<\/strong><\/p>\n<p><span class=\"smaller strong red allcaps\">More Insights<\/span><\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/d\/d-id\/1338892?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New attack technique uses Office 365 APIs to cross-check credentials against Azure Active Directory as victim types them in. Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/d\/d-id\/1338892?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-37091","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-09-11T15:45:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time\",\"datePublished\":\"2020-09-11T15:45:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/\"},\"wordCount\":785,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\",\"articleSection\":[\"DarkReading |TI\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/\",\"name\":\"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\",\"datePublished\":\"2020-09-11T15:45:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#primaryimage\",\"url\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\",\"contentUrl\":\"https:\\\/\\\/twimgs.com\\\/nojitter\\\/darkreading\\\/dr-logo.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/","og_locale":"en_US","og_type":"article","og_title":"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-09-11T15:45:00+00:00","og_image":[{"url":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time","datePublished":"2020-09-11T15:45:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/"},"wordCount":785,"commentCount":0,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#primaryimage"},"thumbnailUrl":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","articleSection":["DarkReading |TI"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/","url":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/","name":"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#primaryimage"},"thumbnailUrl":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","datePublished":"2020-09-11T15:45:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#primaryimage","url":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg","contentUrl":"https:\/\/twimgs.com\/nojitter\/darkreading\/dr-logo.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/spear-phishers-leverage-office-365-ecosystem-to-validate-stolen-creds-in-real-time\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/37091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=37091"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/37091\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=37091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=37091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=37091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}