This may come as a shock to some of you but we here at GAYINT actually do play well with others. Case in point: We have been working with some other fedi nerds on an ongoing phishing campaign targeting M365 tenants from other M365 tenants. There are more details over on Taggart's blog.
But here are some things to hunt on while you read that post:
| Indicator | Type | Description |
|---|---|---|
| invites@microsoft[.]com | Sender address for Entra invites | |
| invited you to access applications within their organization | String | Email Subject substring to search for Guest User invitations |
| CloudSync | String | Attacker Tenant Name |
| Advanced Suite Services | String | Attacker Tenant Name |
| TenantHub | String | Attacker Tenant Name |
| Unified Workspace Team | String | Attacker Tenant Name |
| Advanced Suite Services | String | Attacker Tenant Name |
| x44xfqf.onmicrosoft[.]com | Domain | Attacker Tenant Domain |
| woodedlif.onmicrosoft[.]com | Domain | Attacker Tenant Domain |
| xeyi1ba.onmicrosoft[.]com | Domain | Attacker Tenant Domain |
| x44xfgf.onmicrosoft[.]com | Domain | Attacker Tenant Domain |
Updated: 14 November 2025