Microsoft says that attackers have already adapted their phishing campaigns to use the newly updated design for Azure AD and Microsoft 365 sign-in pages.
“Office 365 ATP data shows that attackers have started to spoof the new Azure AD sign-in page in multiple phishing campaigns,” Microsoft tweeted earlier. “We have so far seen several dozens of phishing sites used in these campaigns.”
The new Azure AD sign-in experience design for Microsoft customers was updated roughly three months ago, at the end of February, and has started rolling out during the first week of April.
While the change was designed to lower the bandwidth requirements needed to load Azure AD sign-in pages, it inadvertently also made it easier for potential victims to figure out a lot easier when they were targeted by an attacker who forgot to update his phishing tools.

Phishing attacks adapt to changes to prevent effectiveness drop
Microsoft’s discovery shows just how quick threat actors are at adapting to changes made to resources and experiences they try to impersonate in their attacks.
This makes their attacks a lot more convincing and allows them to trick their targets into opening booby-trapped attachments and hand over their sensitive information on phishing landing pages that clone the current designs of services they’re mimicking.
One of these recent phishing campaigns is delivering emails with the ‘Business Document Received’ subject line and PDF attachments that attempt to pass as OneDrive documents that require the potential victims to sign in for viewing.
If the recipients click the ‘Access Document’ button prominently displayed on the malicious PDF camouflaged as an OneDrive shared file, they will be redirected to a phishing landing page that perfectly mimics the new Azure AD and Microsoft 365 sign-in page design.

Phishing campaigns targeting Microsoft customers
Azure AD and Microsoft 365 are not the only Microsoft products malicious actors have used as lures in recent attacks.
Another highly convincing series of phishing attacks were observed while using cloned imagery from automated Microsoft Teams notifications to harvest Office 365 credentials from tens of thousands of potential victims.
Microsoft’s Sway service was also impersonated in a highly targeted spear-phishing campaign dubbed PerSwaysion to deceive recipients into sending their Office 365 credentials to multiple threat actors.
To date, the operators behind the PerSwaysion managed to collect more than 20 Office 365 accounts belonging to executives companies in the U.S., the U.K., Germany, the Netherlands, Canada, Hong Kong, and Singapore.