This article explores a potent social engineering technique that leverages Microsoft Self-Service Password Reset (SSPR) and push-based MFA to gain initial access to Microsoft 365 tenants. By combining technical reconnaissance (identifying the tenant, its SSPR configuration and the user's registered authentication methods) with a help desk pretext, attackers sidestep internal security controls and identity confirmation tooling: the reset is performed through Microsoft's own SSPR portal, so the help desk's caller-verification procedures are never invoked. The ruse involves calling a user as "IT support", entering the user's name in the official Microsoft SSPR interface, and coaching the user to approve the resulting unsolicited MFA prompts as a "security verification." Each approval the victim grants completes a step of the attacker's reset, and the attacker sets a new password the victim never sees.
The attack is particularly effective because it places the victim in a position of perceived control: the user believes they are helping IT verify their own account, so nothing feels like an intrusion and the incident is far less likely to be reported. Defensive strategies include disabling SSPR where possible (or restricting the methods it accepts) and training users to never approve an MFA prompt they did not themselves initiate, whoever is on the phone. Authenticator number matching does not by itself break this attack, since an attacker already talking to the victim can simply read the number aloud. A case study included in the article highlights a campaign where 100% of calls resulted in successful initial access and subsequent data exfiltration from Outlook, SharePoint, and Teams.
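Because the reset itself is a legitimate Microsoft-issued event, the detection opportunity lies in correlation: an SSPR reset initiated from an address the user has never signed in from, followed shortly by a successful sign-in from unfamiliar infrastructure. The script below is an added example, not code from the original article. The event dictionaries are a constructed, flattened approximation of Entra ID audit-log and sign-in-log exports; the field names (`initiatedByIp`, `targetUserPrincipalName`, `status`) and the activity string `Reset password (self-service)` are assumptions that must be checked against the tenant's real export schema before use.

```python
"""Correlate Entra ID self-service password resets with follow-on sign-ins.

Added example, not code from the original article. The event dictionaries
below are a constructed, flattened approximation of Entra ID audit-log and
sign-in-log exports; field names (e.g. initiatedByIp) are assumptions and
must be mapped to the tenant's real export schema before use.
"""
from datetime import datetime, timedelta

# Audit-log activity name recorded when a user completes an SSPR reset
# (assumed; verify against your own tenant's audit log before relying on it).
SSPR_RESET_ACTIVITY = "Reset password (self-service)"
FOLLOWUP_WINDOW = timedelta(hours=2)   # how soon after the reset we look for a new sign-in
HISTORY_WINDOW = timedelta(days=30)    # how far back we build the user's known-IP baseline


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def known_ips_before(signins, user, before, window=HISTORY_WINDOW):
    """IPs from the user's successful sign-ins in the baseline window before `before`."""
    return {
        s["ipAddress"]
        for s in signins
        if s["userPrincipalName"] == user
        and s["status"] == "success"
        and before - window <= parse_ts(s["createdDateTime"]) < before
    }


def find_suspicious_resets(audit_events, signins, followup_window=FOLLOWUP_WINDOW):
    """Return one alert per SSPR reset that was initiated from, or followed by a
    successful sign-in from, an IP the user had not used in the baseline window."""
    alerts = []
    for event in audit_events:
        if event["activityDisplayName"] != SSPR_RESET_ACTIVITY:
            continue
        user = event["targetUserPrincipalName"]
        t_reset = parse_ts(event["activityDateTime"])
        baseline = known_ips_before(signins, user, t_reset)
        reasons = []

        # Signal 1: the reset itself came from infrastructure the user never used.
        reset_ip = event.get("initiatedByIp")
        if reset_ip and reset_ip not in baseline:
            reasons.append(f"reset initiated from unfamiliar IP {reset_ip}")

        # Signal 2: a successful sign-in from a new IP shortly after the reset,
        # i.e. the attacker using the password they just set.
        new_ip_logins = sorted(
            {
                s["ipAddress"]
                for s in signins
                if s["userPrincipalName"] == user
                and s["status"] == "success"
                and s["ipAddress"] not in baseline
                and t_reset <= parse_ts(s["createdDateTime"]) <= t_reset + followup_window
            }
        )
        if new_ip_logins:
            reasons.append(
                f"successful sign-in from unfamiliar IP(s) {', '.join(new_ip_logins)} "
                f"within {followup_window} of the reset"
            )

        if reasons:
            alerts.append({"user": user, "reset_time": t_reset.isoformat(), "reasons": reasons})
    return alerts


# Constructed sample data (not real tenant logs). alice's reset and follow-on
# sign-in come from an address she never used; bob resets from his usual one.
SAMPLE_AUDIT = [
    {"activityDateTime": "2024-05-01T10:05:00Z", "activityDisplayName": SSPR_RESET_ACTIVITY,
     "targetUserPrincipalName": "alice@example.com", "initiatedByIp": "203.0.113.7"},
    {"activityDateTime": "2024-05-01T11:00:00Z", "activityDisplayName": SSPR_RESET_ACTIVITY,
     "targetUserPrincipalName": "bob@example.com", "initiatedByIp": "198.51.100.20"},
]
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-04-20T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.10", "status": "success"},
    {"createdDateTime": "2024-05-01T10:12:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.7", "status": "success"},
    {"createdDateTime": "2024-04-25T09:00:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.20", "status": "success"},
    {"createdDateTime": "2024-05-01T11:03:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.20", "status": "success"},
]

if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_AUDIT, SAMPLE_SIGNINS):
        print(alert["user"], alert["reset_time"], "; ".join(alert["reasons"]))
```

On the constructed data only alice's reset is flagged, for both reasons; bob's legitimate reset from his usual address produces nothing. In production the baseline should be built from the full sign-in history rather than an in-memory list, and the alert is a triage lead, not proof: a user resetting from a new home connection will also trip it, which is why the two signals are reported separately.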