Keypoints
- Threat actors send emails spoofing Microsoft Power BI notifications (theme: “Weekly Sales Report”) to induce clicks.
- Some phishing emails are crafted or sent using stolen Microsoft credentials to appear as legitimate notifications from a real MS instance.
- Clicking the link leads to a fake Microsoft sign-in page hosted on non-Microsoft domains (URL mismatch and missing standard imagery are indicators).
- Users who submit credentials see a final “account verification” error page, intended to conceal that credentials were harvested.
- Cofense observed specific network IOCs tied to the campaign, including suspicious domains and an IP address used for hosting the phishing pages.
- User reporting and security-awareness conditioning (e.g., using Cofense Reporter) helped detect this phishing instance before wider impact.
MITRE Techniques
- [T1566.001] Spearphishing Link – Phishing emails impersonated Power BI to trick recipients into clicking links and entering credentials (‘has observed a new phishing campaign that harvests Microsoft credentials by impersonating Power BI emails’).
- [T1204.002] User Execution: Malicious Link – The attack relies on the user clicking the embedded link in the email to reach the credential-harvesting page (‘Once the user has clicked the link in the email, they are presented with a page…’).
- [T1036] Masquerading – The actor mimicked legitimate Microsoft/Power BI notifications to make the message appear authentic (‘the email resembles a legitimate Microsoft notification’).
- [T1078] Valid Accounts – The adversary used stolen Microsoft credentials to create convincing notifications from legitimate instances (‘leveraging stolen credentials to create a legitimate looking notification from a legitimate MS instance’).
Indicators of Compromise
- [URL] Phishing landing pages and redirectors – hXXps://web-wk01[.]web[.]app, hXXps://l-formula[.]com/wp-reporting.php, and 1 other URL
- [Domain] Third-party ad/redirect domain seen in click chain – hXXps://ad[.]atdmt[.]com/s/go
- [IP] Hosting address for phishing page – 202.254.234.76
Attack flow (technical procedure): The campaign begins with a spoofed Power BI notification email (commonly themed as a “Weekly Sales Report”) that either mimics Microsoft formatting or is sent from a compromised/legitimate Microsoft account. The email contains a link that, when clicked, directs the user to a non-Microsoft URL hosting a fake Microsoft sign-in page; notable red flags include URLs that do not match Microsoft domains and missing standard Microsoft imagery. When the victim submits their credentials, the page captures the input and then displays an account verification error to obscure the theft and prevent immediate suspicion. Network indicators tied to this flow include redirects through ad/redirect domains and landing pages on web-wk01[.]web[.]app and l-formula[.]com, with associated hosting IP 202.254.234.76.
Defensive notes: Validate sender addresses and hover-check links before clicking; verify that sign-in pages use official Microsoft domains and expected branding; enable multi-factor authentication to reduce impact of stolen credentials; and encourage users to report suspected phishing via a reporting tool so security teams can triage IOCs and take down malicious infrastructure.
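The URL-mismatch check from the defensive notes, written out as an added triage helper (not Cofense's tooling): it refangs the report's defanged indicators, parses the host, and matches it against an assumed allowlist of Microsoft sign-in and Power BI domains on a dotted suffix, so a brand word inside a foreign host is flagged as a lookalike rather than accepted. The allowlist, brand-word list and the two contrast links in the sample are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Assumed allowlist of domains Microsoft uses for sign-in and Power BI pages.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com",
                     "office.com", "powerbi.com")
# Brand words a spoofed host may carry to look legitimate (assumed list).
BRAND_WORDS = ("microsoft", "office", "powerbi")


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hXXps://x[.]y) into a parseable URL."""
    return ioc.replace("hXXp", "http").replace("[.]", ".")


def defang(url: str) -> str:
    """Inverse of refang, for writing an indicator back into a report or ticket."""
    return url.replace("http", "hXXp", 1).replace(".", "[.]")


def host_of(url: str) -> str:
    """Lowercase hostname without port; empty string if the URL has no host."""
    return (urlparse(url).hostname or "").lower()


def is_microsoft_host(host: str) -> bool:
    """Dotted-suffix match: 'login.microsoftonline.com.example.net' is NOT accepted."""
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def triage(url: str) -> dict:
    """Classify a sign-in link as 'microsoft', 'lookalike' or 'unknown' host."""
    host = host_of(url)
    if is_microsoft_host(host):
        verdict = "microsoft"
    elif any(word in host for word in BRAND_WORDS):
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"url": url, "host": host, "verdict": verdict}


# Constructed sample: the report's defanged IOCs plus two links made up for contrast.
SAMPLE_LINKS = [
    "hXXps://web-wk01[.]web[.]app",
    "hXXps://l-formula[.]com/wp-reporting.php",
    "hXXps://ad[.]atdmt[.]com/s/go",
    "hXXps://app[.]powerbi[.]com/groups/me/reports",          # constructed legitimate link
    "hXXps://login[.]microsoftonline[.]com[.]example[.]net/",  # constructed lookalike
]


def triage_report(links):
    """Return (defanged URL, verdict) for every link a user should not sign in on."""
    return [(defang(r["url"]), r["verdict"]) for r in map(triage, map(refang, links))
            if r["verdict"] != "microsoft"]


if __name__ == "__main__":
    for entry in triage_report(SAMPLE_LINKS):
        print(*entry)
```

The redirector host stays flagged as "unknown" here because the helper does not follow redirects; resolve the click chain in a sandbox before treating the final landing host as the indicator.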
Read more: https://cofensestaging.wpengine.com/blog/phishers-spoof-power-bi-to-visualize-your-credential-data