Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Microsoft Warns of Office 365 Phishing Attacks

Fraudsters Using Evasive Techniques to Bypass Secure Email Gateways
Microsoft Warns of Office 365 Phishing Attacks
Phishing emails used during recent campaign to target Office 365 users (Source: MIcrosoft)

Microsoft’s Security Intelligence team is warning users of the Office 365 suite about an ongoing phishing campaign that appears to be harvesting victims' credentials.

See Also: OnDemand | A Master Class on Cybersecurity: Roger Grimes Teaches Password Best Practices

The phishing emails, which are still circulating, use several techniques to bypass and evade secure email gateways, according to Microsoft’s analysis. The fraudsters use social engineering techniques and timely subject lines as a way to lure victims into clicking the emails and inputting their credentials, which are then harvested.

"The campaign uses timely lures relevant to remote work, like password updates, conferencing info and helpdesk tickets," according to the report.

The evasion techniques, combined with heavy obfuscation of the malicious messages within the HTML code, are helping to make this phishing campaign difficult to detect.

Avoiding Detection

After examining some of the phishing emails, the Microsoft researchers noted several ways that the fraudsters are attempting to avoid security tools. For example, they are using redirector URLs that can detect connections stemming from sandbox environments, which are typically used by analysts to detect these types of attacks.

Each of the redirector sites uses a subdomain that contains a username and the organization's domain name to help increase the authentic look of the phishing email, according to the report.

"This unique subdomain is added to a set of base domains, typically compromised sites," according to Microsoft. "Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient."

The number of unique subdomains used also means that the fraudsters can send large volumes of phishing emails as part of the campaign as another way to avoid detection as well as giving the attackers a way to avoid sandboxes, according to the report.

"If the redirector detects that it’s being accessed from a sandbox environment or if the URL has expired, it redirects to legitimate sites, such that it can evade automated analysis, and only actual users reach the phishing site," Microsoft reports.

Microsoft also warns that the phishing emails use social engineering techniques based on work-from-home scenarios to get potential victims to click on a malicious link. The subject lines include "Password Update," "Exchange proteccion," "Helpdesk-#," "SharePoint," "Projects_communications.”

Microsoft doesn't describe how the Office 365 credentials are harvested in this campaign. But a sample email shows a malicious link that asks for a password reset. If clicked, this link could lead to a phishing landing page, where a user would enter credentials and then fraudsters would then harvest them.

Other security firms, such as Cofense, have noted similar techniques in attacks that target Office 365 users (see: Phishing Attack Bypassed Office 365 Multifactor Protections).

Other Office 365 Attacks

In May, Group-IB described an earlier campaign that targeted the Office 365 accounts of 150 businesses in an attempt to steal documents and other data from high-ranking executives (see: Phishing Campaigns Target Senior Executives via Office 365).

In July, Abnormal Security found fraudsters using fake Zoom alerts that helped disguise phishing emails designed to harvest Office 365 usernames and passwords (see: Zoom-Themed Phishing Campaign Targets Office 365 Credentials).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.