Microsoft Lures Populate Half of Credential-Swiping Phishing Emails


As more organizations migrate to Office 365, cybercriminals are using Outlook, Teams and other Microsoft-themed phishing lures to swipe user credentials.

Almost half of phishing attacks in 2020 aimed to swipe credentials using Microsoft-related lures – from the Office 365 enterprise service lineup to its Teams collaboration platform.

According to a Tuesday report by Cofense, which analyzed millions of emails related to various attacks, 57 percent were phishing emails aiming to steal victim usernames and passwords. The remainder of malicious emails were utilized in business email compromise (BEC) attacks or for malware delivery.

Of those phishing emails, 45 percent were Microsoft-themed, said researchers: Cybercriminals are both relying on Microsoft-themed lures for their emails and using ensuing phishing landing pages that either spoof or leverage legitimate Microsoft domains or services.

“With the number of organizations migrating to Office 365, targeting these credentials allows the threat actor to gain access to the organization as a legitimate user to go undetected,” researchers with Cofense told Threatpost. They added that they “highly recommend organizations enable [multi-factor authentication] along with their [Office 365] migration/implementation.”

Microsoft Users Under Attack by Phishing Emails

Malicious email lures can vary; it could be a straightforward “‘Joe wants to share a document with you’ SharePoint alert you would normally see from Microsoft,” researchers explained — or it could be a simple attached file that includes a link to a website asking users to log in with Microsoft credentials.

One phishing campaign in October pretended to be an automated message from Microsoft Teams telling victims they had a missed Teams chat. In reality, the attack aimed to steal Office 365 recipients’ login credentials.


Examples of Microsoft phishing lures. Credit: Cofense

Another December attack used embedded URLs that redirected to fake, never-seen-before Microsoft Office 365 phishing pages. The attack started with emails impersonating businesses like eFax, which is an internet fax service that allows users to receive faxes via email or online.

“We also see [cybercriminals] giving the user options to choose from the most commonly used email platforms,” said researchers. “The phishing emails often contain URLs hosted on legitimate domains that maintain a broad consumer base to avoid being blocked by content rules and filters.”

According to researchers, beyond the 45 percent of credential-stealing phishing attacks targeting Microsoft, the next-largest category was “generic” – meaning there wasn’t a specific brand associated with the email or the landing page asking the recipient to log in.

However, beyond Microsoft’s trusted collaboration services such as SharePoint, OneDrive or Office 365, researchers said they have seen other cloud provider products being leveraged in attacks. This includes Google (such as Google Forms), Adobe and file-sharing services.

“Other popular brands we observed asking for credentials were other various cloud hosting services such as Adobe, Dropbox, Box, DocuSign or WeTransfer,” researchers told Threatpost. “Threat actors have been able to scour the internet looking for file-sharing websites that are deemed ‘business related’ in order to make it past the secure email gateway controls, as well as the web proxy filters.”

Finance-Related Malicious Email Attacks

Researchers found that almost 17 percent of the emails identified as malicious were related to a financial transaction.


Various industries hit by different email attacks. Credit: Cofense

Many of these phishing emails may relate to invoices and transactions needed for work. One recent example of such an attack, for instance, involved invoice-themed emails sent to at least 20,000 mailboxes that purported to share information about an electronic funds transfer (EFT) payment. The emails, found earlier this month, carried a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contained a link to download an “invoice” from the cloud.

These types of attacks work because “finance teams are under extreme pressure to process invoices and payments in a timely fashion to keep the business running, especially during month- or quarter-end when financial reporting is critical,” said researchers. “So, if a user hasn’t heard anything back about the email they reported, they will most likely interact with that message.”

The Rise of the GuLoader Malware

Researchers found that in 2020, the GuLoader dropper rose as one of the top malware delivery mechanisms in email attacks.

The malware, which first appeared in the first quarter and surged during the second quarter of 2020, is used to deliver remote administration tools, keyloggers, credential stealers and other malware families.


Quick stats. Click to enlarge. Credit: Cofense

For instance, one June email campaign was discovered targeting mid-level employees across Austria, Germany and Switzerland with malicious Excel attachments. Once opened, and with macros enabled, the Microsoft Excel attachments would then download and execute GuLoader, which in turn would download and execute the Hakbit ransomware.

The malware’s advanced techniques make it an attractive tool for cybercriminals seeking to sidestep network- and email-security detections. For instance, the malware contains false code instructions designed to thwart analysis tools and a wide array of tricks to avoid executing in virtual or sandbox environments, said researchers. The attackers behind the malware also store their malicious payloads on cloud platforms like Google Drive or Microsoft OneDrive – which, because they are legitimate services, are not frequently blocked.
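As an added example (not Cofense's or Threatpost's code), the lure patterns described above, the Microsoft collaboration themes, the invoice/EFT pressure on finance teams, links to legitimate cloud storage, and macro-bearing Excel attachments, turned into a simple defender-side mail triage scorer. The keyword lists, host list and sample messages are constructed assumptions, not data from the report.

```python
import re
from urllib.parse import urlparse

# Lure themes the report says dominate credential phishing (assumed keyword lists).
MS_THEME_RE = re.compile(r"\b(teams|sharepoint|onedrive|office 365|missed chat)\b")
FINANCE_RE = re.compile(r"\b(invoice|payment|transfer|eft)\b")
# Legitimate, widely used hosts the report says attackers abuse for landing pages and payloads.
CLOUD_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms",
               "dropbox.com", "box.com", "wetransfer.com"}
# Macro-capable Office types, as in the Excel-to-GuLoader-to-Hakbit chain.
MACRO_EXTS = (".xlsm", ".xls", ".docm", ".doc")
URL_RE = re.compile(r"https?://\S+")

def links_to_cloud(url):
    """True if the URL's host is an abused cloud service or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)

def triage(msg):
    """Score a message dict (subject, body, attachments); returns (score, reasons)."""
    text = (msg["subject"] + " " + msg["body"]).lower()
    reasons = []
    if MS_THEME_RE.search(text):
        reasons.append("microsoft-themed lure")
    if FINANCE_RE.search(text):
        reasons.append("finance/invoice theme")
    cloud_links = [u for u in URL_RE.findall(msg["body"]) if links_to_cloud(u)]
    if cloud_links:
        reasons.append(f"{len(cloud_links)} link(s) to legitimate cloud storage")
    if any(a.lower().endswith(MACRO_EXTS) for a in msg.get("attachments", [])):
        reasons.append("macro-capable Office attachment")
    return len(reasons), reasons

# Constructed sample messages modelled on the campaigns described in the article.
SAMPLES = [
    {"subject": "TRANSFER OF PAYMENT NOTICE FOR INVOICE",
     "body": "Download your invoice: https://drive.google.com/file/d/EXAMPLE/view",
     "attachments": []},
    {"subject": "You have a missed Teams chat",
     "body": "Sign in to Office 365 to read it: https://onedrive.live.com/EXAMPLE",
     "attachments": []},
    {"subject": "June invoice", "body": "Please open the attached workbook and enable editing.",
     "attachments": ["invoice.xlsm"]},
    {"subject": "Lunch on Friday?", "body": "Same place as last time?", "attachments": []},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["subject"], "->", triage(s))
```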

“While GuLoader is an executable, it is normally deployed through weaponized office documents that are built to bypass security controls and download the malware directly from the victim’s computer system,” said researchers. “GuLoader’s continued evolution of sophisticated delivery and execution techniques make it increasingly useful in delivering threats.”
