Microsoft Office 365 Attacks Sparked from Google Firebase


A savvy phishing campaign manages to evade native Microsoft security defenses, looking to steal O365 credentials.

A phishing campaign bent on stealing Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers said.

Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.

Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that’s hosted on Google Firebase. That page is of course a phishing page, bent on harvesting Microsoft log-in information, secondary email addresses and phone numbers.

The attackers could use the information to take over accounts and steal information, but they could wreak other havoc as well.

“Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” according to Armorblox.

Microsoft O365 Attack Flow

The link in the email claims to download a file called “Payment Notification – PDF.” It takes users to a landing page, which researchers said has a supposed “download” button on the top right. Hovering over the link shows that the file is hosted on Google Firebase, Google’s platform for building and hosting custom web and mobile apps (for, say, internal enterprise use), whose domains are widely trusted.

“The downloaded ‘invoice’ might have PDF in its file name, but it’s actually an HTML file,” explained Armorblox researcher Rajat Upadhyaya, in a blog on Thursday. “Opening an HTML file loads an iframe with Office 365 branding. The page displays a thumbnail along with a link to view the invoice.”

Clicking the thumbnail or “View File” link leads to the final phishing page, which asks victims to log in with their Microsoft credentials and to provide alternate email addresses or phone numbers – an effort to collect the data that account-recovery flows and two-factor authentication (2FA) fallbacks rely on.

After the details are submitted, the login portal reloads with an error message asking the user to enter the correct details.

“This might point to some backend validation mechanism in place that checks the veracity of entered details,” Upadhyaya said. “Alternately, attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”

Bypassing Native Email Security

The campaign is perhaps most notable for the bevy of tactics employed to avoid email security defenses.

“This email attack bypassed native Microsoft email security controls,” the researcher noted. “Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to this email, which meant that Microsoft did not determine the email as suspicious and delivered it to end-user mailboxes.”

For one thing, the redirect flow is complex, which helps mask the malicious nature of the messages, according to Upadhyaya, who noted that this kind of obfuscation is a common tactic to thwart security defenses that check for fake login pages.

“Clicking the email link goes through a redirect and lands on a page with the parent domain ‘mystuff[.]bublup[.]com,'” he said. “The redirect has the parent domain ‘nam02[.]safelinks[.]protection[.]outlook[.]com’, showing that the link was rewritten by native Microsoft security controls even though it was a malicious link.”
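The Safe Links rewrite quoted above hides the real destination behind a `nam02.safelinks.protection.outlook.com` URL whose `url=` query parameter carries the original link, percent-encoded. When triaging a reported message the first step is to unwrap that layer (possibly several layers, since forwarded mail gets rewrapped) and look at the host the user would actually land on. The following is an added example written for this article, not code from Armorblox or Microsoft; the Safe Links host is the one named in the quote, while the wrapped target’s path and the `data`/`sdata` values are placeholders, not values from the campaign.

```python
from urllib.parse import urlparse, parse_qs, quote

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def is_safelink(url: str) -> bool:
    """True if the URL is a Defender Safe Links rewrite (nam02, eur01, ... hosts)."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url: str, max_depth: int = 5) -> str:
    """Return the original URL wrapped by Safe Links.

    The rewrite stores the original target, percent-encoded, in the 'url'
    query parameter; parse_qs decodes it. Forwarded mail can be wrapped more
    than once, so loop until the host is no longer a Safe Links host.
    A URL that is not a Safe Link is returned unchanged.
    """
    for _ in range(max_depth):
        if not is_safelink(url):
            break
        inner = parse_qs(urlparse(url).query).get("url")
        if not inner:
            break  # malformed rewrite without a 'url' parameter: leave as-is
        url = inner[0]
    return url


def link_host(url: str) -> str:
    """Hostname the user lands on after unwrapping (before any HTTP redirects)."""
    return (urlparse(unwrap_safelinks(url)).hostname or "").lower()


# Constructed sample: the wrapped target's path and the data/sdata values are
# placeholders, not taken from the campaign.
WRAPPED_TARGET = "https://mystuff.bublup.com/i/EXAMPLE"
SAMPLE_LINK = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    + quote(WRAPPED_TARGET, safe="")
    + "&data=04%7C01%7C&sdata=PLACEHOLDER&reserved=0"
)
# A Safe Link that wraps another Safe Link, as a forwarded message can look.
DOUBLE_WRAPPED = (
    "https://eur01.safelinks.protection.outlook.com/?url="
    + quote(SAMPLE_LINK, safe="")
    + "&reserved=0"
)

if __name__ == "__main__":
    for u in (SAMPLE_LINK, DOUBLE_WRAPPED, WRAPPED_TARGET):
        print(link_host(u), "<-", u[:60], "...")
```

Unwrapping only reveals the first hop; the chain described in the article continues with HTTP redirects from `mystuff.bublup.com` onward, which you would follow in a sandbox rather than from an analyst workstation.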

Interestingly, by hosting the phishing page HTML on Google Firebase, a domain with a strong reputation, the attackers slipped the emails past built-in Microsoft security filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

“Reputed URLs like that of Firebase will fool people (and email security technologies) into thinking that clicking the link will retrieve the invoice whose thumbnail is displayed,” the researcher said.

Firebase has been abused in previous attacks; last year, for instance, a series of phishing campaigns using Google Firebase storage URLs surfaced, showing that cybercriminals continue to lean on the reputation of Google’s cloud infrastructure to dupe victims and slip past secure email gateways.

And finally, the emails also passed authentication and anti-spoofing checks because they were sent through a legitimate mass-mailing service of the kind used for newsletters and other routine communications.

“The email was sent from a personal Gmail account via SendGrid,” Upadhyaya said. “This resulted in the email successfully passing authentication checks such as SPF, DKIM and DMARC.”

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the industry standard for stopping mail sent with counterfeit sender addresses. It builds on SPF and DKIM: a message passes DMARC only if at least one of those checks passes and the domain it authenticated aligns with the domain in the visible From: header, so that the purported sender domain cannot simply be borrowed. The domain owner publishes a policy (none, quarantine or reject) telling receivers what to do with messages that fail.
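Two headers carry the evidence discussed in this section: `X-Forefront-Antispam-Report`, whose `SCL:` field is Microsoft’s verdict (-1 means filtering was skipped, 0 and 1 mean not spam, 5 and 6 spam, 7 to 9 high-confidence spam), and `Authentication-Results`, which records the SPF and DKIM outcomes together with the domains they authenticated. The following added example (written for this article, not code from Armorblox or Microsoft) parses both and recomputes the DMARC verdict from identifier alignment rather than trusting the receiver’s `dmarc=` token, which is the check a gateway rule or an analyst needs when the SCL says “deliver” but the From: domain was never actually authenticated. The headers are constructed on RFC 2606 example domains and TEST-NET addresses; they model the shape the article describes (a gmail.com From: relayed through a third-party mailing service) and are not the campaign’s headers. The DMARC policy is passed in as a parameter because in practice it comes from the `_dmarc.<domain>` TXT record, and the organizational-domain helper is a simplification that a real implementation replaces with the Public Suffix List.

```python
import re

# X-Forefront-Antispam-Report is a semicolon-separated KEY:value list.
# SCL: -1 filtering skipped, 0-1 not spam, 5-6 spam, 7-9 high-confidence spam.
def parse_antispam_report(value: str) -> dict:
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def scl(value: str) -> int:
    """SCL from the report, or -2 if absent (distinct from the real -1 value)."""
    return int(parse_antispam_report(value).get("SCL", "-2"))


def parse_auth_results(value: str) -> dict:
    """SPF/DKIM results, the domains they authenticated, and header.from,
    from an Authentication-Results header in the Office 365 format."""
    out = {"spf": None, "spf_domain": None, "dkim": [], "header_from": None}
    for clause in value.split(";"):
        m = re.search(r"\bspf=(\w+)", clause)
        if m:
            out["spf"] = m.group(1).lower()
            d = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([^\s;]+)", clause)
            out["spf_domain"] = d.group(1).lower() if d else None
            continue
        m = re.search(r"\bdkim=(\w+)", clause)
        if m:
            d = re.search(r"header\.d=([^\s;]+)", clause)
            out["dkim"].append((m.group(1).lower(), d.group(1).lower() if d else None))
            continue
        m = re.search(r"header\.from=([^\s;]+)", clause)
        if m:
            out["header_from"] = m.group(1).lower()
    return out


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real code must use the
    # Public Suffix List so that mail.example.co.uk -> example.co.uk.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r") -> bool:
    """RFC 7489 identifier alignment: strict (s) exact match,
    relaxed (r) same organizational domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(auth_results: str, policy="none", aspf="r", adkim="r") -> dict:
    """Recompute DMARC from SPF/DKIM plus alignment. 'policy' is the p= tag of
    the header.from domain's _dmarc record, supplied here so this runs offline."""
    r = parse_auth_results(auth_results)
    hf = r["header_from"]
    spf_ok = r["spf"] == "pass" and aligned(r["spf_domain"], hf, aspf)
    dkim_ok = any(res == "pass" and aligned(dom, hf, adkim) for res, dom in r["dkim"])
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"header_from": hf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": result, "action": "none" if result == "pass" else policy}


def triage(headers: dict, policy="none") -> dict:
    """A low SCL says 'deliver'; a DMARC fail says 'warn'. banner=True raises a
    warning on any DMARC fail, even when the domain's policy is p=none."""
    verdict = evaluate_dmarc(headers.get("Authentication-Results", ""), policy)
    verdict["scl"] = scl(headers.get("X-Forefront-Antispam-Report", ""))
    verdict["banner"] = verdict["result"] == "fail"
    return verdict


# Constructed headers (example domains, TEST-NET IPs), not the campaign's.
ESP_RELAYED = {
    "X-Forefront-Antispam-Report":
        "CIP:192.0.2.10;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;"
        "H:mail.esp.example;PTR:mail.esp.example;CAT:NONE;DIR:INB",
    "Authentication-Results":
        "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.esp.example; "
        "dkim=pass (signature was verified) header.d=esp.example; "
        "dmarc=fail action=none header.from=gmail.com",
}
ALIGNED = {  # same organization everywhere: SPF and DKIM both align
    "X-Forefront-Antispam-Report": "CIP:192.0.2.20;SCL:0;DIR:INB",
    "Authentication-Results":
        "spf=pass smtp.mailfrom=sender.example; "
        "dkim=pass header.d=mail.sender.example; "
        "dmarc=pass action=none header.from=sender.example",
}

if __name__ == "__main__":
    print(triage(ESP_RELAYED))
    print(triage(ESP_RELAYED, policy="reject"))
    print(triage(ALIGNED))
```

For the relayed sample, SPF and DKIM both pass, but for the mailing service’s own domain, not for the From: domain, so the recomputed DMARC result is `fail`; with a `p=none` policy the action is still `none` and the message is delivered, which is exactly the case a banner rule keyed on the result rather than the action catches.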

How to Mitigate Email Threats

For better protection against email-borne threats, employees should be trained to engage with emails related to money and data with an “eye test” that includes inspecting the sender name, sender email address, language within the email and any logical inconsistencies within the email (e.g., a supposed PDF file that has an HTML extension), according to Armorblox.

Other defenses include enabling 2FA on workplace accounts and following password-management best practices.
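The “eye test” above can be automated at the gateway or in a user-reported-phish workflow: compare what the file name claims with what the bytes actually are, and list the hosts an HTML “invoice” would frame in. The following added example is written for this article (not Armorblox’s tooling) and uses constructed samples: the lure’s file name mirrors the one described in the article, while its HTML body, the framed host and the sample PDF bytes are placeholders.

```python
import re
from urllib.parse import urlparse


def sniff_type(data: bytes) -> str:
    """Classify by content, ignoring the file name. Only the two types that
    matter for the 'PDF that is really HTML' lure are distinguished."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<") and re.search(
            rb"<(!doctype\s+html|html|head|body|script|iframe)\b", head):
        return "html"
    return "unknown"


def claims_pdf(filename: str) -> bool:
    """The lure puts 'PDF' in the name while the real extension is .html."""
    name = filename.lower()
    return name.endswith(".pdf") or re.search(r"(?<![a-z0-9])pdf(?![a-z0-9])", name) is not None


def name_content_mismatch(filename: str, data: bytes) -> bool:
    return claims_pdf(filename) and sniff_type(data) != "pdf"


def iframe_hosts(data: bytes) -> list:
    """Hosts loaded via <iframe src=...>; in this kind of lure the credential
    form lives on a different, better-reputed host than the file itself."""
    hosts = []
    for src in re.findall(rb"<iframe[^>]*\bsrc\s*=\s*[\"']([^\"']+)", data, re.I):
        host = urlparse(src.decode("utf-8", "replace")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def eye_test(filename: str, data: bytes) -> list:
    """Findings a gateway rule or a trained user should raise for a downloaded
    'invoice'; an empty list means nothing looked inconsistent."""
    findings = []
    if name_content_mismatch(filename, data):
        findings.append(f"name says PDF but content is {sniff_type(data)}")
    for host in iframe_hosts(data):
        findings.append(f"HTML loads a remote frame from {host}")
    return findings


# Constructed samples, not the campaign's files.
LURE_NAME = "Payment Notification - PDF.html"
LURE_BYTES = (b'<!DOCTYPE html><html><body>'
              b'<iframe src="https://login.phish.example/o365/index.html" '
              b'style="width:100%;height:100%;border:0"></iframe></body></html>')
REAL_PDF_NAME = "invoice-2021-02.pdf"
REAL_PDF_BYTES = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_BYTES), (REAL_PDF_NAME, REAL_PDF_BYTES)):
        print(name, "->", eye_test(name, blob) or ["no findings"])
```

The content sniff is deliberately narrow: it is meant to catch the specific inconsistency the article describes, not to replace a full file-type identifier.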



Discussion

  • Stephen Hauser:

    Interesting attack flow but let us start with the first line of defense in email cybersecurity: DMARC email authentication. Not sure what this quote means (since the relevant headers were not supplied in your article or the blog): “The email was sent from a personal Gmail account via SendGrid,” Upadhyaya said. “This resulted in the email successfully passing authentication checks such as SPF, DKIM and DMARC.” Does “The email was sent from a personal Gmail account via SendGrid” mean that the header.from (5322.From) address domain was “gmail.com”? And does “email successfully passing authentication checks such as SPF, DKIM and DMARC” mean DMARC produced a “result” of “pass”? Or does it mean DMARC produced an “action” of “none”? If the header.from domain was “gmail.com” and the DMARC “result” was “pass” I would like to see the headers since this would be a big problem. I would suspect that the DMARC “result” was “fail” with an action of “none”. This is because for some unexplained reason Google has a DMARC policy of “none” on the “gmail.com” domain. This situation is compounded by the fact that many mass-email systems including SendGrid (the last I investigated) do not enforce much if any header.from domain control verification. This means that users can input any header.from domain while generating emails and if the said header.from domain (such as “gmail.com”) does not have a DMARC policy of “reject” or “quarantine” a DMARC “result” of “none” is produced even if the DMARC “result” was “fail”. In most receiving email systems with a default configuration this will have no effect on the incoming email flow. The simplest way to deal with this is to detect ALL emails that have a DMARC “result” of “fail” and at least add an appropriate warning banner. And depending on company cybersecurity policy redirect the email flow (i.e., junk folder, user quarantine, admin quarantine, drop). We have met the enemy and it is us.
    Until the industry becomes serious about generating emails that produce a DMARC result of “pass” and rejecting all emails that produce a DMARC result of “fail” we will be continuously bombarded with ever-increasing malicious phishing email because it is so easy to do. Ideally every domain would also have a DMARC policy of “reject” or “quarantine”. Last year Threatpost called out the airline industry on this issue https://threatpost.com/airline-dmarc-policies-lag-opening-flyers-to-email-fraud/158449/ . I would like to call out the cybersecurity industry on this issue. It is mind-boggling to me the number of cybersecurity companies without DMARC policies of “reject”, including gmail.com and armorblox.com (the blog that reported this savvy phishing campaign).
