Researchers are warning of a coordinated phishing attack that targeted “numerous” enterprise organizations last week.
The attackers behind the attack leveraged hundreds of compromised, legitimate email accounts in order to target organizations with emails, which pretended to be document delivery notifications. In reality, the phishing attack stole victims’ Office 365 credentials.
“The widespread use of hundreds of compromised accounts and never-seen-before URLs indicate the campaign is designed to bypass traditional threat intelligence solutions accustomed to permitting known but compromised accounts into the inbox,” said researchers with Abnormal Security, in a Monday analysis.
The attack starts with a lure convincing email recipients that they received a document. The email impersonates businesses like eFax, which is an internet fax service making it easy to receive faxes via email or online.
One sample email uses the legitimate eFax branding and has an email title: “Doc(s) Daily delivery #-0003351977.” It tells recipients, “You have a new fax!” and includes a small picture that is a sample image of a fax the recipient apparently received. The email also tells recipients to “click the attachment to view” and contains a link in a button that says “View Documents.”
The email appears to be legitimate and even has a tag at the bottom that markets eFax’s plans, telling recipients: “Tip: Switch to an annual plan – it’s like getting 2 months free every year! Call (800)958-2983 or email firstname.lastname@example.org[.]com.”
“The above example is one of many similarly crafted campaigns that originate from multiple compromised accounts,” said researchers. “The reason the bypass works is because the compromised email addresses are known and trusted by the organization based on prior and legitimate communications.”
The embedded URLs redirect to fake, never-seen-before Microsoft Office 365 phishing pages, said researchers. Hundreds of these phishing landing pages have been detected and are hosted on digital publishing sites like Joom, Weebly and Quip, they said.
The landing page again includes a sample fax image, Caller ID and reference number, and again tells recipients to “View Document.”
Here, “the attacker attempts to legitimize the campaign with official-looking landing pages similar to those used by eFax,” said researchers.
When the employee clicks this next “View Documents” link, they are taken to the final credential-phishing campaign.
Making detection and prevention of this campaign more difficult, “When one email is detected and caught, the attackers appear to be running a script that changes the attack to a new impersonated sender and phishing link to continue the campaign,” said researchers.
Microsoft Office 365 users have faced several sophisticated phishing attacks and scams over the past few months. In October, researchers warned of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aimed to steal Office 365 recipients’ login credentials. Also in October, an Office365 credential-phishing attack targeted the hospitality industry, using visual CAPTCHAs to avoid detection and appear legitimate.
Finally, earlier this month, a spearphishing attack spoofed Microsoft.com to target 200 million Microsoft Office 365 users in a number of key vertical markets, including financial services, healthcare, manufacturing and utility providers.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, Israel Barak, CISO at Cybereason and Limor Kessem, Executive Security Advisor at IBM Security on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.