A phishing campaign that uses legitimate organizations’ Office 365 infrastructure to send emails has emerged onto the cyberscam scene.
According to Michael Tyler at PhishLabs, cybercriminals are looking to compromise Microsoft Office 365 administrator accounts to send out phishing lures – thus ensuring the emails come from legitimate, validated domains.
“This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email,” he explained, in a recent posting on the campaign. “Well-established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.”
The adversaries are gaining access to legitimate Office 365 installations with administrative privileges (via phished, brute-forced or stolen credentials). Office 365 admins have administrative control over all email accounts on a domain, so the cyberattackers are using those privileges to set up a new account in the system. Then, the lures are sent out from that freshly created account.
“By using a created account, the attacker does not need to worry about a legitimate user stumbling upon the malicious activity taking place, either by observing outgoing mail or receiving automated responses from failed delivery attempts,” Tyler explained.
For now, the crooks are going after other Office 365 credentials. In the scam emails (which use either an “Action required!” or a “We placed a hold on your account” subject line), targets are presented with a link that leads to a spoofed login page for Office 365. However, the attackers could use their access for other malicious activities, Tyler pointed out.
“Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain,” he said. “In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.”
This technique of leveraging the reputation of a compromised domain to distribute phishing emails is being seen in a “spray-and-pray,” non-targeted campaign that has hit a wide variety of enterprises and industries, according to PhishLabs analysis. The firm said that multiple validated domains have been compromised in order to send out phishing lures.
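As an added example (not code from PhishLabs or Threatpost), the following Python check illustrates how a defender could hunt for the pattern described above: an account that is created by an admin and then, within a short window, sends a burst of mail to external recipients. The record schema, field names and sample records are constructed and simplified, not the exact Office 365 audit-log or message-trace export format.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample records in a simplified schema loosely modelled on the
# Office 365 unified audit log and message trace output. Field names are
# assumptions for illustration, not the real export format.
AUDIT_EVENTS = [
    {"CreationTime": "2019-11-04T09:12:00", "Operation": "Add user.",
     "UserId": "admin@example.com", "ObjectId": "billing-notice@example.com"},
    {"CreationTime": "2019-11-01T14:00:00", "Operation": "Add user.",
     "UserId": "admin@example.com", "ObjectId": "new.hire@example.com"},
]

MESSAGE_TRACE = [
    # Freshly created account mailing many external recipients within the hour.
    *[{"Received": f"2019-11-04T09:{40 + i:02d}:00",
       "SenderAddress": "billing-notice@example.com",
       "RecipientAddress": f"user{i}@victim{i}.org",
       "Subject": "Action required!"} for i in range(6)],
    # Legitimate new hire: low volume, internal recipient, days after creation.
    {"Received": "2019-11-03T10:00:00", "SenderAddress": "new.hire@example.com",
     "RecipientAddress": "team@example.com", "Subject": "Hello"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_new_senders(audit_events, trace, org_domain,
                                window=timedelta(hours=24), min_external=5):
    """Return (account, external_count, created_by) for accounts that were
    created and then sent >= min_external external messages within `window`."""
    created = {e["ObjectId"].lower(): (parse_ts(e["CreationTime"]), e["UserId"])
               for e in audit_events if e["Operation"] == "Add user."}
    counts = defaultdict(int)
    for msg in trace:
        sender = msg["SenderAddress"].lower()
        if sender not in created:
            continue  # only newly created accounts are of interest here
        created_at, _ = created[sender]
        sent_at = parse_ts(msg["Received"])
        recipient_domain = msg["RecipientAddress"].rsplit("@", 1)[-1].lower()
        if created_at <= sent_at <= created_at + window and recipient_domain != org_domain:
            counts[sender] += 1
    return sorted((acct, n, created[acct][1])
                  for acct, n in counts.items() if n >= min_external)
```

Thresholds such as the 24-hour window and the five-message minimum are tuning knobs; the creating admin is returned alongside the account so the admin credential itself can be reviewed.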
Trends in Phishing Tactics
According to Vade Secure’s “Phishers’ Favorites” report for Q3 2019, unique Microsoft phishing URLs detected in Q3 2019 were down by 31.5 percent compared to the second quarter. However, Office 365 phishing attacks are still very common, with more than 150 unique URLs appearing per day, the Vade data shows.
Office 365 phishing techniques have also gotten savvier as defenses and user awareness have gotten better, according to the report.
“Cybercriminals are always evolving their phishing tactics, and each quarter we see them becoming smarter and more innovative in order to keep up with the defenses being deployed by email users and businesses,” said Adrien Gendre, chief solution architect at Vade. “Despite the drop in related Microsoft phishing URLs, it’s important for organizations to remain on high alert as our researchers have uncovered a number of new and sophisticated methods of attacking Office 365 users.”
For instance, some phishers have shifted toward email randomization, such as using a modified brand logo (e.g. the Microsoft logo on a blue background) in order to bypass template-matching and feature-matching algorithms that can only identify exact matches of the image, according to the report.
“Moreover, cybercriminals have begun to shift their focus to the construction of the email, leveraging various randomization techniques to break through traditional defense layers,” according to the Vade report. “This minimizes the need for unique URLs for each message because the phisher is able to reuse the same webpage across a large number of emails.”
Interestingly, in Q3, PayPal overtook Microsoft to claim the top spot for the number of unique phishing links related to it. Netflix meanwhile moved up to the third spot with a 14.1 percent increase quarter-over-quarter and a 73.7 percent year-over-year growth in unique phishing URLs.