A new phishing scam is on the rise, targeting executives in the insurance and financial services industries to harvest their Microsoft 365 credentials and launch business email compromise (BEC) attacks, according to a new report from Area 1 Security.
These new, sophisticated attacks are aimed at C-suite executives, their assistants and financial departments, and can work around email security and Office 365 defenses. Researchers added that most of the attacks they intercepted attempted to breach financial departments. They said the attacks started last December and continued through February.
“By targeting the financial departments of these companies, the attackers could potentially gain access to sensitive data of third parties through invoices and billing, commonly referred to as a BEC (Business Email Compromise) attack,” researchers said in the Thursday report. “This enables the attackers to send forged invoices from legitimate email addresses to suppliers, resulting in payments being made to attacker-owned accounts.”
These threat actors also specifically look for new CEOs during their transition periods, when they’re likely onboarding for payroll and other internal systems.
“This particular phishing campaign targeted 40 of Area 1 Security’s clients across numerous industries,” Maaz Qureshi, Threat Response Analyst with Area 1 Security, told Threatpost. “The most targeted were within insurance and financial services. Judging from the size of this campaign, there are certainly many more organizations outside of our scope that have been targeted by these malicious actors.”
Anatomy of the Attack
In one version of the campaign, targets get a spoofed Office 365 security update, sent from domains with Microsoft-themed names to make them seem even more legitimate, researchers explained. The scammers have also properly configured SPF records to get by authentication protections, they added.
“In an effort to further avoid detection, the threat actors leveraged their Microsoft-imposter domains in the phishing attacks not long after they were registered,” the report explained. “This quick domain registration turnaround is a common tactic employed by scammers hoping to bait as many victims as possible before their newly registered domains are identified as phishing infrastructure.”
Another version of the attack involves taking over other accounts to send the phishing messages. The attackers spoof email addresses of known senders to evade detection.
The goal of the phishing email is to dupe victims into clicking on the “Apply Update” button, disguised as a security update, which takes them to a spoofed Office 365 login page.
“For both the HTML and HTM attachments, the credential harvesting site would automatically load in the victim’s browser once the file was opened,” researchers said.
Once the attachment is opened, an HTML “meta” refresh applied by the threat actors loads the credential harvesting site, which appears to be a Microsoft “Privacy Statement.” Victims who are duped into clicking on “Accept” are taken to a page that looks “identical” to the real thing, according to researchers.
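A defensive check for the delivery step described above, as an added example that is not from Area 1's report or from Threatpost: it walks a message's HTML/HTM attachments and reports any "meta" refresh that redirects to a web URL. The sample message, its addresses and the `harvest.example` domain are constructed placeholders, and `refresh_redirects` is a hypothetical helper name.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not taken from the report); all domains are placeholders.
SAMPLE_EML = """\
From: "Security Update" <noreply@update.example>
To: cfo@victim.example
Subject: Office 365 security update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached update.
--b1
Content-Type: text/html; name="update.htm"
Content-Disposition: attachment; filename="update.htm"

<html><head><META HTTP-EQUIV="Refresh" CONTENT="0; URL='https://login.harvest.example/privacy'"></head></html>
--b1--
"""

class MetaRefreshFinder(HTMLParser):
    """Collects the redirect targets of <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lowercases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://..." with optional quotes
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1))

def refresh_redirects(raw_eml):
    """Return (filename, url) for each HTML/HTM attachment that auto-redirects to a web URL."""
    hits = []
    for part in message_from_string(raw_eml).walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".html", ".htm")):
            continue  # only the attachment types named in the report
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        finder = MetaRefreshFinder()
        finder.feed(body)
        hits += [(name, u) for u in finder.targets if urlparse(u).scheme in ("http", "https")]
    return hits
```

A mail gateway or triage script could quarantine messages for which this returns a non-empty list, since legitimate HTML attachments rarely redirect the browser on open.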
“In some cases, the attackers were even more stealthy by prefetching the localized Office 365 sign-in,” Area 1 said. “If the victim entered their email address, the attacker would verify it was a valid Office 365 address. In instances where the entered email address used Conditional Access, a different single sign-on (SSO), Active Directory Federation Services (ADFS), etc., the phishing kit would essentially break and the victim would simply be redirected to the legitimate sign-in experience.”
After a target submits their password, the threat actors have full control of their email and any other systems where the same password was used, researchers warned.
The attackers have employed a couple of new tactics for this attack, including the use of free front-end web development tools to create the fake Microsoft pages and the use of websockets to capture screenshots of the victim’s activity after each click and send them to the attackers.
“In particular when a victim clicked the ‘Next’ button after entering their email address and password,” the report added.
Microsoft is the Phishing Lure of Choice
What is not new is the use of Microsoft-related lures, including Office 365 and Teams in BEC attacks. Just recently, Cofense released a report which found that 45 percent of all the phishing emails sent in 2020 were Microsoft-themed.
“With the number of organizations migrating to Office 365, targeting these credentials allows the threat actor to gain access to the organization as a legitimate user to go undetected,” researchers with Cofense told Threatpost. They added that they “highly recommend organizations enable [multi-factor authentication] along with their [Office 365] migration/implementation.”
Office 365 is a treasure trove of exploitable data, because it is so widely used by a remote workforce relying on the service as a central repository for data.
“SaaS platforms like Office 365 are a safe haven for attacker lateral movement, making it paramount to focus on user access to accounts and services,” Chris Morales with Vectra told Threatpost. “When security teams have solid information and expectations about SaaS platforms such as Office 365, malicious behaviors and privilege abuse are much easier to quickly identify and mitigate.”
To avoid such attacks, “when receiving an email that claims to originate from internally and requires clicking on a link or downloading an attachment, it is best practice to confirm the authenticity of the email,” Qureshi told Threatpost. “All employees should be versed in basic cybersecurity, such as refraining from clicking on external, unknown links,” he said.