Phishing Campaign Targeting Office 365, Exploits Brand Names

Attackers use trusted entities to trick victims into giving up their corporate log-in details as well as to bypass security protections.

Researchers have discovered a sophisticated new phishing campaign that uses recognized brand names to bypass security filters as well as to trick victims into giving up Microsoft Office 365 credentials to gain access to corporate networks.

A new report from Check Point Software first observed the attacks—the majority of which targeted European companies, with others seen in Asia and the Middle East–in April, when they discovered emails sent to victims titled “Office 365 Voice Mail.”

The emails tried to lure victims into clicking on a button that would take them to their Office 365 account to retrieve a voice message that was waiting in their voice portal, they said. If victims took the bait, they were redirected to what appeared to be the Office 365 login page but what was actually a phishing page, researchers said.

At first the attacks seemed to be “classic Office 365 phishing campaign,” Check Point manager of threat intelligence Lotem Finkelsteen said in the report. However, when researchers peered under the hood, they found more of a “masterpiece strategy” that leverages “well-known and reputable brands to evade security products on the way to the victims,” he said.

“Nowadays, this is a top technique to establish a foothold within a corporate network,” Finkelsteen said. “Access to corporate mail can allow hackers unlimited access to a company’s operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords and even addresses of a company’s cloud assets,”

It’s no simple feat to pull this type of attack, however. The level of sophistication required those behind the campaign to gain access to Samsung and University of Oxford servers unnoticed, which in turn requires a deep understanding of how they work, he added.

In the campaign, researchers observed hackers using a Samsung domain hosted on an Adobe server that was left unused since 2018’s Cyber Monday event in a technique called “open redirects,” allowing themselves “the façade of a legitimate Samsung domain to successfully trick victims,” researchers said.

The method is basically a URL on a web site that can be used by anyone to redirect users to another site, adding legitimacy to URLs used in malicious emails. In this case, the links in the email redirected to the previously used Adobe server, making the link used in the phishing email “part of the trusted Samsung domain stem–one that unknowingly redirects victims to a website hosted by the hackers,” researchers said in the report.

“By using the specific Adobe Campaign link format and the legitimate domain, the attackers increased the chances for the email to bypass email security solutions based on reputation, blacklists and URL patterns,” they wrote.

Other campaigns observed over the past year also show hackers using Google and Adobe open redirects in phishing campaigns to add legitimacy to the URLs used in the spam emails, they added.

The emails themselves also used a recognized brand to bypass security protections; they mainly originated at multiple generated addresses belonging to legitimate subdomains from different departments at the University of Oxford, according to the report. This demonstrates that hackers somehow found a way to abuse one of Oxford’s simple mail transfer protocol (SMTP) servers to pass the reputation check required by security measures for the sender domain, researchers wrote.

Check Point said it has informed Oxford University, Adobe and Samsung of its findings so they can take appropriate actions.

Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about itPlease register here for this Threatpost webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.