Cybercriminals are targeting Office 365 users in a convincing new phishing campaign, Microsoft Security Intelligence (MSI) warns. Malicious attackers are using strongly-spoofed email addresses and other “crafty” tricks that let malicious emails bypass phishing filters undetected.
Phishing Attack Targets Microsoft Office 365 users
With more than one million companies using Microsoft Office around the world, cybercriminals have launched a malicious credential-stealing campaign that could allow them corporate network access—one of the hottest new moneymakers on the dark web.
While some phishing attacks can be easy to spot, Microsoft noted this attack was engineered and executed particularly well. Cybercriminals are sneaking realistic phishing emails past filters and targeting Office 365 users that often share files with colleagues within an organization.
“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters,” MSI said in a tweet.
Phishers use a SharePoint lure in the display name and in the body of the email, which poses as a “file share” request, MSI said. This prompts the victim to download a file (for example, an Excel spreadsheet) that might read: “Staff Reports”, Bonuses”, “Pricebook Changes”, or some other relevant business content.
The link is not actually a download, but rather carries the user to a spoofed, hacker-controlled site where they might be duped into entering their Microsoft or company login credentials or other sensitive information.
A “Campaign Even Sneakier Than Usual”
Microsoft called this campaign “even sneakier than usual,” as it employs several tactics. First, the emails are loaded with Microsoft logos and other convincing details, and secondly, the phishing attack manages to bypass sandboxes through multiple sign-ins.
The emails contain two links, the first using a Google storage resource that directs users to a domain on AppSpot—Google’s cloud-based web app hosting platform. This prompts a user sign in.
The second URL comes as a notification on the site and connects the victim to a compromised SharePoint site, MSI said. The two URLs also use typosquatting (URL highjacking) techniques where cybercriminals register domains that are just a few letters off from a real site.
“The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page,” MSI said in a tweet.
“These plus a load of other detection evasion techniques make this campaign even sneakier than usual, but Microsoft Defender for Office 365 detects and blocks these emails.”
Microsoft Impersonated More than Any Other Brand
A recent study from cloud-computing security firm Barracuda noted that there has been a “dramatic increase” in spear phishing attacks on companies since June 2020. Almost half of those attacks were cybercriminals pretending to be a legitimate brand—namely, Microsoft.
“Taking on the identity of a well-known and trusted brand is an old trick that many hackers use,” Barracuda said.
“People tend to expect to see communication that comes from our favorite brands, and that makes them more likely to trust it. The top three brands used in phishing impersonation attacks—Microsoft, WeTransfer, and DHL—have stayed consistent since 2019.”
During 12 months of research, the firm said Microsoft was used in 43% of phishing attacks, while WeTransfer was used 18%, DHL 8%, and Google 8%.
Barracuda said the aims of these attacks were simple—cybercriminals want to steal login credentials and gain access to corporate networks. Once the network is breached, hackers can launch further cyberattacks, including ransomware.