Phishing campaigns that Microsoft security researchers have been pursuing for years underscore not only the continuing success of hackers' social engineering efforts to compromise systems, but also the lengths to which bad actors go to cover their tracks while stealing user data. Last month, Microsoft's Security Intelligence Team was alerted that Microsoft 365 users and administrators were facing a clever new phishing attempt. The attack, discovered and described in detail by cybersecurity researchers at Menlo Security, was a phishing email containing a link to a website that posed as a Microsoft Office 365 login portal.
The phishing campaign, which is ongoing and more sophisticated than most, is aimed at Office 365 users and organizations and relies on a number of compelling lures. It uses fake sender addresses and target-specific domains to look as legitimate as possible and to pass through automated email filters.
Most of the phishing emails are sent from a Microsoft-themed address; the sender domain is configured with SPF records, and the message is designed to look like a Microsoft notice containing a fake warning about an important service change or security update. In some cases the attacker inserts the target's full name into a PDF attachment containing edited target information, including the target's full name, email address and company logo. The most commonly observed campaigns, run with advanced phishing kits, create different subdomains based on the target's email address and use encoded URLs.
These messages aim to trick users into revealing important data such as usernames and passwords, which attackers can then use to compromise system accounts. The URLs in the malicious emails lead to Office 365 phishing pages that prompt the user to enter credentials. Some emails urge users to try Microsoft 365's "new features", which supposedly allow account holders to reclaim emails flagged as phishing or spam.
Cybercriminals use phishing, a fraudulent effort to obtain sensitive information such as credit card details and login details, by posing as a trustworthy organisation or person in email communications. A phishing campaign is carried out through email spoofing: the email instructs the recipient to enter personal information on a fake website that looks identical to a legitimate one. A classic version of the scam sends an email with a message purporting to come from a major bank to millions of people, the attacker counting on at least some recipients being customers of that bank.
Attackers also craft messages that target a specific person, which is called spear phishing. Spear phishing emails appear to come from someone who knows the target, such as an employee of the target's company or someone on the target's network. Phishers use information from websites such as LinkedIn to identify their targets and use fake addresses to send emails that look as if they come from colleagues.
Microsoft says a year-long, evasive spear phishing campaign targeted Office 365 customers in several waves of attacks starting in July 2020. The campaign lures victims with invoice-themed emails (the "xl.shtml" theme) and attachments carrying information about the potential victim, such as email addresses and company logos. Attackers use phishing kits and a number of sophisticated methods to make these Microsoft Office 365 phishing campaigns more convincing to their targets. This suggests that threat actors collect data about their targets through intelligence gathering and staged attacks in order to increase the effectiveness of their social engineering.
This ongoing phishing campaign, aimed at user data, uses sophisticated techniques to bypass email security gateways and social engineering tactics to entice company employees to visit websites where login data is harvested. The attackers forge their email address so that it appears to come from someone else, set up fake websites resembling ones the victim trusts, and use foreign (non-Latin) characters to build disguised lookalike URLs. Once recipients are convinced to enter their Microsoft credentials on a phishing site, they hand them over to the attackers, who then use the credentials for a number of malicious purposes, including account takeover.
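The disguised URLs described above (lookalike Microsoft-themed domains, target-specific subdomains, and hostnames built from foreign characters) can be flagged on the defender's side before a user ever clicks. The following is an added example, not code from the original article or from Microsoft: it scans an email body for links, decodes punycode (xn--) hostnames, flags labels that mix Unicode scripts or use a non-Latin script, and flags brand keywords appearing outside an allowlist of genuine Microsoft domains. The allowlist, the brand keywords, and the "last two labels" notion of a registrable domain are simplifying assumptions; the sample email body is constructed.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Brand keywords the phishing pages imitate, and an allowlist of genuine Microsoft
# login domains (both assumed for this example; extend them for real deployments).
BRAND_KEYWORDS = ("microsoft", "office365", "office", "outlook")
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "outlook.com", "live.com"}
URL_RE = re.compile(r"https?://[^\s<>\"'()]+", re.IGNORECASE)

def decode_host(host):
    """Turn a punycode (xn--) hostname back into Unicode; raw Unicode hosts pass through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def label_scripts(label):
    """Unicode scripts used by the letters of one hostname label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def registrable_domain(host):
    """Last two labels (simplification: no public-suffix list), e.g. 'microsoft-login.net'."""
    return ".".join(host.split(".")[-2:])

def assess_url(url):
    """Return the reasons this URL looks like a disguised or lookalike link (empty list if none)."""
    host = decode_host((urlparse(url).hostname or "").rstrip(".")).lower()
    reasons = []
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            reasons.append("mixed-script label: " + label)
        elif scripts and scripts != {"LATIN"}:
            reasons.append("non-Latin label: " + label)
    if registrable_domain(host) not in LEGIT_DOMAINS and any(k in host for k in BRAND_KEYWORDS):
        reasons.append("brand keyword outside allowlisted domain: " + host)
    return reasons

def scan_email_body(body):
    """Map every URL found in an email body to its list of reasons."""
    return {url: assess_url(url) for url in URL_RE.findall(body)}

# Constructed sample body (not from the article): one genuine link, one raw homoglyph host
# (Cyrillic 'о', U+043E, in place of Latin 'o'), its punycode form, and a themed lookalike domain.
PUNYCODE_HOST = "micr\u043esoft.com".encode("idna").decode("ascii")
SAMPLE_BODY = (
    "Action required: review your mailbox at https://login.microsoftonline.com/ \n"
    "or verify here: https://micr\u043esoft.com/login \n"
    f"alternate: https://{PUNYCODE_HOST}/login \n"
    "update: https://office365-security-update.net/verify"
)

if __name__ == "__main__":
    for url, reasons in scan_email_body(SAMPLE_BODY).items():
        print(url, "->", reasons or ["ok"])
```

A hit is a triage signal, not proof of phishing: legitimate internationalized domains also use non-Latin scripts, so pair this with sender-domain checks (SPF/DMARC alignment) rather than blocking on it alone.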
Research published by Vectra in October found that attackers can use compromised Microsoft accounts to access other user accounts in the target organization and to perform command-and-control communications, among other things. Once email accounts are accessed and used for further phishing attacks, business email can be compromised by the scam, since mailboxes contain a wealth of sensitive data, including protected health information.
Microsoft explained that Defender for Office 365 can detect and remediate phishing email campaigns, but a recent Ironscales study revealed that many email security gateways cannot stop complex phishing threats. Even unskilled attackers can use business email compromise (BEC) attacks to infiltrate the Microsoft accounts of target organizations. While the attacks are elaborate, social engineering has often been the driver of such phishing campaigns, which need only a little personalization to convince targets to share login credentials or company resources, or to install malicious apps, said Hank Schless, senior security partner at the cybersecurity firm Lookout, as quoted by eSecurity Planet.
The credential-phishing campaign employed a variety of sophisticated techniques, including spoofing various Microsoft 365 service updates, using Microsoft-themed sender domains, bypassing email authentication, and delivering PDF and HTML attachments generated by an advanced phishing kit. The larger operation uncovered included several other related phishing campaigns targeting the same positions in the industry, also using sophisticated techniques from the same kit and likewise bypassing Microsoft's native email defenses and email authentication.
The largest Microsoft 365 spoofing campaign bypassed Microsoft 365 native defenses and other email security measures while targeting finance departments, C-suite executives, and executive assistants in the financial services, insurance, and retail industries. In some cases, attackers targeted selected CEOs before their appointments were made public. In May, a convincing campaign that faked notifications from Microsoft Teams to steal Office 365 credentials from employees spread across two separate attacks targeting up to 50,000 different Teams users.
As part of the initial discovery of the Nobelium campaign, which MSTIC described in an extensive blog post in February, we identified a wave of phishing emails that used Google Firebase to stage malicious ISO files and used Firebase to record attributes of those who accessed the URLs.