According to a blog post by researchers at Phishlabs, hackers bait users with a fake Microsoft email with an Office 365 logo, but coming from multiple valid domains that don’t belong to Microsoft. On clicking the link, victims see a spoofed login for Office 365.
Researchers said that these cyber-criminals have targeted administrative credentials.
"Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain," said Michael Tyler, senior operations manager at Phishlabs.
These administrators often have privileges on other systems within an organisation, potentially allowing further compromises. With a compromised admin account, attackers can create new accounts within the organisation to abuse single-sign-on systems.
This particular attack used a legitimate organisation’s Office 365 infrastructure as many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email.
"Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures," said Tyler.
He added that in this attack, the hacker gained some level of administrative control over the sender’s Office 365 installation.
"Once done, they created a new account, which was then used to distribute the campaign. The creation of a separate account to distribute their phishing campaign is another technique used to avoid detection by the compromised organisation," he said.
"By using a created account, the attacker does not need to worry about a legitimate user stumbling upon the malicious activity taking place, either by observing outgoing mail or receiving automated responses from failed delivery attempts."
Steven Peake, pre-sales manager UK&I at Barracuda Networks, told SC Media UK that users should very careful when clicking on links or attachments in an email, even if you know the sender.
"Secondly, for links in particular, it’s always safer to open a browser and type in the address link. Finally, never use the same password for multiple accounts. This prevents a successful attack from exposing more than one set of credentials. As employees may not always recognise or report malicious emails, conducting proactive investigations is key to ensure that attacks don’t get through the net," he said.
Corin Imai, senior security advisor at DomainTools, told SC Media UK that this campaign coming from Office 365 validated domains just demonstrates how much awareness is important, but can’t be an organisations’ only line of defence.
"Even the most careful user could fall for certain particularly well-crafted scams, which is why training should augment email security policies, but strong email filtering systems should also be in place to protect this vulnerable attack vector," she said.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout