Microsoft Warns of Office 365 Phishing Attacks

Microsoft’s Security Intelligence team is warning users of the Office 365 suite about an ongoing phishing campaign that appears to be harvesting victims’ credentials.

The phishing emails, which are currently circulating, use several techniques to evade secure email gateways. The criminals rely on social engineering and timely subject lines relevant to remote work, such as password updates, conferencing information, and helpdesk tickets, to lure victims into clicking links in the emails and entering their credentials, which are then harvested.

The evasion techniques, combined with heavy obfuscation of the malicious messages within the HTML code, help make this phishing campaign difficult to detect.

Avoiding Detection

After examining some of the phishing emails, the Microsoft researchers noted several ways that the criminals are attempting to avoid security tools. For example, they are using redirector URLs that can detect connections stemming from sandbox environments, which are typically used by analysts to detect these types of attacks.

According to the report, each of the redirector sites uses a subdomain that contains a username and the organization’s domain name to help increase the authentic look of the phishing email.

“This unique subdomain is added to a set of base domains, typically compromised sites,” according to Microsoft. “Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.”

“If the redirector detects that it’s being accessed from a sandbox environment or if the URL has expired, it redirects to legitimate sites, such that it can evade automated analysis, and only actual users reach the phishing site,” Microsoft reports.
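The URL structure Microsoft describes (a subdomain built from the recipient's username and organization domain, an extra dot after the TLD, and the Base64-encoded recipient address after it) can be turned into a simple triage check for URLs pulled from mail or proxy logs. The Python below is an added example, not code from Microsoft or this article; the sample URLs, hostnames and the `jdoe@example-corp.com` address are constructed.

```python
import base64
import re
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample URLs, not real indicators. The first follows the reported
# pattern: <username>.<org domain>.<base domain>. then the Base64 recipient address.
SAMPLE_URLS = [
    "https://jdoe.example-corp.com.compromised-site.example./amRvZUBleGFtcGxlLWNvcnAuY29t",
    "https://portal.example.com/login",
]


def decode_base64_email(segment: str):
    """Return the email address if `segment` is Base64 (standard or URL-safe)
    that decodes to a plausible address, otherwise None."""
    padded = segment + "=" * (-len(segment) % 4)  # tolerate stripped padding
    try:
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if EMAIL_RE.match(text) else None


def analyze_url(url: str) -> dict:
    """Check one URL for the three traits the report describes and flag it
    when at least two are present, so a lone Base64 path segment is not enough."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.strip("/")
    first_segment = path.split("/")[0] if path else ""
    email = decode_base64_email(first_segment)
    traits = {
        "trailing_dot_after_tld": host.endswith("."),
        "base64_recipient_in_path": email is not None,
        "recipient_org_in_subdomain": False,
    }
    if email:
        local, _, domain = email.partition("@")
        # Reported layout: the recipient's username and org domain lead the hostname.
        traits["recipient_org_in_subdomain"] = host.startswith(f"{local.lower()}.{domain.lower()}.")
    return {"url": url, "recipient": email, **traits, "suspicious": sum(traits.values()) >= 2}


def triage(urls):
    """Return the analysis records for every URL that is flagged suspicious."""
    return [r for r in (analyze_url(u) for u in urls) if r["suspicious"]]


if __name__ == "__main__":
    for record in triage(SAMPLE_URLS):
        print(record)
```

Because the decoded address names the targeted user, a flagged record also tells the responder whose mailbox and credentials to check first.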

Microsoft also warns that the phishing emails use social engineering techniques based on work-from-home scenarios to get potential victims to click on a malicious link. The subject lines include “Password Update,” “Exchange protection,” “Helpdesk-#,” “SharePoint,” and “Projects_communications.”

Microsoft doesn’t describe how the Office 365 credentials are harvested in this campaign. But a sample email shows a malicious link that asks for a password reset. If clicked, this link could lead to a phishing landing page where a user would enter credentials, which the fraudsters would then harvest.

If you have questions about IT security and how to keep your bank safe in a changing threat landscape, call ITPAC today.