Getty Images

Phishing Campaigns Targeting Office 365 Credentials, Spoofing Exchange

A recent spear-phishing campaign is actively targeting Microsoft Office 365 users in an effort to steal user credentials, while another is spoofing Microsoft Exchange Online Protection.

Recent spear-phishing campaigns are again targeting Microsoft Office 365 users in an effort to steal user credentials, while one campaign spoofs Microsoft Exchange Online Protection (EOP), according to recent reports from IRONSCALES and Abnormal Security.

Nearly 200 million O365 users across the globe and particularly in the healthcare, insurance, financial services, manufacturing, utilities, and telecom sector, are being targeted by the spoofing campaign, IRONSCALES researchers explained.

The well-coordinated attacks were first observed about two weeks ago and is deployed using an exact domain spoofing technique. The method refers to an email sent using a fraudulent domain that precisely matches the domain of the spoofed brand.

For the latest campaign, IRONSCALES detected emails that appear highly legitimate in an effort to take advantage of a recent O365 capability allowing emails to be reclaimed that have previously been marked as spam or phishing emails.

“Specifically, the fraudulent message is composed of urgent and somewhat fear-inducing language intended to convince users to click on what is a malicious link without hesitation,” researchers explained.

“As inferred by the message, the link will redirect users to a security portal in which they can review and take action on ‘quarantined messages’ captured by the EOP filtering stack, the new feature that has only been available since September,” they added.

If the user interacts with the link, they’re asked to input their O365 credentials into the fake login page designed to appear as a legitimate Microsoft online site. The hackers are harvesting credentials to likely obtain confidential information, launch financial fraud attempts, for online sales, or to steal proprietary data.

Exact domain spoofs are not entirely sophisticated attack methods for email gateway controls to detect, and researchers explained that both non cloud-native and legacy email tools may efficiently stop some of these attacks.

“The reason why SEGs can traditionally stop exact domain spoofing is because, when configured correctly, this control is compliant with the domain-based message authentication, reporting & conformance (DMARC), an email authentication protocol built specifically to stop exact domain spoofing,” researchers noted.

“To the naked eye, the most suspicious element of this attack would be the sense of urgency to view the quarantined messages or the unusualness of receiving this type of email solicitation,” they added.

However, it appears that Microsoft does not always enforce the DMARC protocol, which means some of these attacks are not being rejected by gateway controls.

The attack method bears hallmark to a recent campaign observed by Cofense, where hackers send phishing emails that rely on message quarantine notices. These emails claim certain messages failed to properly process and will need to be reviewed or they risk deletion.

'Doc Delivery' Attacks

According to Abnormal Security, a widespread, coordinated spear-phishing campaign has been observed targeting a range of enterprise organizations in the last week. The hackers were able to successfully compromise hundreds of legitimate accounts, which they’ve used to send emails in rapid succession to connected organizations.

The ‘Doc Delivery’ attacks send emails that impersonate businesses like eFax, including personalized notifications. Researchers explained that the clever tactic of sending an eFax notification from an unrelated, compromised account is designed to ensure the phishing emails bypass traditional threat-intelligence.

Threat actors have increasingly leveraged the technique of sending further phishing messages from compromised accounts, as these messages are typically trusted by email security solutions given prior, legitimate conversations -- even if the message contains malicious signals, like phishing links.

If a user interacts with the malicious link contained in the body of the email, they’re instead directed to a fake, Microsoft O365 spear-phishing page. The researchers noted that the pages are hosted on digital publishing sites, including Quip, Weebly, and Joom and are adequately disguised to appear as legitimate eFax landing pages.

The researchers have observed hundreds of these spear-phishing domains.

“When one email is detected and caught, the attackers appear to be running a script that changes the attack to a new impersonated sender and phishing link to continue the campaign,” researchers explained.

“The widespread use of hundreds of compromised accounts and never-seen-before URLs indicate the campaign is designed to bypass traditional threat intelligence solutions accustomed to permitting known but compromised accounts into the inbox,” they added.

Given the volume and spread of this phishing campaign, Abnormal Security said it appears the attackers are highly motivated.

As spear-phishing education drastically reduces the risk posed by malicious emails, enterprise organizations should remind employees that phishing emails are more than likely to appear as legitimate messages. Spear-phishing insights from Europol can also shed light on appropriate security measures needed to shore up email-based threats.

Next Steps

Dig Deeper on Cybersecurity strategies