Phishing Campaign Used Fake Office 365 Update Messages
Area 1 Researchers Say Fake Microsoft Messages Designed to Steal Credentials
A recent phishing scheme used fake Microsoft Office 365 update messages to target financial executives and others in an effort to harvest their credentials, according to the security firm Area 1.
"We identified over 100 targeted individuals across 40 companies from numerous industry verticals," says Adin Drabkin, security researcher for Area 1. "Judging by the nature and diversity of targeting of this campaign, there are likely many more organizations outside of our scope that could have been targeted by these actors."
The phishing campaign, which ran from December through February, targeted specific employees based on their position and time on the job with the company, Area 1 researchers say. The attackers primarily targeted organizations in the financial services, insurance and retail sectors. They used malware to bypass Microsoft's native email defenses and authentication processes, according to the Area 1 report.
"Unlike the 'spray and pray' method often seen with these types of cybercriminal-driven credential-harvesting campaigns, this limited activity suggests a more targeted approach," the research team said.
The attackers sent well-crafted phishing emails portrayed as being about Office 365 updates to high-level executives and others with access to important credentials. The emails included a malicious attachment that could load data-harvesting malware.
The attackers used Microsoft-themed sender domains, which let their messages pass email authentication, and delivered the payload in PDF, HTM or HTML attachments. They also used advanced phishing kits, the report notes.
The campaign used nine domains; four were fake, while the others were compromised legitimate domains, the researchers determined.
"While we cannot attribute these campaigns with 100% certainty to a specific group or [determine] which exact phishing kit they may be using, there was evidence that the attackers leveraged Russia-based registration and hosting services for many of the sender domains," Drabkin says. "However, this could easily be a false flag used to stifle attribution."
The researchers note that the majority of the phishing emails were sent to individuals in an organization's financial department because their credentials, if stolen, could have given the attackers access to a wide variety of sensitive information that they could use to further attack the organization, its customers or other third parties. The attackers also targeted C-suite members and their executive assistants.
Sometimes, the attackers attempted to single out newly appointed CEOs unfamiliar with a company's software update procedures, the researchers say.
The phishing emails, offering a fake message about an Office 365 update, had the subject line "Important Service Changes," Area 1 says. To make the emails appear legitimate, they often had registered Microsoft-themed sender domains and included sender names of people who worked at the targeted company, the researchers say.
"The attackers also properly configured the [Sender Policy Framework] records for these domains to better ensure their messages passed email authentication. To further avoid detection, the threat actors leveraged their Microsoft-imposter domains in the phishing attacks not long after they were registered," the researchers say.
The fake "update" was usually stored in a malicious attachment. The attachment had instructions on initiating the process or simply included an "Apply Now" icon. Area 1 describes the attackers' phishing kit as highly advanced and capable of avoiding Microsoft Office 365 and other email defenses.
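The traits described above (a Microsoft-themed sender domain that is not one Microsoft actually sends from, a passing SPF result on a domain registered only days earlier, a display name borrowed from a real employee, the "Important Service Changes" subject line, and a PDF/HTM/HTML attachment) can each be turned into a gateway triage signal. The following is an added example, not code from Area 1 or from the article, that scores constructed sample messages on those signals; the allowlist of Microsoft sending domains, the 30-day "new domain" threshold, the employee list and the domain registration dates are all assumptions made for the example, and the registration date would normally come from a WHOIS/RDAP lookup rather than a field on the message.

```python
from datetime import date

# Assumed allowlist of domains Microsoft legitimately sends from (assumption for
# this example; a deployment would maintain its own list).
KNOWN_MICROSOFT_DOMAINS = {"microsoft.com", "office.com", "outlook.com"}

# Tokens that make a sender domain "Microsoft-themed" when it is NOT allowlisted.
BRAND_TOKENS = ("microsoft", "office365", "office-365", "o365", "outlook")

LURE_SUBJECTS = {"important service changes"}   # subject line cited in the report
RISKY_ATTACHMENTS = {".pdf", ".htm", ".html"}    # attachment types cited in the report
NEW_DOMAIN_DAYS = 30                             # assumed "recently registered" threshold


def parse_from(from_header):
    """Split 'Display Name <local@domain>' into (display_name, lowercase domain)."""
    if "<" in from_header:
        name, _, rest = from_header.partition("<")
        addr = rest.split(">", 1)[0]
    else:
        name, addr = "", from_header
    domain = addr.rsplit("@", 1)[-1].strip().lower()
    return name.strip().strip('"'), domain


def score_message(msg, employee_names, internal_domain, today):
    """Return (verdict, reasons) for one message.

    msg keys: from, subject, spf ('pass'/'fail'/'none'), attachments (list of
    filenames), domain_registered (date or None, normally from WHOIS/RDAP).
    """
    reasons = []
    name, dom = parse_from(msg["from"])

    themed = dom not in KNOWN_MICROSOFT_DOMAINS and any(t in dom for t in BRAND_TOKENS)
    if themed:
        reasons.append(f"microsoft-themed sender domain not on allowlist: {dom}")
        # SPF only proves the sending host is authorised for *that* domain; an
        # attacker who registered the domain can publish a valid SPF record too.
        if msg.get("spf") == "pass":
            reasons.append("SPF pass on a lookalike domain is not evidence of legitimacy")

    registered = msg.get("domain_registered")
    if registered is not None:
        age_days = (today - registered).days
        if age_days <= NEW_DOMAIN_DAYS:
            reasons.append(f"sender domain registered {age_days} days ago")

    if msg.get("subject", "").strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches known lure")

    for att in msg.get("attachments", []):
        dot = att.rfind(".")
        if dot != -1 and att[dot:].lower() in RISKY_ATTACHMENTS:
            reasons.append(f"active-content or document attachment: {att}")

    # Display name matches a real employee but the mail did not come from the
    # organisation's own domain.
    known = {n.lower() for n in employee_names}
    if name and name.lower() in known and dom != internal_domain.lower():
        reasons.append(f"display name impersonates employee '{name}' from external domain {dom}")

    if len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return verdict, reasons


# Constructed sample data (not real organisations, domains or messages).
INTERNAL_DOMAIN = "corp.example"
EMPLOYEES = ["Pat Lee", "Sam Okafor"]
TODAY = date(2021, 3, 1)
SAMPLE_MESSAGES = [
    {   # lure modelled on the campaign's traits
        "from": "Pat Lee <updates@microsoft-servicechanges.example>",
        "subject": "Important Service Changes",
        "spf": "pass",
        "attachments": ["Office365_Update.html"],
        "domain_registered": date(2021, 2, 24),
    },
    {   # legitimate vendor notice from an allowlisted domain
        "from": "Microsoft account team <account-security-noreply@microsoft.com>",
        "subject": "Unusual sign-in activity",
        "spf": "pass",
        "attachments": [],
        "domain_registered": date(1995, 1, 1),   # constructed placeholder date
    },
    {   # ordinary internal mail with a PDF: one weak signal only
        "from": "Pat Lee <pat.lee@corp.example>",
        "subject": "Re: Q1 budget",
        "spf": "pass",
        "attachments": ["q1_budget.pdf"],
        "domain_registered": date(2010, 1, 1),   # constructed placeholder date
    },
]


def triage(messages=SAMPLE_MESSAGES):
    """Score every sample and return a list of (verdict, reasons)."""
    return [score_message(m, EMPLOYEES, INTERNAL_DOMAIN, TODAY) for m in messages]


if __name__ == "__main__":
    for msg, (verdict, reasons) in zip(SAMPLE_MESSAGES, triage()):
        print(f"{verdict:10s} {msg['from']}")
        for r in reasons:
            print(f"    - {r}")
```

The point of weighting is that no single signal is decisive: a passing SPF check is expected on an attacker-registered domain, and a PDF from a colleague is routine. The lure only stands out because several independent signals (lookalike domain, domain age, subject, attachment type, employee-name impersonation) coincide on one message.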
The native email defenses were evaded because the credential-harvesting malware loaded automatically into the victim's browser once the victim opened the attached file.
If the recipient clicked "Accept," they were taken to a spoofed Office 365 login page and asked to enter their email address. A password was then requested after the malware checked to make sure the address was real, the researchers say.
The harvesting malware used WebSockets to send screenshots back to the attackers to enable them to harvest credentials.
Microsoft Exchange Issues
The phishing campaign, which ended in February, came as attackers were exploiting unpatched flaws in on-premises Microsoft Exchange email servers.
On March 2, Microsoft issued emergency patches for four zero-day vulnerabilities. The flaws have been exploited to deliver ransomware, including Black Kingdom.