Office 365 Phishing Attack Evolving
I. Targeted Industries
- Higher Education
- Financial Services
- Independent Companies
II. Introduction
As states and businesses slowly begin reopening during the COVID-19 pandemic, attackers are still looking for ways to exploit the situation. Remote work and online learning remain prevalent, and with that, Office 365 phishing scams have evolved. Researchers at Abnormal Security found that phishing attacks are now leveraging fake VPN configurations to target Office 365 credentials. This threat has been evolving since March. Please see our previous threat advisory on Office 365 phishing scams at the link below: https://cyberflorida.org/2020/03/30/increased-office-365-cyber-phishing-attacks-related-to-covid-19/
III. Background Information
The attack starts with a phishing email sent to individuals, impersonating a notification from their company’s IT support department. The sender address is also spoofed to look as if it came from within the organization. The email contains a link to an alleged “new VPN configuration for home access.” That link instead redirects to an Office 365 credential phishing website. The web page is hosted on the Microsoft-owned web.core.windows.net domain by taking advantage of the custom domain configuration offered by the Azure Blob Storage platform. The domain therefore carries a valid Microsoft certificate, which makes the page appear legitimate. This valid certificate has given the scam a high success rate: most individuals enter their credentials after seeing it and believing the page is an authorized Microsoft domain. The webpage design also appears identical to the actual Office 365 login page. Once the individual submits their credentials to the phishing site, they are sent to the attacker, who can then use them to access the victim’s work accounts and steal sensitive data. Multiple versions of this attack have been seen across different clients, emails, and IP addresses, but they all contain the same payload link, implying a single attacker.
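As an added example (not from this advisory or from Abnormal Security’s research), the following Python triage check flags a message that combines the indicators described above: a From: address claiming the organization’s own domain while SPF/DKIM/DMARC fail, a link whose host sits under web.core.windows.net, and the “VPN configuration” lure text. The organization’s domain (example.edu), the authentication-result strings and the sample message are assumptions constructed for the example.

```python
"""Flag mail matching the fake-VPN Office 365 lure: spoofed internal sender + Azure Blob link."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.edu"             # assumption: the organization's own mail domain
BLOB_HOST_SUFFIX = ".web.core.windows.net"  # Azure Blob static-site hosts named in the advisory
LURE_PATTERN = re.compile(r"vpn\s+configuration", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
AUTH_FAILURES = ("spf=fail", "dkim=fail", "dmarc=fail")  # from Authentication-Results

def _body_text(msg) -> str:
    """Concatenate the text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_email(raw: str) -> dict:
    """Return the indicators found in one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth_results = msg.get("Authentication-Results", "").lower()
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    hosts = [urlparse(u).hostname or "" for u in URL_PATTERN.findall(text)]
    found = {
        # From: claims an internal address, but SPF/DKIM/DMARC say the mail did not come from us
        "spoofed_internal_sender": sender_domain == INTERNAL_DOMAIN
        and any(f in auth_results for f in AUTH_FAILURES),
        "blob_storage_link": any(h.endswith(BLOB_HOST_SUFFIX) for h in hosts),
        "vpn_lure": bool(LURE_PATTERN.search(text)),
    }
    hits = [k for k, v in found.items() if v]
    found["verdict"] = ("phish" if found["blob_storage_link"] and len(hits) > 1
                        else "review" if hits else "clean")
    return found

PHISH_SAMPLE = (  # constructed sample in the shape the advisory describes
    "From: IT Support <it-support@example.edu>\n"
    "Subject: New VPN configuration for home access\n"
    "Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=example.edu\n"
    "Content-Type: text/plain\n\nYour new VPN configuration for home access:\n"
    "https://placeholderaccount.z13.web.core.windows.net/index.html\n"  # placeholder host
)
```

Running `score_email(PHISH_SAMPLE)` returns a "phish" verdict with all three indicators set; a mail with only one indicator is marked "review" for a human to look at.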
- Implement Multifactor Authentication in O365
Multifactor authentication adds an extra layer of security when a user logs in and provides alerts when someone is trying to use their credentials.
- Recommended links:
- Utilize a Password Manager
Password managers allow users to encrypt and store passwords for various accounts. This limits the damage a stolen credential can do by making strong, unique passwords across multiple accounts easy for users to maintain.
- More information: https://www.cnet.com/news/best-password-managers-for-2020/
- Reinforce Cybersecurity Awareness with End-Users
As individuals transition to remote work environments, now would be a good time to reinforce several key elements of cybersecurity awareness.
- Phishing Awareness Training
Organizations should provide end users with additional education on the increased threat of phishing attacks.
- Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Safe Browsing Techniques
Users should be educated on safe browsing techniques so they are conscious of anything malicious they may encounter. As with phishing awareness training, this is a good time to remind users of these techniques.
- Recommended link: https://www.us-cert.gov/ncas/tips/ST07-001
- Support Channel
Emphasize the importance of users contacting support directly if anything seems suspicious about the services provided, preferably before clicking on suspicious links. Provide employees with contact methods to reach your organization’s support.
- Virtual Private Network (VPN)
Employees should be encouraged to use the virtual private network provided by their organization.
- Anti-Phishing Policies
Office 365 Advanced Threat Protection (ATP) anti-phishing policies can protect universities and private institutions by blocking these threats before they reach individual users.