Microsoft is a popular brand for cybercriminals to impersonate in phishing campaigns. The company’s products are used by a vast number of people, both personally and professionally. Plus, gaining access to someone’s Microsoft credentials can open the key to an array of associated websites and services. One particular campaign analyzed by cyber threat intelligence provider Check Point Research redirected people through a series of legitimate websites in an effort to steal their Microsoft credentials.
In a blog post published Thursday, Check Point described the method in which attackers exploited one of Oxford University’s mail servers to send the initial email, abused an Adobe Campaign redirection tool, and then used a Samsung domain to take users to a Microsoft Office 365-themed phishing website. The goal was to take advantage of legitimate sites and services in an effort to evade security software. The campaign was first spotted in April; 43% of the attacks targeted European companies, while the rest targeted organizations in Asia and the Middle East.
Most of the emails observed came from multiple addresses that belonged to legitimate subdomains from different departments at the University of Oxford. By using Oxford’s SMTP servers, the attackers were able to sneak past the reputation check for the sender’s domain. They could also generate as many email addresses as they needed.
The sent email itself claims to offer missed voice mail related to the recipient’s Office 365 account with references to Office 365 and Microsoft and even a phony “Message from Trusted server” notice at the top. The email prompts the recipient to click on a button to listen to or download their missed voice messages. Clicking on that button then takes unsuspecting victims to a phishing page that asks them to sign in with their Microsoft account.
Behind the scenes, however, the trip between the email and the phishing page goes through several steps. First, users are redirected to an Adobe Campaign server. Offered by Adobe to email marketers, Adobe Campaign has been exploited in other phishing attempts to add legitimacy to URLs used in malicious messages.
In this instance, the link in the email directs people to an Adobe server used by Samsung during a 2018 Cyber Monday marketing campaign. By taking advantage of the Adobe Campaign link format and a legitimate Samsung domain, the attackers attempted to elude security protection based on reputation, blacklists, and URL patterns.
Next, the attackers redirect users to one of several compromised WordPress sites that contain malicious redirect code. Adding this layer is another way to evade security products as the URL in the email points to a seemingly legitimate WordPress site rather than a dubious phishing page.
To elude security alerts or blocks, the attackers reached into a clever bag of tricks. Using an Oxford email server to send the initial email helped them bypass reputation filters. The links within the email pointed to a legitimate domain owned by Samsung. And a series of redirects resulted in a concealed phishing page.
“What first appeared to be a classic Office 365 phishing campaign turned out to be a masterpiece strategy: using well-known and reputable brands to evade security products on the way to the victims,” Lotem Finkelsteen, Check Point manager of threat intelligence, told TechRepublic.
“Nowadays, this is a top technique to establish a foothold within a corporate network. Access to corporate mail can allow hackers unlimited access to a company’s operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords, and even addresses of a company’s cloud assets. To pull the attack off, the hacker had to gain access to Samsung and Oxford servers, meaning he had time to understand their inner workings, allowing him to go unnoticed.”
To protect yourself against phishing attacks that exploit Microsoft 365 and other cloud services, Check Point offers three tips:
- Use different passwords for your cloud applications. Segregation protects your assets when one is exposed.
- Use cloud and mail security solutions. The fact that these campaigns thrive proves that native security solutions are easy to bypass. Use cloud and mail security solutions to remove threats to your email and to protect your cloud infrastructure.
- Don’t enter your credentials when you didn’t expect to do it. Often, it’s a scam in disguise.
Roger Grimes, data-driven defense evangelist for KnowBe4, also has some advice to share.
“Phishing emails sent from a compromised trusted third party have been on the rise for at least two years,” Grimes said. “When I talk to CIOs, they say this is the type of phishing email that they see increasing the most and the one that worries them the most. Traditional anti-phishing advice like ‘Don’t trust email coming from people you don’t know’ or ‘Don’t open file attachments from people you don’t know’ doesn’t work. These days, phishing emails are coming from people and brands you trust and have ongoing relationships with.”
To combat these latest phishing threats, Grimes suggests the following steps:
- Educate users about these types of attacks coming from compromised trusted third parties.
- Implement Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC to ensure that the sending domain in the email is really the domain it is coming from.
- Educate users to care more about the particular request than about the party sending it. If the request is unexpected and asks for an action never requested before, it should be considered suspicious and investigated further before performing the requested action.
- Most of these types of phishing emails have “stressor events” in them, telling the user they need to do something immediately, or else something irreversibly bad will happen. Teach end users to be suspicious of all emails containing stressor events. If an email arrives saying you need to act quickly, that’s the time to stop and think before you act.
- Lastly, tell users to call the legitimate sender when something seems unusual. Make it a policy. They should call using pre-defined phone numbers and not rely on any phone numbers or contact information in the email.
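The campaign above illustrates the limit of the SPF/DKIM/DMARC advice: mail sent through a compromised university server passes authentication for that university's domain, yet its display name and subject claim to be Microsoft. The following added example (not from the article, Check Point or KnowBe4) is a small mail-gateway check that parses the Authentication-Results header and flags a message that is authenticated but impersonates a brand; the sample headers, domains and keyword lists are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a voicemail lure relayed through a reputable university
# mail server, so SPF/DKIM/DMARC all pass for the university's subdomain.
SAMPLE_EMAIL = """\
From: Office 365 Voicemail <noreply@dept.example-university.edu>
To: victim@example.com
Subject: Message from Trusted server - You have a missed voice message
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=dept.example-university.edu;
 dkim=pass header.d=dept.example-university.edu;
 dmarc=pass header.from=dept.example-university.edu

Click the button to listen to your missed voice messages.
"""

# Constructed sample of a genuine notification for comparison.
LEGIT_EMAIL = """\
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: victim@example.com
Subject: Microsoft account security info was added
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=accountprotection.microsoft.com;
 dkim=pass header.d=accountprotection.microsoft.com;
 dmarc=pass header.from=accountprotection.microsoft.com

Your security info was updated.
"""

BRAND_KEYWORDS = ("microsoft", "office 365", "office365", "voicemail")
# Domains the brand legitimately sends from (assumed list for the example).
BRAND_DOMAINS = ("microsoft.com", "office.com", "outlook.com")

def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def analyze(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    visible = f"{display} {msg.get('Subject', '')}".lower()
    claims_brand = any(k in visible for k in BRAND_KEYWORDS)
    from_brand = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    dmarc_pass = auth_results(msg).get("dmarc") == "pass"
    findings = []
    if claims_brand and not from_brand:
        findings.append("brand-mismatch")  # visible identity != authenticated domain
        if dmarc_pass:
            findings.append("authenticated-but-impersonating")  # compromised third party
    if not dmarc_pass:
        findings.append("dmarc-fail")
    return findings
```

Authentication alone clears the first sample; only comparing the visible brand claim with the authenticated sender domain surfaces it.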