Phishing emails are a key way that cybercriminals use social engineering to try to deploy malware. By impersonating well-known companies and products, such emails attempt to ensnare people who use them. And the more popular the product or brand, the greater the number of potential victims. With so many people and organizations using Microsoft Office 365, phishers who exploit this brand can target a vast amount of people as a way to steal their account credentials, as described by Vade Secure.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

Beyond Windows itself, Office 365 is one of Microsoft’s most ubiquitous products. Office 365 comes in eight different flavors for both home users and businesses. It includes 17 different products, including Word, Excel, PowerPoint, Outlook, OneNote, OneDrive, Skype, and SharePoint. And it holds around 200 million monthly active users. All of this is why Vade Secure tagged Microsoft as the top impersonated brand for all phishing attacks in 2019.

Overall, Vade Secure found 64,331 unique phishing URLs impersonating Microsoft, hitting an average of 176 unique URLs per day. Following closely in second place was PayPal with 61,226 unique phishing URLs.

Types of phishing attacks

Phishing attacks that exploit Office 365 come in different varieties, according to Adrien Gendre, chief solutions architect at Vade Secure. These include fake quarantine notifications, voicemail attachments, suspended account notices, and payment failure notifications. Vade is now seeing phishing emails impersonating OneDrive and SharePoint. In some of these campaigns, phishers send phony OneDrive or SharePoint notifications that lead you directly to a phishing page. In others, they send legitimate OneDrive or SharePoint notifications that take you to a real file containing a phishing URL.

Vade found and analyzed several real-world phishing attacks exploiting Office 365:

  • Phishing attacks that leverage SharePoint and OneDrive. Many of these emails are fraudulent, but some are sent from legitimate Office 365 accounts, which makes detection almost impossible. The phishing link is not in the email but in the shared file.
  • Reputation and signature-based emails. These email filters scan for known phishing URLs but can’t recognize a new, unknown threat or phishing URL that has not yet been detected and blacklisted.
  • Look-a-like phishing webpages. Using CSS, hackers mimic both the design of Office 365 login pages and the building blocks of the page. In some cases, hackers copy the CSS from the real Office 365 login page and use it to build their phishing page.
  • Use of distorted images or logos for increased authenticity. To bypass a filter, hackers distort the image slightly and change the cryptographic hash, thereby manipulating the email filter, which then classifies the email as unique.

“Overall, the sophistication of these attacks is growing, with many Office 365 phishing pages being virtually indistinguishable from the real thing,” Gendre said. “To accomplish this, hackers mirror the actual Office 365 login page, pulling JavaScript and CSS directly from the legitimate website and inserting their own script to harvest credentials. In addition, we’re seeing pages that redirect users to legitimate Microsoft pages once they’ve submitted their credentials in an attempt to convince them that nothing is amiss.”

What’s the goal of phishing attacks?

The overall goal of these type of phishing attacks is to steal Office 365 credentials, according to Gendre. If successful, the attackers can sell the organization’s Global Address List or other company information on the dark web, deploy ransomware inside an organization, and conduct business email compromise attacks using the compromised account. Sometimes, the cybercriminal uses the stolen credentials to silently monitor email traffic and move laterally within the organization to plan a larger, more orchestrated attack.

How to protect yourself from phishing

To protect your organization from these types of phishing attacks, Gendre recommends a defense that combines humans and machines working together. His specific tips include the following:

Use artificial intelligence. First, you need to leverage artificial intelligence (AI), specifically machine learning (ML), as way to predict new phishing attacks. Traditional reputation- and fingerprint-based filters are only capable of identifying known threats based on blacklisted IPs or URLs. AI-based technologies can identify threats without a known signature, including highly dynamic phishing attacks that use a unique email and URL for each recipient. This helps prevent as many phishing emails as possible from reaching your users.

Prepare for the unexpected. No solution will ever block 100% of threats, so you need to prepare for the unexpected. A critical first step is end-user training so that employees can spot phishing emails. This requires augmenting structured training with on-the-fly, contextualized training tailored to specific bad behavior, such as clicking on a Microsoft phishing link.

Capture user feedback. Set up a closed-loop mechanism that captures end-user feedback to continually improve and reinforce the core AI engine. This feedback should also trigger automated remediation so that a threat reported by a user at one company can automatically be removed from the inboxes of users at other companies that receive the same threat.


Image: towfiqu ahamed, Getty Images/iStockphoto