Alert: Tailored Office 365 Phishing Attacks
Our researchers recently observed a new trend in phishing email campaigns that is worth sharing here. Almost 20% of the phishing emails in the wild spoof Microsoft login pages in order to steal Office 365 credentials. Some of you may already be careful when an email links to a Microsoft login page, suspecting that it might be a phishing scam. You are right to be! But would you suspect a Microsoft login page that carries your own corporate logo, branding and URL? This is what attackers have recently started doing, to fool both end users and email security engines.
The New Way of Stealing Office 365 Credentials
Traditionally, phishing attacks that lure users into entering their Microsoft credentials use a generic fake O365 login page with a Microsoft logo, like the one shown below:
The new method combines the following elements, which together make it very hard to notice that this is not the real login page:
1. The targeted organization's logo. The organization's logo is injected into the O365 login page. Not only does this make the fake page look more genuine to users, it also makes it harder for phishing detection engines based on reputation or image analysis to catch it, since the page no longer resembles the generic Microsoft template those engines have learned. The fake login page looks like this:
2. The targeted organization's domain name in the URL the user sees (which later redirects to the phishing URL). Most phishing attacks use an initial URL that redirects to the malicious one; this is a basic technique for bypassing phishing detection engines as well as suspicious users. In these tailored attacks, the attackers build that initial URL so that it contains the targeted organization's domain name. As the screenshot shows, they typically place the victim's organization name at the beginning of the URL, so that is what users see when they hover over or click the link, and they are less likely to suspect that it is not genuine. The check that still works is to look at the link's registrable domain (the last two labels, or three for suffixes such as co.uk): that part is not the organization's, and the organization name appears only as a subdomain label or path component in front of it.
3. The targeted organization's branding or look and feel in the background. In case the two techniques described above are not convincing enough, some attackers go a step further and use a background that matches the victim's branding, such as an image or branded background that is available online.
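As an added illustration of the second element (example code, not from the original post or from BitDam), the Python routine below applies the check a practitioner would want when triaging links from an email body: it separates the registrable domain of each link from the attacker-chosen subdomain and path, flags third-party URLs that carry the organization's name, and follows redirect targets embedded in query strings or fragments without touching the network. The organization name (contoso), its domains, the Microsoft login hosts list and the sample links are constructed for the demo, and the suffix list is a deliberately simplified stand-in for the Public Suffix List.

```python
"""Triage of links from an email body: flag URLs that carry the target
organization's name on a domain the organization does not control.
Added example with constructed sample data; not BitDam code."""
from urllib.parse import urlparse, parse_qsl, unquote

# Hypothetical target organization used for this demo.
ORG_NAME = "contoso"
ORG_DOMAINS = {"contoso.com"}

# Genuine Microsoft sign-in hosts; keep such a list current in real use.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Simplified stand-in for the Public Suffix List, enough for the demo only.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Constructed sample links of the kinds discussed above (not real campaign URLs).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/contoso.com/oauth2/authorize",
    "https://intranet.contoso.com/sharepoint",
    "https://contoso.com.secure-login-verify.example/owa",
    "https://cdn.example.net/r?u=https%3A%2F%2Fcontoso-portal.example.org%2Flogin",
    "https://mail.example.org/login",
]


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname: 'contoso.com.evil.example' -> 'evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def belongs_to(host: str, domains: set) -> bool:
    """True if host is one of the given domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def embedded_urls(parsed) -> list:
    """Absolute URLs hidden in query values or the fragment (open-redirect shape)."""
    values = [v for _, v in parse_qsl(parsed.query, keep_blank_values=True)]
    values.append(parsed.fragment)
    found = []
    for value in values:
        value = unquote(value)  # tolerate double-encoded targets
        if value.lower().startswith(("http://", "https://")):
            found.append(value)
    return found


def classify_link(url, org_name=ORG_NAME, org_domains=ORG_DOMAINS, depth=0):
    """Return {'url', 'host', 'verdict', 'reasons'}.
    Verdicts: own-domain, microsoft-login, external, suspicious, invalid."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    result = {"url": url, "host": host, "verdict": "external", "reasons": []}
    if not host:
        result["verdict"] = "invalid"
        return result
    if belongs_to(host, org_domains):
        result["verdict"] = "own-domain"
        return result
    if host in MICROSOFT_LOGIN_HOSTS:
        result["verdict"] = "microsoft-login"
        return result

    name = org_name.lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is attacker-chosen text.
    subdomain_part = host[: -len(reg)].rstrip(".")
    if name in subdomain_part:
        result["reasons"].append(f"org name in subdomain of third-party domain {reg}")
    decoded_rest = unquote(f"{parsed.path}?{parsed.query}#{parsed.fragment}").lower()
    if name in decoded_rest:
        result["reasons"].append("org name in path, query or fragment of third-party URL")
    # Follow embedded redirect targets a few levels deep, offline.
    if depth < 3:
        for inner in embedded_urls(parsed):
            inner_result = classify_link(inner, org_name, org_domains, depth + 1)
            result["reasons"].append(
                f"redirects to {inner_result['host']} ({inner_result['verdict']})"
            )
            result["reasons"].extend(inner_result["reasons"])
    if result["reasons"]:
        result["verdict"] = "suspicious"
    return result


def triage(links):
    """Map each link to its verdict; handy for all links extracted from one email."""
    return {link: classify_link(link)["verdict"] for link in links}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = classify_link(link)
        print(f"{r['verdict']:16} {link}")
        for reason in r["reasons"]:
            print(f"{'':16}  - {reason}")
```

Note that the genuine tenant-scoped sign-in URL (login.microsoftonline.com/contoso.com/...) is accepted because the host is Microsoft's, while the same string used as a subdomain of a third-party domain is flagged; the registrable domain, not the visible prefix, is what decides.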
4-fold Increase in The Prevalence of Such Attacks
In the past couple of months we have seen a dramatic increase in the prevalence of these attacks among BitDam customers: the prevalence in August was more than 400% of that in July. The trend continued in September with a further slight increase, and it continues as I write this post. This suggests that these campaigns rely on automated tools that were published recently.
We detected these tailored Office 365 phishing attacks in organizations of all sizes, from small businesses of a few dozen users to large corporations. This strengthens our assumption that faking these login pages is automated and that new phishing kits make the above techniques easy to use.
The emails that lure victims into clicking the link to their supposed Office 365 account vary as well. Many claim that a voice message is waiting for them, some use the pretext of Office 365 password expiration, some say that a message from the tax authorities could not be delivered, and so on. If victims take the bait and click the link, they are redirected to what looks like their organization's Office 365 login page but is actually a phishing page built to steal their credentials.
Phishing scammers have it much easier these days. In the past, bad actors had to work hard to build such a customized phishing attack, and these were typically reserved for the big fish. Nowadays, all they need is to search online for the newest toolkit and they can spray it everywhere.
Unfortunately, this makes life much more difficult both for organizations trying to protect their employees and assets and for the security vendors that help them. To protect against such threats, as well as other emerging phishing techniques, organizations need to make sure their email security can block phishing attacks and techniques that are not yet known or commonly used. Reputation-based or signature-based solutions do not help here, as these attacks are customized per organization and such lists cannot be updated at the needed pace. Thanks to its attack-agnostic approach, BitDam ATP detected these threats at first encounter, when they had just emerged, without any change to its detection mechanism.
While BitDam ATP identified these phishing attacks and blocked them before they reached users' mailboxes, the phishing method described in this post flies under the radar of most Advanced Threat Protection solutions, including Microsoft's Office ATP. I recommend testing your email security against these attacks, as well as others, to better understand your security posture. You can do this with Breach & Attack Simulation tools such as BitDam Lucky Meter.
If you found this blog post interesting, you might also like my previous alert on the use of CAPTCHA as a phishing evasion technique.
*The images in this blog post are illustrations and are not related to any real attack.