Office 365 Phishing Emails Masquerade as Non-Delivery Notifications

campaign is to obtain users’ Office 365 passwords.

The phishing campaign was detected by ISC Handler Xavier Mertens and the campaign appears to still be active.

The phishing emails closely resemble legitimate Office 365 non-delivery notifications and include Office 365 branding. As is the case with official non-delivery notifications, the user is alerted that messages have not been delivered and told that action is required.

The Office 365 phishing emails claim that “Microsoft found Several Undelivered Messages” and attributes the non-delivery to “Server Congestion.” The emails ask the sender to retype the recipient’s email address and send the message again, although conveniently they include a Send Again button.

If users click the Send Again button, they will be directed to a website that closely resembles the official Office 365 website and includes a login box that has been auto-populated with the user’s email address.

If the password is entered, a JavaScript function sends both the email address and password to the scammer. The user will then be redirected to the genuine outlook.office365.com website where they will be presented with a real Office 365 login box.

While the Office 365 phishing emails and the website look legitimate, there are signs that all is not what it seems. The emails are well written and the sender’s email – postmaster@us.ibm.com – looks official but there is irregular capitalization of the warning message: Something that would not occur on an official Microsoft notification.

The clearest sign that this is a phishing scam is the domain to which users are directed if they click on the Send Again button. It is not an official Microsoft domain (agilones.com).

While the error in the email may be overlooked, users should notice the domain, although some users may proceed and enter passwords as the login box is identical to the login on the official Microsoft site.

The campaign shows just how important it is to carefully check every message before taking any action and to always check the domain before disclosing any sensitive information.

Scammers use Office 365 phishing emails because so many businesses have signed up to use Office 365. Mass email campaigns therefore have a high probability of reaching an Outlook inbox. That said, it is easy to target office 365 users. A business that is using Office 365 broadcasts it through their public DNS MX records.

Businesses can improve their resilience to phishing attacks through mandatory security awareness training for all employees. Employees should be told to always check messages carefully and should be taught how to identify phishing emails.

Businesses should also ensure they have an advanced spam filtering solution in place. While Microsoft does offer anti-phishing protection for Office 365 through its Advanced Threat Protection (APT) offering, businesses should consider using a third-party spam filtering solution with Office 365.

SpamTitan provides superior protection against phishing and zero-day attacks, an area where APT struggles.

Irish Phishing Study Shows Millennials’ Confidence in Security Awareness is Misplaced

According to a recent Irish phishing study, as many as 185,000 office workers in the country have fallen victim to phishing scams.

Phishing is a method used by cybercriminals to obtain sensitive information such as login credentials, financial information, and other sensitive data. While phishing can take place over the phone, via messaging platforms or by text message, email is most commonly used.

Messages are sent in bulk in the hope that some individuals will respond, or campaigns can be much more targeted. The latter is referred to as spear phishing. With spear phishing attacks, cybercriminals often research their victims and tailor messages to maximize the probability of them eliciting a response.

A successful phishing attack on employees can see them disclose their email credentials which allows their accounts to be accessed. Then the attackers can search emails accounts for sensitive information or use the accounts to conduct further phishing attacks on other employees. When financial information is disclosed, business bank accounts can be emptied.

Businesses can suffer major financial losses as a result of employees responding to phishing emails, the reputation of the business can be damaged, customers can be lost, and there is also a risk of major regulatory fines.

Irish Phishing Study Findings

The Irish phishing study was conducted on 500 Irish office workers by the survey consultancy firm Censuswide. Respondents to the Irish phishing study were asked questions about phishing, whether they had fallen for a phishing scam in the past, and how they rated their ability to identify phishing attacks.

In line with findings from surveys conducted in other countries, 14% of respondents said they had been a victim of a phishing attack. There were also marked differences between different age groups.  Censuswide analyzed three age groups: Millennials, Gen X, and baby boomers. The latter two age groups were fairly resistant to phishing attempts. Gen X were the most phishing-savvy, with just 6% of respondents in the age group admitting to having been fooled by phishing emails in the past, closely followed by the baby boomer generation on 7%. However, 17% of millennials admitted having fallen for a phishing scam – The generation that should, in theory, be the most tech-savvy.

Interestingly, millennials were also the most confident in their ability to recognize phishing attempts. 14% of millennials said they would not be certain that they could detect fraud, compared to 17% of Gen X, and 26% of baby boomers.

It is easy to be confident about one’s ability to spot standard phishing attempts, but phishing attacks are becoming much more sophisticated and very realistic. Complacency can be very dangerous.

Phishing Protection for Businesses

The results of the Irish phishing study make it clear that businesses need to do more to protect themselves from phishing attacks. Naturally, an advanced spam filtering solution is required to ensure that employees do not have their phishing email identification skills put to the test constantly. SpamTitan, for instance, blocks more than 99.9% of spam and phishing emails, thus reducing reliance on employees’ ability to identify scam emails.

The Irish phishing study also highlights the importance of providing security awareness training to employees. The study revealed 44% of the over 54 age group had opened an attachment or clicked on a link in an email from an unknown sender, as had 34% of millennials and 26% of the Gen X age group. Alarmingly, one in five respondents said that their employer had not provided any security awareness training whatsoever.

Employees need to learn how to identify scams, so security awareness training must be provided. Since cybercriminals’ tactics are constantly evolving, training needs to be continuous. Annual or biannual training sessions should be provided, along with shorter refresher training sessions. Businesses should also consider conducting phishing email simulations to test resilience to phishing attacks and highlight weak links.

To be effective, anti-phishing training needs to be provided to all employees and requires buy-in from all departments. Unless that happens, it will be difficult to develop a culture of security awareness.

How to Improve Office 365 Security

In this post we offer four simple steps to take to improve Office 365 security and make it harder for hackers and phishers to gain access to users’ accounts.

Hackers are Targeting Office 365 Accounts

It should come as no surprise to hear that hackers are targeting Office 365 accounts. Any software package that has 155 million global users is going to be a target for hackers, and with the number of users growing by an astonishing 3 million a month, Office 365 accounts are likely to be attacked even more frequently.

One study this year has confirmed that to be the case. There has been a 13% increase in attempts to hack into Office 365 email accounts this year, and many of those attacks succeed. You should therefore take steps to improve Office 365 security.

Hackers themselves are paying for Office 365 and are probing its security protections to find vulnerabilities that can be exploited. They also test their phishing emails on real office 365 accounts to find out which ones bypass Microsoft’s anti-phishing protections.

When emails have been developed that bypass Microsoft’s anti-phishing protections, mass email campaigns are launched on Office 365 users. Businesses using Office 365 can easily be found and targeted because it is made clear that they use Office 365 through public DNS MX records.

So how can you improve office 365 security and make it harder for hackers? If you take the four steps below, you will be able to greatly improve Office 365 security and thwart more attacks.

Enforce the Use of Strong Passwords

Hackers often conduct brute force attacks on Office 365 email accounts so you need to develop a strong password policy and prevent users from setting passwords that are easy to brute force. You should not allow dictionary words or any commonly used weak passwords, that otherwise meet your password policy requirements – Password1! for instance.

The minimum length for a password should be 8 characters but consider increasing that minimum. A password of between 12 and 15 characters is recommended. Make sure you do not set a too restrictive maximum number of characters to encourage the use of longer passphrases. Passphrases are harder to crack than 8-digit passwords and easier for users to remember. To make it even easier for your users, consider using a password manager.

Implement Multi-Factor Authentication

Even with strong passwords, some users’ passwords may be guessed, or users may respond to phishing emails and disclose their password to a scammer. An additional login control is therefore required to prevent compromised passwords from being used to access Office 365 accounts.

Multi-factor authentication is not infallible, but it will help you improve Office 365 security. With MFA, in addition to a password, another method of authentication is required such as a token or a code sent to a mobile phone. If a password is obtained by a hacker, and an attempt is made to login from a new location or device, further authentication will be required to access the account.

Enable Mailbox Auditing in Office 365

Mailbox auditing in Office 365 is not turned on by default so it needs to be enabled. You can set various parameters for logging activity including successful login attempts and various mailbox activities. This can help you identify whether a mailbox has been compromised. You can also logs failed login attempts to help you identify when you are being attacked.

Improve Office 365 Security with a Third-Party Spam Filter

As previously mentioned, hackers can test their phishing emails to find out if they bypass Office 365 anti-phishing controls and your organization can be identified as using Office 365. To improve Office 365 security and reduce the number of phishing emails that are delivered to end users’ inboxes, consider implementing a third-party spam filter rather than relying on Microsoft’s anti-phishing controls. Dedicated email security vendors, such as TitanHQ, offer more effective and more flexible anti-spam and anti-phishing solutions than Microsoft Advanced Threat Protection at a lower cost.

Office 365 Spam Filtering Controls Failed to Prevent Costly Malware Infection

A U.S. school system had Office 365 spam filtering controls in place and other cybersecurity solutions installed, but still experienced a costly 6-week malware infection. In this post we explore what went wrong and how you can improve security in your organization.

Multi-Layered Defenses Breached

If you want to mount a solid defense and prevent hackers from gaining access to your networks and data, multi-layered cybersecurity defenses are required, but for one Georgia school district that was not enough. On paper, their defenses looked sound. Office 365 spam filtering controls had been applied to protect the email system, the school district had a firewall appliance protecting the network, and a web filter had been installed to control what users could do online. Endpoint security had also been installed.

The school district was also updating its desktops to Windows 10 and its servers to Windows Server 2012 or later. Everything looked nice and secure.

However, the transportation department delayed the upgrades. The department was still sharing files on a local Windows 2003 server and some of the desktops were still running Windows XP, even though support for the OS had long since ended. The outdated software and lack of patching was exploited by the attackers.

How Was the Malware Installed?

The investigation has not yet determined exactly how the attack was initiated, but it is believed that it all started with an email. As a result of the actions of an end user, a chain of events was triggered that resulted in a 6-week struggle to mitigate the attack, the cost of which – in terms of time and resources – was considerable.

The attack is believed to have started on a Windows XP machine with SMBv1 enabled. That device had drives mapped to the Windows 2003 server. The malware that was installed was the Emotet Trojan, which used the EternalBlue exploit to spread across the network to other vulnerable devices. The attackers were able to gain control of those devices and installed cryptocurrency mining malware.

The cryptocurrency mining slowed the devices to such an extent that they were virtually unusable, causing many to continually crash and reboot. The network also slowed to a snail’s pace due to the streams of malicious traffic. While the upgraded Windows 10 machines were not affected initially, the attackers subsequently downloaded keyloggers onto the compromised devices and obtained the credentials of an IT support technician who had domain administration rights. The attackers then used those privileges to disable Windows Defender updates on desktops, servers, and domain controllers.

Over the course of a week, further Trojan modules were downloaded by creating scheduled tasks using the credentials of the IT support worker. A spam module was used to send malicious messages throughout the school district and several email accounts were compromised as a result and had malware downloaded. Other devices were infected through network shares. The TrickBot banking Trojan was downloaded and was used to attack the systems used by the finance department, although that Trojan was detected and blocked.

Remediation Took 6 Weeks

Remediating the attack was complicated. First the IT department disabled SMBv1 on all devices as it was not known what devices were vulnerable. Via a Windows Group Policy, the IT team then blocked the creation of scheduled tasks. Every device on the network had Windows Defender updates downloaded manually, and via autoruns for Windows, all processes and files run by the Trojan were deleted. The whole process of identifying, containing, and disabling the malware took 6 weeks.

The attack was made possible through an attack on a single user, although it was the continued use of unsupported operating systems and software that made the malware attack so severe.

The attack shows why it is crucial to ensure that IT best practices are followed and why patching is so important. For that to happen, the IT department needs to have a complete inventory of all devices and needs to make sure that each one is updated.

While Microsoft released a patch to correct the flaw in SMBv1 that was exploited through EternalBlue, the vulnerable Windows XP devices were not updated, even though Microsoft had released an update for the unsupported operating system in the spring of 2017.

Additional Protection is Required for Office 365 Inboxes

The attack also shows how the actions of a single user can have grave repercussions. By blocking malicious emails at source, attacks such as this will be much harder to pull off. While Office 365 spam filtering controls block many email-based threats, even with Microsoft’s Advanced Threat Protection many emails slip through and are delivered to inboxes.

Hackers can also see whether Office 365 is being used as it is broadcast through DNS MX records, which allows them to target Office 365 users and launch attacks.

Due to the additional cost of APT, the lack of flexibility, and the volume of malicious emails that are still delivered to inboxes, many businesses have chosen to implement a more powerful spam filtering solution on top of Office 365.

One such solution that has been developed to work seamlessly with Office 365 to improve protection against email threats is SpamTitan.

You can find out more about how SpamTitan improves protection for Office 365 in this article – Protecting Office 365 from Attack.

Sextortion Scams Now Combine Threat of Exposure with Multiple Malware Infections

Sextortion scams have proven popular with cybercriminals this year. A well written email and an email list are all that is required. The latter can easily be purchased for next to nothing via darknet marketplaces and hacking forums. Next to no technical skill is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are effective.

Many sextortion scams use the tried and tested technique of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is made. Some of the recent sextortion scams have added credibility by claiming to have users’ passwords. However, new sextortion scams have been detected in the past few days that are using a different tactic to get users to pay up.

The email template used in this scam is similar to other recent sextortion scams. The scammers claim to have a video of the victim viewing adult content. The footage was recorded through the victim’s webcam and has been spliced with screenshots of the content that was being viewed at the time.

In the new campaign the email contains the user’s email account in the body of the email, a password (Most likely an old password compromised in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see exactly what will soon be distributed via email and social media networks.

Clicking the link in the video will trigger the downloading of a zip file. The compressed file contains a document including the text of the email along with the supposed video file. That video file is actually an information stealer – The Azorult Trojan.

This form of the scam is even more likely to work than past campaigns. Many individuals who receive a sextortion scam email will see it for what it really is: A mass email containing an empty threat. However, the inclusion of a link to download a video is likely to see many individuals download the file to find out if the threat is real.

If the zip file is opened and the Azorult Trojan executed, it will silently collect information from the user’s computer – Similar information to what the attacker claims to have already obtained: Cookies from websites the user has visited, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank credentials.

However, it doesn’t end there. The Azorult Trojan will also download a secondary payload: GandCrab ransomware. Once information has been collected, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up and not also encrypted by the ransomware. Aside from permanent file loss, the only other alternative will be to pay a sizeable ransom for the key to decrypt the files.

If the email was sent to a business email account, or a personal email account that was accessed at work, files on the victim’s work computer will be encrypted. Since a record of the original email will have been extracted on the device, the reason why the malware was installed will be made clear to the IT department.

The key to not being scammed is to ignore any threats sent via email and never click links in the emails nor open email attachments.

Businesses can counter the threat by using cybersecurity solutions such as spam filters and web filters. The former prevents the emails from being delivered while the latter blocks access to sites that host malware.