Office 365 phishing attacks are commonplace, highly convincing, and Office 365 spam filtering controls are easily being bypassed by cybercriminals to ensure messages reach inboxes. Further, phishing forms are being hosted on webpages that are secured with valid Microsoft SLL certificates to convince users the websites are genuine.
Office 365 Phishing Attacks Can Be Difficult to Identify
In the event of a phishing email making it past perimeter defenses and arriving in an inbox, there are several tell-tale signs that the email is not genuine.
There are often spelling mistakes, incorrect grammar, and the messages are sent from questionable senders or domains. To improve the response rate, cybercriminals are now spending much more time carefully crafting their phishing emails and they are often virtually indistinguishable from genuine communications from the brand they are spoofing. In terms of formatting, they are carbon copies of genuine emails complete with the branding, contact information, sender details, and logos of the company being spoofed. The subject is perfectly believable and the content well written. The actions the user is requested to take are perfectly plausible.
Hyperlinks are contained in emails that direct users to a website where they are required to enter their login credentials. At this stage of the phishing attack there are usually further signs that all is not as it seems. A warning may flash up that the website may not be genuine, the website may start with HTTP rather than the secure HTTPS, or the SSL certificate may not be owned by the company that the website is spoofing.
Even these tell-tale signs are not always there, as has been shown is several recent Office 365 phishing attacks, which have the phishing forms hosted on webpages that have valid Microsoft SSL certificates or SSL certificates that have been issued to other cloud service providers such as CloudFlare, DocuSign, or Google.
Microsoft Azure Blog Storage Phishing Scam
One recent phishing scam uses Azure blob storage to obtain a valid SSL certificate for the phishing form. Blob storage can be used for storing a variety of unstructured data. While it is possible to use HTTP and HTTPS, the phishing campaign uses the latter, which will show a signed SSL certificate from Microsoft.
In this campaign, end users are sent an email with a button that must be clicked to view the content of a cloud-hosted document. In this case, the document appears to be from a Denver law firm. Clicking the button directs the user to an HTML page hosted on Azure blog storage that requires Office 365 credentials to be entered to view the document. Since the document is hosted on Azure blob storage, a Microsoft service, it has a valid SSL certificate that was issued to Microsoft adding legitimacy to the scam.
Entering login credentials into the form will send them to the attackers. The user will then be directed to another webpage, most likely unaware that they have been phished.
CloudFlare IPFS Gateway Abused
A similar campaign has been detected that abuses the CloudFlare IPFS gateway. Users can access content on the IPFS distributed file system through a web browser. When connecting to this gateway through a web browser, the HTML page will be secured with a CloudFlare SSL certificate. In this case, the login requires information to be entered including username, password, and recovery email address and phone number – which will be forwarded to the attacker, while the user will be directed to a PDF file unaware that their credentials have been stolen.
Office 365 Phishing Protections are Insufficient
Office 365 users are being targeted by cybercriminals as they know Office 365 phishing controls can be easily bypassed. Even with Microsoft’s Advanced Threat Protection for Office 365, phishing emails are still delivered. A 2017 study by SE Labs showed even with this additional anti-phishing control, Office 365 anti-phishing measures were only rated in the low-middle of the market for protection. With only the basic Exchange Online Protection, the protection was worse still.
Whether you run an SMB or a large enterprise, you are likely to receive high volumes of spam and phishing emails and many messages will be delivered to end users’ inboxes. Since the emails can be virtually impossible for end users to identify as malicious, it is probable that all but the most experienced, well trained, security conscious workers will be fooled. What is therefore needed is an advanced third-party spam filtering solution that will work alongside Office 365 spam filtering controls to provide far greater protection.
How to Make Office 365 More Secure
While Office 365 will block spam emails and phishing emails (Osterman Research showed it blocks 100% of known malware), it has been shown to lack performance against advanced phishing threats such as spear phishing.
Office 365 does not have the same level of predictive technology as dedicated on-premises and cloud-based email security gateways which are much better at detecting zero-day attacks, new malware, and advanced spear phishing campaigns.
To greatly improve protection what is needed is a dedicated third-party spam filtering solution for Office 365 such as SpamTitan. SpamTitan focuses on defense in depth, and provides superior protection against advanced phishing attacks, new malware, and sophisticated email attacks to ensure malicious messages are blocked or quarantined rather than being delivered to end users’ inboxes. Some of the additional protections provided by SpamTitan against Office 365 phishing attacks are detailed in the image below: