The lockdown imposed due to COVID-19 has forced employees to abandon the office and work from home, with contact maintained through communications solutions such as Skype, Slack, and Zoom. Unsurprisingly, the huge increase in use of these platforms has created an opportunity for cybercriminals, who are using fake notifications from these and other communication and teleconferencing platforms as lures in phishing campaigns targeting remote workers.
Several campaigns have been identified that take advantage of the popularity of these platforms. One recently identified campaign uses Skype branding and advises users that they have pending notifications. The emails are personalized, include the recipient's Skype username, and carry a review button for the user to click to view the notifications. They closely resemble the genuine emails sent to users by Skype and, at first glance, appear to have been sent from a genuine address.
The link supplied in the email directs the recipient to an HTTPS website (written hxxps in the report, which defangs the link) with "Skype" in the domain name. Because the connection between the browser and the website is encrypted, the browser displays the padlock, just as it does on the genuine Skype domain. The padlock only confirms that traffic to that host is encrypted; it says nothing about whether the host belongs to Skype, so it cannot be relied on to distinguish the genuine login page from this one. The webpage includes Skype branding and the logo of the company being targeted and states that it has been set up for authorized use by employees of that company. The victim's username is pre-filled on the login page, so all that is required is for a password to be entered.
This campaign was identified by Cofense, which received multiple reports from business users about the emails, which bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.
A Zoom campaign has also been identified that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many businesses for use by employees to maintain contact during the lockdown. The platform has also proven popular with consumers and now reports more than 300 million daily meeting participants.
In this campaign, fake Zoom meeting notifications are sent to targets. As is common with phishing campaigns, the attackers create fear and urgency to get targets to respond quickly without scrutinizing the message: the recipient is told to log in to a meeting with the HR department regarding their job termination. Clicking the link similarly directs the user to a fake login page where they are required to enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was identified by Abnormal Security, which reports that around 50,000 of these messages were delivered to Office 365 accounts after bypassing EOP.
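Both the Skype and the Zoom campaigns above share the same URL pattern: the brand name appears somewhere in the hostname, the page is served over HTTPS, and the victim's identity is often carried in the link so the login form can be pre-filled. The following is an added example of a small triage check for links extracted from reported emails; it is not code from TitanHQ, Cofense, or Abnormal Security. The brand-to-domain table, the two-label "registrable domain" heuristic (real deployments should use the Public Suffix List), and the treatment of an email address in the query or fragment as a pre-fill indicator are assumptions, and the sample URLs are constructed for illustration.

```python
"""Triage links for brand-impersonation phishing (added example, not vendor code).

A URL is flagged as a lookalike when a watched brand keyword appears in the
hostname but the registrable domain is not one the brand legitimately uses.
HTTPS is recorded but deliberately does not lower suspicion: the padlock only
proves encryption to the host, not that the host belongs to the brand.
"""
import re
from urllib.parse import urlparse

# Brand keyword -> registrable domains the brand legitimately serves from.
# ASSUMPTION for illustration; maintain this from an authoritative source.
LEGIT_DOMAINS = {
    "skype": {"skype.com", "live.com", "microsoft.com"},
    "zoom": {"zoom.us", "zoom.com"},
}

# Loose email-address pattern used to spot a recipient identity in the URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def refang(url):
    """Undo the defanging used in phishing reports (hxxp, [.])."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host):
    """Naive registrable domain: the last two labels.

    ASSUMPTION: adequate for the sample data; a production check must use
    the Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(url):
    """Return a triage record for one URL."""
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    record = {
        "url": url,
        "host": host,
        "https": parsed.scheme == "https",
        "brand": None,
        "verdict": "unknown",
        # An email address in query or fragment is how a phishing page can
        # pre-fill the username field (ASSUMPTION; other encodings exist).
        "recipient_in_url": bool(EMAIL_RE.search(parsed.query + parsed.fragment)),
    }
    if not host:
        record["verdict"] = "unparseable"
        return record

    domain = registrable_domain(host)
    # Strip hyphens so "skype-login.example" still matches the keyword.
    squashed = host.replace("-", "")
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in squashed:
            record["brand"] = brand
            record["verdict"] = "legitimate" if domain in legit else "lookalike"
            break
    return record


def scan(urls):
    """Analyse a batch of URLs and return only the records worth a look."""
    return [r for r in map(analyse, urls) if r["verdict"] != "legitimate"]


# Constructed sample links, modelled on the two campaigns described above.
SAMPLE_URLS = [
    "hxxps://skype-notifications[.]example/login?user=alice@corp.example",
    "https://web.skype.com/",
    "https://skype.com.evil.example/review",
    "hxxps://hr-meeting-zoom[.]example/signin#bob@corp.example",
    "https://zoom.us/j/123456789",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_URLS):
        flags = []
        if rec["https"]:
            flags.append("https (no comfort)")
        if rec["recipient_in_url"]:
            flags.append("recipient identity in link")
        print(f"{rec['verdict']:10} {rec['brand'] or '-':6} {rec['host']}  {', '.join(flags)}")
```

The check is intentionally conservative about what it calls legitimate: a hostname such as skype.com.evil.example contains the real brand domain as a prefix but resolves to a registrable domain outside the table, so it is flagged. Treat the output as a triage signal to prioritise reported messages, not as a blocklist on its own.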
The phishing emails are credible, the webpages that users are directed to look genuine, and many people will be fooled. Security awareness training will help condition employees to question emails such as these, but given that both campaigns bypassed Microsoft's EOP, businesses should also consider adding an additional layer of email security to their Office 365 accounts.
This is an area where TitanHQ can help. SpamTitan Cloud does not replace EOP for Office 365; it adds an extra layer of protection on top of it, including protection against zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware-laced emails that would otherwise be delivered to Office 365 inboxes.
SpamTitan Cloud is quick and easy to implement and can protect your Office 365 accounts in a matter of minutes. Since the solution is available on a free trial, you will be able to evaluate the difference it makes and see how many malicious messages it blocks before committing to a purchase.
For further information on improving your phishing defenses, give the TitanHQ team a call today.