A widespread phishing campaign has been identified that uses a range of tricks to fool end users and spam filters, with the ultimate goal of stealing Office 365 credentials.

Office 365 credentials are extremely valuable. Phishers can use the compromised email accounts for conducting more extensive phishing attacks on an organization or for business email compromise scams. There is also a market for these credentials and they can be sold for big bucks to other threat groups such as ransomware gangs. Office 365 email accounts also contain a wealth of sensitive data that can easily be monetized.

This campaign involves a range of social engineering techniques to fool end users into believing the emails are genuine. Well-known productivity tools such as SharePoint are impersonated, with the emails claiming to be collaboration requests. Zoom has also been spoofed to make it appear that the recipient has been invited to attend a meeting. The emails include the correct logos and closely resemble the genuine requests they impersonate.

The emails direct users to a phishing webpage where they are required to enter their Office 365 credentials. Those phishing pages include the correct Microsoft logo and styling and appear genuine, other than the URL of the page. The scammers have also used CAPTCHA verification pages that need to be completed to prove the user is a human rather than a bot. The CAPTCHA adds legitimacy to the campaign and gives an illusion of security, whereas its real purpose is to prevent security solutions from crawling and identifying the phishing content.

After passing the CAPTCHA challenge, the user is presented with a fake Office 365 login prompt. After entering their credentials, they are presented with a fake error message and are prompted to re-enter the password. This additional step helps to ensure that the correct password is captured. After completing that step, the user is sent to a legitimate domain advising them that the email message has been released.

The campaign also abuses open redirects to fool end users and security solutions. An open redirect is a legitimate tool that is commonly used in marketing campaigns, where companies want to track responses to email messages and direct users to specific landing pages. The URL to which the user initially tries to connect may be on a trusted domain, so if the user hovers their mouse pointer over the link, they may be convinced that the URL is genuine; however, the attackers then redirect users to a malicious URL, which is added to the trusted link as a parameter.
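One way a mail or web filter can spot this pattern is to look for a query parameter on the hover-visible (trusted) link that itself carries an absolute URL to a different host. The following is an added example, not code from the original post or from any TitanHQ product; the hostnames and the list of redirect-style parameter names are constructed placeholders and heuristics, not indicators from the campaign.

```python
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample links (placeholder hosts, not real indicators).
SAMPLE_LINKS = [
    # Trusted tracking host, but the "redirect" parameter carries an external site.
    "https://trusted-marketing.example.com/track?id=123"
    "&redirect=https%3A%2F%2Fcaptcha-login.example.net%2Fo365",
    # Same tracking host, relative redirect target: benign.
    "https://trusted-marketing.example.com/track?id=124&url=/welcome",
    # Absolute redirect target, but it stays on the same host: benign.
    "https://sharepoint-invite.example.org/collab?u=https://sharepoint-invite.example.org/doc",
]

# Heuristic list of parameter names commonly used for redirect targets (an assumption).
REDIRECT_PARAM_HINTS = (
    "redirect", "redir", "redirect_uri", "url", "u", "next",
    "return", "returnurl", "dest", "destination", "goto", "target", "link",
)


def embedded_redirect_target(link: str) -> Optional[str]:
    """Return the absolute http(s) URL embedded in a redirect-style parameter, if any."""
    parsed = urlparse(link)
    # parse_qs already percent-decodes values; unquote again to handle double encoding.
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAM_HINTS:
            continue
        for value in values:
            candidate = unquote(value)
            target = urlparse(candidate)
            if target.scheme in ("http", "https") and target.netloc:
                return candidate
    return None


def is_suspicious_open_redirect(link: str) -> bool:
    """Flag a link whose visible host differs from the host it ultimately redirects to."""
    target = embedded_redirect_target(link)
    if target is None:
        return False
    return urlparse(target).netloc.lower() != urlparse(link).netloc.lower()


def flag_links(links: List[str]) -> List[str]:
    """Return the subset of links that should be blocked or held for review."""
    return [link for link in links if is_suspicious_open_redirect(link)]


if __name__ == "__main__":
    for link in flag_links(SAMPLE_LINKS):
        print("suspicious open redirect:", link, "->", embedded_redirect_target(link))
```

A time-of-click filter would apply the same check to the final destination after following the redirect chain, since the embedded URL may itself redirect again.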


Microsoft has detected more than 350 unique domains used in the campaign, including a variety of top-level domains from different countries, legitimate domains that have been compromised by the attackers and had phishing content added, as well as domains created by domain generation algorithms (DGAs) and free email domains.

The campaign incorporates several tricks to fool email security gateways, as well as a range of social engineering techniques to fool end users. It is likely that after being fooled into divulging their credentials, victims will be unaware that their credentials have been stolen.

The techniques used in this campaign highlight the importance of adopting a defense-in-depth approach. That means implementing overlapping layers of security to counter the multiple layers of deception. In addition to an advanced spam filtering solution such as SpamTitan, it is advisable to also implement a web filtering solution.

Web filters tackle phishing by preventing access to the malicious phishing domains used in these campaigns. If a phishing email evades the email security gateway, the web filter provides time-of-click protection and can block the attempt to visit the phishing webpage. Instead of allowing the user to access the phishing page, the filter redirects them to a local block page. These measures should be combined with end user training to raise awareness of the risk of phishing and to help employees identify malicious (or potentially malicious) emails. It is also recommended to implement multi-factor authentication on Office 365 email accounts.

If you want to improve your defenses against phishing attacks or have any questions about spam filtering or web filtering, give the TitanHQ team a call today. The SpamTitan Email Security and WebTitan Web Security solutions are both available on a free trial to allow you to see for yourself how effective they are at blocking threats and how easy they are to use.