Office365 administrators as a Phishing target

[German] A short note for administrators of Office 365 installations. A phishing campaign has been identified that aims to capture the credentials of Office 365 administrators.


I became aware of the issue through various sources, such as the following tweet referencing the Bleeping Computer article, or through threatpost.com.

Phishing campaign targets Office 365 admins with an email that looks as if it came from Microsoft and uses subjects such as "Action required" or "We placed a hold on your account" https://t.co/aZDXkLROV3 ^RW

— Trend Micro Deutschland (@TrendMicroDE) November 19, 2019

Security experts at PhishLabs are alerting administrators of Office 365 installations. They discovered a phishing email campaign that abuses real Office 365 accounts at existing businesses to send phishing mails. As a result, these phishing emails may not be caught by spam filters and will be delivered to the administrators.

According to Michael Tyler of PhishLabs, a security vendor specializing in enterprise protection, cybercriminals are trying to compromise Microsoft Office 365 administrative accounts through this approach. Here is an email from a phishing campaign intercepted by PhishLabs.

Phishing mail
(Phishing mail, Source: PhishLabs)

The link then directs the user to a deceptively faked phishing site that displays the Office365.com login dialogs, but intercepts any credentials typed in and forwards them to the phishers.


Screenshot of a phishing site
(Screenshot of a phishing site, Source: PhishLabs)

If they manage to capture the credentials of an Office 365 administrator account, they use that account to send more phishing emails to other recipients. The background: the cybercriminals want to ensure that their phishing emails come from legitimate, validated domains.

Admins as a particularly lucrative target

For threat actors, administrator accounts are a lucrative phishing target for a variety of reasons.

  • Office 365 administrators initially have administrative control over all email accounts in a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account can allow attackers to retrieve user e-mail or take over other e-mail accounts in the domain.
  • In addition, Office 365 administrators often work with elevated privileges for other systems within an organization. This may allow additional accounts to be compromised through password reset attempts or abuse of single sign-on systems.
  • Finally, attackers can create new accounts within the organization by compromising an admin account. This allows single sign-on systems to be abused, or the reputation of the compromised domain to be used for a new wave of further attacks.

According to PhishLabs, the tactic described in the last point was confirmed as part of this campaign: phishing baits were sent from multiple validated domains. PhishLabs gives hints in its article on how the phishing mails can be detected, so that spam filters can be configured accordingly. Administrators are also encouraged to treat mails as potentially compromised even if they come from legitimate domains. Often it can be seen from the sender or the text that something is not kosher. At the latest, the URL of the 'login page' should differ from the Microsoft Office365.com login addresses (URLs).
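To make the two detection hints above concrete (the lure subjects named in the tweet, and a login link whose host is not a Microsoft login address), here is a small mail-screening script. It is an added example written for this post, not code from PhishLabs or Microsoft. The allow-list of legitimate login hosts, the brand tokens, and both sample messages are assumptions constructed for the demonstration; a real deployment would maintain the host list from Microsoft's own documentation.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hosts a genuine Microsoft / Office 365 sign-in link points at.
# Assumption: illustrative allow-list, maintain your own in production.
LEGITIMATE_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "www.office.com",
    "office.com",
}

# Subject phrases the campaign described in this post is reported to use.
SUSPICIOUS_SUBJECT_PHRASES = (
    "action required",
    "we placed a hold on your account",
)

# Brand tokens that, on a non-Microsoft host, suggest a look-alike login page.
BRAND_TOKENS = ("office365", "office-365", "o365", "microsoft", "outlook")

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def extract_urls(body):
    """Return every http(s) URL found in a plain-text body."""
    return URL_RE.findall(body)


def is_lookalike_login_url(url):
    """True when a link uses Microsoft branding but its host is not a known login host."""
    host = (urlparse(url).hostname or "").lower()
    if host in LEGITIMATE_LOGIN_HOSTS:
        return False
    lowered = url.lower()
    return any(token in lowered for token in BRAND_TOKENS)


def plain_text_body(msg):
    """Collect the text/plain parts of a message (multipart or not)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def score_message(raw):
    """Flag a raw RFC 822 message; sender domain is deliberately NOT used,
    because this campaign sends from real, validated business accounts."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    reasons = []
    if any(phrase in subject for phrase in SUSPICIOUS_SUBJECT_PHRASES):
        reasons.append("subject matches campaign lure")
    for url in extract_urls(plain_text_body(msg)):
        if is_lookalike_login_url(url):
            reasons.append("login look-alike URL on host " + (urlparse(url).hostname or "?"))
    return {"subject": msg.get("Subject"), "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real captures); .example domains are placeholders.
PHISHING_SAMPLE = """\
From: IT Support <it-support@partner-company.example>
To: admin@victim.example
Subject: Action required: We placed a hold on your account

Your Office 365 admin account has been limited.
Sign in to restore access: https://office365-login.verify-account.example/signin
"""

LEGIT_SAMPLE = """\
From: Microsoft <noreply@microsoft.example>
To: admin@victim.example
Subject: Your monthly service report

View the report in the admin center: https://login.microsoftonline.com/
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGIT_SAMPLE):
        print(score_message(sample))
```

The script ignores the From header on purpose: since the campaign relays through legitimate compromised tenants, sender reputation is the one signal it defeats, so the check has to rest on the lure text and on where the login link actually goes.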
