When your go-to productivity applications start getting caught up in phishing scams, it makes you take a step back and wonder whether any vendor’s application is truly safe without a third-party security service. Microsoft has been facing a lot of heat from the hackers, be it the Hafnium group or the Dark Halo group. Another Office365 phishing case is currently active, this time targeting new CEOs. Through credential harvesting, this new phishing scam is zeroing in on executives in the financial and insurance sectors.
After getting illegal access to the credentials of top-level execs, the hackers are launching BEC attacks. These hackers are sharp, and can find ways past Microsoft’s inherent email security measures.
“By targeting the financial departments of these companies, the attackers could potentially gain access to sensitive data of third parties through invoices and billing, commonly referred to as a BEC (Business Email Compromise) attack,” security researchers reported on investigating the attacks. “This enables the attackers to send forged invoices from legitimate email addresses to suppliers, resulting in payments being made to attacker-owned accounts.”
Studying the Office365 Phishing methodology
Unlike a majority of phishing attacks, these Office365 phishing attacks aren’t targeted towards a wide pool of victims. They are specific, and are intended towards particularly those CEOs who are newly transitioning into the executive role. When an employee rises to an CXO position, a lot of changes take place, including upgrading their payroll, formalizing their processes, and updating internal systems. During these periods, the company is in a volatile state. People are more focused on the strategic and operational changes coming up ahead, and security can take a backseat.
So how does the O365 phishing attack begin? The hackers have varying methods to escape detection. In one style of attack, hackers send their victims spoofed emails, prodding them to upgrade their Office365 version. The emails originate from valid-looking Microsoft domains, making it seem like Microsoft has itself initiated the conversation for an authentic system upgrade.
What’s interesting is that the hackers have installed valid SPF records in their DNS entries, thus bypassing preliminary email authentication checks.
“In an effort to further avoid detection, the threat actors leveraged their Microsoft-imposter domains in the phishing attacks not long after they were registered,” a security report elaborated. “This quick domain registration turnaround is a common tactic employed by scammers hoping to bait as many victims as possible before their newly registered domains are identified as phishing infrastructure.”
In another style of attack, instead of spoofing Microsoft-related emails, hackers spoof email address of the employees and colleagues working with the CEO, so that she / he will not suspect a phishing scam.
The messaging is similar in these emails and the objective remains that the CEO should click on an Apply Updates button in the email.
Naturally, the button takes the user to a dummy Office365 login page, carefully disguised as Microsoft’s own page. Here the victim is asked to enter their credentials before the update can begin, thus harvesting Office365 credentials. Furthermore, if the victim had used the same set of credentials anywhere else, that would be compromised as well.
The hackers are using these credentials to launch further BEC attacks, sometimes using the CEO’s credentials to send fake invoices to buyers with their own bank account details on the invoice.
5 Steps for protection against email phishing
You may or may not work in the finance or insurance domains, but once a big player like Microsoft falls prey to a phishing attack, it sets off a chain reaction of further phishing attacks.
To prevent Office365 phishing in your own organization, we recommend 5 actionable steps for you to take:
1. Change the passwords of your Office365 systems for good measure. If you are using the same set of credentials anywhere else, change it at once.
2. Implement DMARC so nobody would be able to send emails by borrowing your domain. This would prevent someone spoofing your colleagues’ email ID and sending you fake emails on their behalf. DMARC authenticates using identity alignment, so the presence of an SPF record won’t cut it for the hacker.
3. Enable multi-factor authentication for all your sign-on services.
4. Know better, protect better. Read these complete guides for concrete actionable steps on online security:
5. Protect your systems with an additional layer of security. Don’t rely on the vendor’s in-built security mechanisms. When it comes to email, Logix has two top-notch email threat prevention services, designed to battle against the most advanced of threats:
For any assistance on online security, reach out to us with your queries and we will do our best to help you out.