
Phishing Campaign Used Fake Office 365 Update Messages

Area1 Researchers Say Fake Microsoft Messages Designed to Steal Credentials
An example of a PDF attachment used during the campaign that contained credential-harvesting malware (Source: Area 1)

A recent phishing scheme used fake Microsoft Office 365 update messages to target financial executives and others in an effort to harvest their credentials, according to the security firm Area 1.


"We identified over 100 targeted individuals across 40 companies from numerous industry verticals," says Adin Drabkin, security researcher for Area 1. "Judging by the nature and diversity of targeting of this campaign, there are likely many more organizations outside of our scope that could have been targeted by these actors."

The phishing campaign, which ran from December through February, targeted specific employees based on their position and time on the job with the company, Area 1 researchers say. The attackers primarily targeted organizations in the financial services, insurance and retail sectors. They used malware to bypass Microsoft's native email defenses and authentication processes, according to the Area 1 report.

"Unlike the 'spray and pray' method often seen with these types of cybercriminal-driven credential-harvesting campaigns, this limited activity suggests a more targeted approach," the research team said.

The attackers sent well-crafted phishing emails portrayed as being about Office 365 updates to high-level executives and others with access to important credentials. The emails included a malicious attachment that could load data-harvesting malware.

The attackers used Microsoft-themed sender domains, which enabled their messages to pass email authentication, and delivered the payload in PDF/HTM/HTML attachments. They also used advanced phishing kits, the report notes.

The campaign used nine domains; four were fakes, while the others were compromised legitimate URLs, the researchers determined.

"While we cannot attribute these campaigns with 100% certainty to a specific group or [determine] which exact phishing kit they may be using, there was evidence that the attackers leveraged Russia-based registration and hosting services for many of the sender domains," Adin says. "However, this could easily be a false flag used to stifle attribution."

The Targets

The researchers note that the majority of the phishing emails were sent to individuals in an organization's financial department because their credentials, if stolen, could have given the attackers access to a wide variety of sensitive information that they could use to further attack the organization, its customers or other third parties. The attackers also targeted C-suite members and their executive assistants.

Sometimes, the attackers attempted to single out newly appointed CEOs unfamiliar with a company's software update procedures, the researchers say.

Fake Updates

The phishing emails, offering a fake message about an Office 365 update, had the subject line "Important Service Changes," Area 1 says. To make the emails appear legitimate, they often had registered Microsoft-themed sender domains and included sender names of people who worked at the targeted company, the researchers say.

"The attackers also properly configured the [Sender Policy Framework] records for these domains to better ensure their messages passed email authentication. To further avoid detection, the threat actors leveraged their Microsoft-imposter domains in the phishing attacks not long after they were registered," the researchers say.

The fake "update" was usually stored in a malicious attachment. The attachment had instructions on initiating the process or simply included an "Apply Now" icon. Area 1 describes the attackers' phishing kit as highly advanced and capable of avoiding Microsoft Office 365 and other email defenses.

The native email defenses were bypassed because the credential-harvesting malware loaded automatically in the victim's browser once the victim opened the attached file.

The attackers tried to avoid detection by using the JavaScript escape function to encode the HTML that loads the malicious web page. Once the code was unescaped, the attackers used an HTML "meta" refresh to direct the victim's browser to load the credential-harvesting malware, the researchers say.

Harvesting Credentials

The malware then pushed the victim's browser through a series of HTTP and client-side redirects via JavaScript or Meta fields. This eventually led to what the researchers described as an official-looking Microsoft-themed privacy policy statement with a message to accept it.

If the recipient clicked on accept, they were linked to a spoofed Office 365 login page and asked to enter their email address. A password was then requested after the malware checked to make sure the address was real, the researchers say.

The harvesting malware used WebSockets to send screenshots back to the attackers to enable them to harvest credentials.
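The attachment technique described above (an escape()-encoded HTML body that, once unescaped, carries a meta refresh into a redirect chain and WebSocket-based exfiltration) can be triaged statically before anyone opens the file. The following is an added example written for this article, not Area 1's tooling or code from the campaign; the sample attachment and its `update.example.invalid` host are constructed placeholders, not real indicators.

```python
import re

# Constructed sample (not a real campaign artifact): the visible HTML only contains
# a script that unescape()s an encoded string, and the decoded markup is a meta refresh.
SAMPLE_ATTACHMENT = (
    '<html><body><script>'
    'document.write(unescape("%3Cmeta%20http-equiv%3D%22refresh%22%20'
    'content%3D%220%3B%20url%3Dhttps%3A//update.example.invalid/o365%22%3E"));'
    '</script></body></html>'
)

def js_unescape(s):
    """Reverse JavaScript escape(): %uXXXX for code points >= 256, %XX otherwise."""
    s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)

def extract_unescape_payloads(html):
    """Return every string literal passed to unescape(...) in the document."""
    return re.findall(r'unescape\(\s*["\']([^"\']*)["\']\s*\)', html)

def meta_refresh_targets(html):
    """Return url= values from <meta http-equiv="refresh"> tags (case-insensitive)."""
    targets = []
    for m in re.finditer(r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*>', html, re.I):
        u = re.search(r'url\s*=\s*["\']?([^"\'>\s]+)', m.group(0), re.I)
        if u:
            targets.append(u.group(1))
    return targets

def triage(html):
    """Decode escape()-wrapped layers, then report hidden redirects and WebSocket use."""
    findings = {"encoded_layers": 0, "redirects": [], "websocket": False}
    decoded = html
    for payload in extract_unescape_payloads(html):
        findings["encoded_layers"] += 1
        decoded += "\n" + js_unescape(payload)   # analyse the decoded layer as well
    findings["redirects"] = meta_refresh_targets(decoded)
    findings["websocket"] = bool(re.search(r'\bnew\s+WebSocket\s*\(|wss?://', decoded, re.I))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```

An attachment with an encoded layer whose decoded content immediately redirects the browser elsewhere is a strong signal for quarantine, regardless of whether the sender domain passed SPF.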

Microsoft Exchange Issues

The phishing campaign, which ended in February, came as attackers were exploiting unpatched flaws in on-premises Microsoft Exchange email servers.

On March 2, Microsoft issued emergency patches for four zero-day vulnerabilities. The flaws have been exploited to deliver ransomware, including Black Kingdom.

About the Author

Doug Olenick


Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to TheStreet and Mainstreet.
