Microsoft’s Security Intelligence team has issued an alert to Office 365 users and administrators to be on the lookout for a “crafty” phishing email with spoofed sender addresses.
Microsoft put out an alert after observing an active campaign targeting Office 365 organizations with convincing emails and several techniques to bypass phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that urges victims to type in their Office 365 credentials.
This phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.
The original sender addresses contain variations of the word “referral” and use various top-level domains, including the domain com[.]com, popularly used by phishing campaigns for spoofing and typo-squatting. Typosquatting is the practice of registering domain names very similar to those of legitimate high-volume web sites in hopes of receiving traffic from users who mistakenly enter an incorrect URL in their browsers
Phishing continues to be a tricky problem for businesses to stamp out, requiring regularly updated phishing awareness training and technical solutions, such as multi-factor authentication on all accounts – which both Microsoft and CISA highly recommend.
Phishing is the key component of business email compromise (BEC) attacks, which cost Americans more than $4.2 billion last year, according to the FBI’s latest figures. It’s far more costly than high-profile ransomware attacks. BEC, which relies on compromised email accounts or email addresses that are similar to legitimate ones, are difficult to filter as they blend in with normal, expected traffic.
This phishing group is using Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a “file share” request to access bogus “Staff Reports”, “Bonuses”, “Pricebooks”, and other content hosted in a supposed Excel spreadsheet. It also contains a link that navigates to the phishing page containing plenty of Microsoft branding.
While convincing Microsoft logos are littered across the email, the main phishing URL relies on a Google storage resource that points the victim to the Google App Engine domain AppSpot – a place to host web applications.
“The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page,” Microsoft notes.
The second URL is embedded in the notifications settings links the victim to a compromised SharePoint site. Both URLs require sign-in to get to the final page, allowing the attack to bypass security sandboxes.
“This phishing operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages,” Microsoft notes.
Microsoft has been touting its ‘Safe Links’ Defender for Office 365 phishing protection that ‘detonates’ phishing email at the point a user clicks on a link that matches its list of known phishing pages.
For Office 365 users, enable 2FA (Multi-Factor Authentication) if you can. It can keep you from being tricked.
Deliver David's Tech Talk to my inbox
We'll send David's weekly Tech Talk to your inbox - including the MP3 of the actual radio spot. You'll never miss a valuable tip again!