Microsoft Again Most Spoofed as Office 365 Phishing Evolves

Microsoft is No. 1 again—for all the wrong reasons. The latest “Phishers’ Favorites” report, which highlights brands with the most unique phishing URLs detected by Vade Secure, ranked Microsoft the top impersonated brand in phishing attacks. Microsoft has retained this spot for four straight quarters.

Cloud services overall was the most impersonated industry in phishing attacks, with 42% of all phishing URLs. PayPal, even with its 250 million active users and position as the No. 1 online payment service in the world, consistently ranks below Microsoft in the quarterly report. This is thanks to the popularity of Office 365 among businesses. With Microsoft owning the cloud email market, we expect this trend to continue and we expect phishers to continue honing their techniques for infiltrating Office 365.

When Phishing and Spear Phishing Collide

According to the FBI’s latest Internet Crime Report, phishing cost U.S. victims more than $48 million in 2018, while business email compromise (BEC), a form of spear phishing, cost U.S. businesses a staggering $1.2 billion. The two tactics combined represent a multiphase attack that begins with a credential-harvesting phishing email and evolves into insider spear phishing attacks. It’s is a popular entryway into Office 365, where businesses store sensitive data in SharePoint, OneDrive and other Office 365 applications.

The level of sophistication in the latest Office 365 attacks is alarming, and without the proper phishing awareness training, the average user will not recognize a phishing attempt. Once a hacker is inside Office 365 and using a legitimate email address, spear phishing is all but unrecognizable.

Evolution of a Multiphase Attack

A multiphase attack begins with a phishing email and evolves from Microsoft impersonation to personalized spear-phishing emails launched from within Office 365. A common scenario involves an action-required email that instructs users to log in to their Office 365 account, either to retrieve a shared file from OneDrive or SharePoint, to update account their account information or to log back into their account to regain access the platform.

There are other methods for harvesting credentials on a phishing page, but the above are some of the most common. The phishing pages are highly sophisticated replicas of Microsoft web pages, complete with the login interface, brand logos and images and footers.

Once the victim has entered their Microsoft credentials, the hacker can work within Office 365 using a corporate email address. They then use spear phishing emails to conduct insider attacks. Below are just a few examples of their tactics:

  • Office 365 credential harvesting: Emailing other employees and asking for Office 365 account credentials. The hacker can then impersonate additional employees using legitimate email addresses.
  • Human resources spear phishing: Requesting human resources staff to change direct deposit account information, either for themselves or for a vendor. Often, hackers will convince staff that they’re locked out of their accounts and can’t make the change themselves. Or, the hacker impersonates an executive, which makes the victim act fast and ensures a higher payout.
  • Business email compromise: Impersonates high-ranking employees, such as CEOs and CFOs, requesting wire transfers. This attack typically begins with pretexting, a social engineering tactic that involves several emails designed to identify the right victim and gain their trust.

Why Multiphase Attacks Are Successful

Many businesses can go weeks, and even months, before they realize Office 365 has been breached. Once inside Office 365 using legitimate credentials, hackers can send any number of emails to victims to keep them at bay. In some cases, businesses lose millions of dollars and see additional instances of email fraud in the interim. In a recent example, New Brunswick Catholic Parish in Ohio lost $1.7 million in a spear phishing attack. After the church’s Office 365 account was compromised, hackers convinced an employee to change a vendor’s bank account information and wire payments into a fraudulent account. The church was unaware of the breach until the vendor contacted the church to inquire about missed payments.

Although it’s unclear how the church Office 365 account was compromised, multiphase attacks start with a phishing email. New obfuscation techniques make sophisticated phishing emails extremely difficult to detect. For example, hackers include clean URLs in the email, in addition to the phishing URL. Many email filters are fooled by clean links—if some of the URLs are clean, the email will bypass the filter. This is one of the downsides of reputation-based threat detection.

Additionally, some phishing emails don’t include a phishing URL at all: hackers use a real Microsoft URL and then time-bomb the link—creating a redirect after the email has been successfully delivered. In some cases, phishers redirect victims to legitimate Microsoft webpages after the credential harvesting is complete, putting the victim at ease. Email filters that are simply scanning for known phishing URLs have no recourse against either tactic. Finally, when it comes to spear phishing from within Office 365, an employee would have no reason to suspect that an internal email is illegitimate. Under the right circumstances, employees will do what they’re asked by a superior.

Preventing Attacks

Despite the sophistication of multiphase attacks, it’s not impossible to prevent them. Employee awareness is critical. If a phishing email bypasses a filter, it’s up to employees to spot the attack. Hovering over links in an email to see where the link leads is just one way to spot phishing URLs. They should also check for redirects and email shorteners, such as Bitly and TinyURL. Additionally, employees should always carefully scrutinize the sender email address, which is often hidden on mobile phones in favor of the from alias (which can be easily changed by hackers).

Finally, look beyond reputation and fingerprint-based email filters, which identify only known threats. Artificial intelligence, including machine learning, goes beyond simply scanning for links. Analyzing both the content and context of emails, it looks for URL obfuscations at the time of the click, counterfeit brand images, email spoofing and other abusive patterns common among phishing and spear phishing emails.

Adrien Gendre || Security Boulevard