Office 365 Phishing Attack Verifies Stolen Credentials
The Centristic threat analysis and research team investigated a breach that exposed a new tactic that threat actors are using to rapidly and effectively gain access to Office 365 accounts.
The most common Office 365 phishing messages fall into one of these categories:
Password Expiration Alert
Invoice Payment Request
Shared OneDrive Document
Shared SharePoint Document
Encrypted Message Announcement
How do Phishing Attacks Trick You?
It is not unusual to receive password expiration notifications or payment alerts for your Office 365 account, which is exactly why these lures work. The number of users who fall victim is staggering.
Now, attackers appear to be testing the credentials entered by unsuspecting victims directly against Office 365. This allows them to programmatically determine whether the username and password are valid. We also believe this allows them not only to confirm the validity of the username and password but also to determine whether multifactor authentication is enabled.
Once you click on the link in the email message, a spoofed Office 365 logon page is presented. After the user enters their credentials, the page passes them along to Azure Active Directory (AAD). In the samples the Centristic Research team identified and analyzed, the user was redirected to any of a number of sites after a successful login, or asked to try again if the credentials were incorrect.
In the phishing attacks the Centristic Research team analyzed, the threat actors immediately added forwarding rules to compromised accounts to exfiltrate inbound confidential messages. The rules typically forwarded all messages containing specific text in the subject or body ("wire", "wiring", "transfer", "funding", "payment", "invoice") to an external recipient, in all cases a Gmail account that was certainly created specifically for that compromised account.
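The forwarding rules described above are what a defender should go looking for across every mailbox, not just the one that reported the phish. The following Exchange Online PowerShell script is an added example written for this page; it is not code from the original post or from Centristic. It assumes the ExchangeOnlineManagement module is installed, that the operator has at least View-Only Recipients rights, and that the $InternalDomains list is replaced with the tenant's own accepted domains. It flags inbox rules that forward or redirect outside the tenant, rules that key on the wire/payment words quoted in the post, and mailbox-level forwarding set on the mailbox object itself, which bypasses inbox rules entirely.

```powershell
# Added example, not code from the original post. Hunts Exchange Online mailboxes for
# inbox rules that forward or redirect mail outside the tenant, or that match the
# wire/payment words seen in the analyzed attacks, plus mailbox-level forwarding.
# Assumes the ExchangeOnlineManagement module and View-Only Recipients rights;
# $InternalDomains is a placeholder you replace with your own accepted domains.

Connect-ExchangeOnline

$InternalDomains = @('contoso.com')   # placeholder: your tenant's accepted domains
$Keywords        = @('wire', 'wiring', 'transfer', 'funding', 'payment', 'invoice')

# Returns the addresses in a recipient list that are outside the tenant. Entries arrive
# either as a bare address or in the form '"Display Name" [SMTP:user@domain]'.
function Get-ExternalTarget {
    param([string[]]$Recipients)
    foreach ($r in ($Recipients | Where-Object { $_ })) {
        $addr   = if ($r -match '(?i)smtp:([^\]\s]+)') { $Matches[1] } else { $r }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($InternalDomains -notcontains $domain) { $addr }
    }
}

$Findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {

    # Mailbox-level forwarding (set with Set-Mailbox) does not show up as an inbox rule.
    if ($mbx.ForwardingSmtpAddress) {
        $ext = Get-ExternalTarget -Recipients @($mbx.ForwardingSmtpAddress)
        if ($ext) {
            [pscustomobject]@{
                Mailbox         = $mbx.UserPrincipalName
                Rule            = '<mailbox forwarding>'
                Enabled         = $true
                ExternalTargets = ($ext -join '; ')
                KeywordHits     = ''
            }
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $words   = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                   @($rule.SubjectOrBodyContainsWords)

        $ext  = Get-ExternalTarget -Recipients $targets
        $hits = $words | Where-Object { $_ -and ($Keywords -contains $_.ToLower()) }

        if ($ext -or $hits) {
            [pscustomobject]@{
                Mailbox         = $mbx.UserPrincipalName
                Rule            = $rule.Name
                Enabled         = $rule.Enabled
                ExternalTargets = ($ext -join '; ')
                KeywordHits     = ($hits -join ', ')
            }
        }
    }
}

$Findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Review each hit with the mailbox owner before acting; legitimate rules that forward to a personal address do exist, but a rule that combines an external target with the payment keywords is almost always the pattern described in this post. Disable-InboxRule removes the rule once confirmed, and the compromised account's password and sessions should be reset at the same time, since the rule is only the attacker's persistence, not the initial access.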
The value of an Office 365 credential is quite high for attackers. With most companies leveraging Office 365 and similar services, the successful breach of these accounts may result in brand and individual impersonation, fraud, business email compromise, infecting or scamming partner or customer organizations, and theft of intellectual property and money.
Microsoft recently enforced a Security and Compliance policy that helps to combat automatic forwarding of inbound messages. This and many other available security features can dramatically reduce the vulnerabilities that exist. Don't be a victim. Educate your personnel and harden your systems.
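The tenant-wide forwarding control mentioned above is exposed through a few Exchange Online settings, and it is worth reading the current values before trusting the default. The script below is an added example for this page, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module and Exchange administrator rights. For each setting it shows the value to inspect and the hardened value to apply, and finishes with a mail flow rule that rejects auto-forwarded mail leaving the organization so the block survives a later policy change.

```powershell
# Added example, not code from the original post. Reads the Exchange Online settings
# that govern automatic external forwarding and applies the hardened value for each.
# Assumes the ExchangeOnlineManagement module and Exchange administrator rights.

Connect-ExchangeOnline

# 1. Outbound spam filter policy. 'Off' blocks automatic forwarding to external recipients
#    tenant-wide; 'On' allows it; 'Automatic' defers to Microsoft's default, which now
#    behaves as Off. Read first, then set explicitly rather than relying on the default.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Remote domain setting. The 'Default' remote domain covers every external domain,
#    so AutoForwardEnabled = $false here blocks auto-forward to all of them.
Get-RemoteDomain Default | Select-Object Name, AutoForwardEnabled
Set-RemoteDomain Default -AutoForwardEnabled $false

# 3. A mail flow rule as a second, independently auditable control: any message Exchange
#    classifies as an automatic forward that is bound for outside the organization is
#    rejected with a reason the sender sees.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'
```

Apply these in a test tenant or outside business hours first: some organizations have legitimate auto-forward flows (ticketing systems, shared mailboxes routed to a vendor) that will start bouncing, and the rejection text is what those users will see. A hardened tenant still needs the rule hunt from the previous example, because these settings stop the forwarded mail, not the creation of the rule that signals the compromise.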