Phishing Campaigns Targeting Office 365 Credentials, Spoofing Exchange

A recent spear-phishing campaign is actively targeting Microsoft Office 365 users in an effort to steal user credentials, while another is spoofing Microsoft Exchange Online Protection.


By Jessica Davis


December 16, 2020 - Recent spear-phishing campaigns are again targeting Microsoft Office 365 users in an effort to steal user credentials, while one campaign spoofs Microsoft Exchange Online Protection (EOP), according to recent reports from IRONSCALES and Abnormal Security.


Nearly 200 million O365 users across the globe, particularly in the healthcare, insurance, financial services, manufacturing, utilities, and telecom sectors, are being targeted by the spoofing campaign, IRONSCALES researchers explained.


The well-coordinated attacks were first observed about two weeks ago and are delivered using an exact domain spoofing technique: the sender address on the email is forged to use the spoofed brand's exact domain, not a look-alike, so it precisely matches the legitimate one.


For the latest campaign, IRONSCALES detected emails that look highly legitimate because they imitate a recent O365 feature that lets users reclaim messages previously marked as spam or phishing.


“Specifically, the fraudulent message is composed of urgent and somewhat fear-inducing language intended to convince users to click on what is a malicious link without hesitation,” researchers explained.


“As inferred by the message, the link will redirect users to a security portal in which they can review and take action on ‘quarantined messages’ captured by the EOP filtering stack, the new feature that has only been available since September,” they added.


If the user follows the link, they are asked to enter their O365 credentials on a fake login page designed to look like a legitimate Microsoft sign-in site. The attackers are likely harvesting the credentials to obtain confidential information, attempt financial fraud, sell the accounts online, or steal proprietary data.


Exact domain spoofs are not especially hard for email gateway controls to detect, and researchers explained that both non-cloud-native and legacy secure email gateways (SEGs) can efficiently stop some of these attacks.


“The reason why SEGs can traditionally stop exact domain spoofing is because, when configured correctly, this control is compliant with the domain-based message authentication, reporting & conformance (DMARC), an email authentication protocol built specifically to stop exact domain spoofing,” researchers noted.


“To the naked eye, the most suspicious element of this attack would be the sense of urgency to view the quarantined messages or the unusualness of receiving this type of email solicitation,” they added.
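The researchers' point that a correctly configured gateway stops exact domain spoofing through DMARC is easiest to see with a receiver-side check. The following is an added example written for this page, not code from IRONSCALES, Abnormal Security or Microsoft: a stripped-down DMARC evaluator in the spirit of RFC 7489 that compares the SPF and DKIM verdicts in an Authentication-Results header against the From: domain's published policy. The DMARC records, the domains (example.com, lax-brand.test, examp1e.com, attacker.test) and the header values are constructed test data; no DNS lookup is performed, and organizational-domain handling is simplified to the last two labels rather than the Public Suffix List.

```python
"""Minimal DMARC evaluation for inbound mail (added example, constructed data).

Shows why an exact-domain spoof fails DMARC under p=reject, why the same
spoof is delivered when the brand only publishes p=none, and why a
look-alike domain is outside DMARC's reach entirely.
"""
import re

# Constructed TXT records as a receiver would read them from _dmarc.<domain>.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "lax-brand.test": "v=DMARC1; p=none; rua=mailto:dmarc@lax-brand.test",  # weak setting
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain used for relaxed alignment.
    Simplification: last two labels only; a real receiver consults the
    Public Suffix List so that e.g. 'co.uk' is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts any domain sharing the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Extract (verdict, domain) for spf and dkim from an Authentication-Results
    header value such as 'mx.example; spf=pass smtp.mailfrom=a@b; dkim=none'."""
    results = {}
    for clause in header.split(";")[1:]:  # first clause is the authserv-id
        props = dict(re.findall(r"([\w.]+)=([^\s()]+)", clause))
        if "spf" in props:
            results["spf"] = (props["spf"], props.get("smtp.mailfrom", "").split("@")[-1])
        if "dkim" in props:
            results["dkim"] = (props["dkim"], props.get("header.d", ""))
    return results


def dmarc_disposition(from_addr, auth_results_header, records=DMARC_RECORDS):
    """Return (dmarc_result, action) for the RFC5322.From domain of a message."""
    from_domain = from_addr.split("@")[-1].lower()
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if record is None:
        return ("none", "deliver")  # no policy published: DMARC does not apply
    policy = parse_dmarc(record)
    auth = parse_auth_results(auth_results_header)
    spf, dkim = auth.get("spf"), auth.get("dkim")
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p", "none"), "deliver")
    return ("fail", action)


# Constructed messages: (From: address, Authentication-Results value).
SAMPLE_MESSAGES = {
    # Attacker relay passes SPF for its own domain but the From: is example.com.
    "exact_domain_spoof": (
        "security@example.com",
        "mx.recipient.test; spf=pass (sender IP is 203.0.113.5) "
        "smtp.mailfrom=bounce@relay.attacker.test; dkim=none",
    ),
    "legitimate": (
        "noreply@example.com",
        "mx.recipient.test; spf=pass smtp.mailfrom=bounce@mail.example.com; "
        "dkim=pass header.d=example.com header.s=sel1",
    ),
    # Same spoof against a brand that only monitors (p=none): fails, yet delivered.
    "spoof_of_p_none_domain": (
        "alerts@lax-brand.test",
        "mx.recipient.test; spf=pass smtp.mailfrom=bounce@relay.attacker.test; dkim=none",
    ),
    # Look-alike domain: DMARC for example.com never enters the picture.
    "lookalike_domain": (
        "security@examp1e.com",
        "mx.recipient.test; spf=pass smtp.mailfrom=bounce@examp1e.com; dkim=none",
    ),
}


def evaluate_samples():
    return {name: dmarc_disposition(addr, ar) for name, (addr, ar) in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, (result, action) in evaluate_samples().items():
        print(f"{name:24s} dmarc={result:5s} action={action}")
```

The two failure modes worth noting: the `lax-brand.test` case is what "when configured correctly" in the quote above means in practice, since a `p=none` policy only reports and never blocks, and the `examp1e.com` case shows that DMARC is specific to exact domain spoofing and says nothing about look-alike domains, which is why the researchers point to urgency and unusual solicitations as the remaining human-visible signals.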