Fraudsters Look to Harvest Office 365 Credentials From At-Home Employees
A recently uncovered phishing campaign is spoofing notifications from Microsoft’s Teams collaboration platform in order to harvest Office 365 credentials from employees working from home offices because of the COVID-19 pandemic, according to research from security firm Abnormal Security.
This particular campaign is believed to have targeted between 15,000 and 50,000 Teams and Office 365 users, according to the report released Friday. It’s not clear how successful the attacks were or if this campaign is still ongoing.
Cloud-based video and collaboration platforms such as Microsoft Teams and Zoom have exploded in use over the past two months as the COVID-19 pandemic has forced many employees into home offices for the foreseeable future. For example, Microsoft saw the number of active daily Teams users jump from 44 million at the end of March to 75 million by the end of April, according to the company.
At the same time, these cloud-based platforms and services are being exploited by fraudsters using images and messages cloned from legitimate companies for phishing emails and malicious domains, according to security researchers (see: Cybercriminals Using Zoom, WebEx as Phishing Lures: Report).
“With the increased use of collaborative software to enable remote working, there is an increase in phishing emails that use these services as lures,” Charles Ragland, security engineer at security firm Digital Shadows, tells Information Security Media Group. “Criminals like to craft their emails to be relevant, and targeting users of these platforms is a great way to do that. There’s nothing particularly new or exciting about this attack vector, but it remains a favorite because it’s simple and effective.”
Other security analysts have noticed similar campaigns targeting at-home workers who are increasingly reliant on cloud-based services such as Zoom, Teams and Office 365. On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency published an alert urging organizations to secure cloud-based collaboration services, especially Office 365, which were rushed out to support the large influx of teleworkers in the wake of the COVID-19 pandemic.
2 Types of Attacks
In the phishing campaign that Abnormal Security uncovered, the fraudsters crafted realistic-looking messages that mimicked automated notification emails from Microsoft Teams. These phishing emails attempted to lure victims to spoofed landing pages that use cloned images and language taken directly from Microsoft’s official Teams and Office 365 websites to give these domains a realistic look.
The attackers also sent the messages from domains that appeared legitimate. In one case, phishing emails came from a recently registered domain called “sharepointonline-irs.com,” which is not associated with either Microsoft or the U.S. Internal Revenue Service, according to the report.
Spoofed notification that appears to come from Teams (Source: Abnormal Security)
Fraudsters also used numerous URL redirects to help bypass security tools, the report notes.
This campaign used two attacks to target victims. In one attack, the fraudsters used phishing emails that contained a link to a document that appeared to come from an established email marketing provider. If the user clicked on the document, an image from Microsoft Teams appeared and urged the victim to log into their account.
That spoofed Teams image contained another URL that took the potential victim to a malicious domain designed to look like an Office 365 landing page and asked the user to enter his or her credentials. If a user did provide a username and password, the attackers harvested them.
In the second attack, the phishing emails contained links that redirected the victim to a YouTube page. After several more redirects, the victim was sent to a fake Office 365 login page and asked to enter their credentials, which were then harvested by the fraudsters.
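As an added illustration (not code from the report or this article), the following defender-side check walks a link's redirect chain and flags a landing host that borrows Microsoft branding without being a Microsoft-owned domain, which is the pattern both attack chains above rely on. The redirect table, the `.example` hosts and the three-hop threshold are constructed assumptions; sharepointonline-irs.com is the domain named in the report.

```python
"""Flag links that chain through redirects to a lookalike Office 365 login page."""
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP hops. The .example hosts
# are placeholders; sharepointonline-irs.com is the domain cited in the report.
REDIRECTS = {
    "https://mail-provider.example/track/abc": "https://video-site.example/watch?v=1",
    "https://video-site.example/watch?v=1": "https://cdn-hop.example/r/2",
    "https://cdn-hop.example/r/2": "https://sharepointonline-irs.com/office365/login",
    "https://docs.example/file/9": "https://login.microsoftonline.com/",
}

# Registrable domains Microsoft actually uses for Office 365 / Teams sign-in.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com",
                     "sharepoint.com", "live.com", "office365.com"}
# Brand words a lookalike host borrows to pass as a Microsoft property.
BRAND_TOKENS = ("microsoft", "office", "office365", "sharepoint", "teams", "o365")
# Assumed threshold: this many redirect hops or more is treated as evasion.
MAX_NORMAL_HOPS = 3


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for .com-style hosts."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def follow_redirects(url: str, max_hops: int = 8) -> list:
    """Walk the constructed redirect table and return every hop visited."""
    chain = [url]
    while chain[-1] in REDIRECTS and len(chain) <= max_hops:
        chain.append(REDIRECTS[chain[-1]])
    return chain


def assess_link(url: str, max_hops: int = 8) -> dict:
    """Resolve the chain, then judge the final landing host."""
    chain = follow_redirects(url, max_hops)
    host = urlparse(chain[-1]).hostname or ""
    flat = host.lower().replace("-", "").replace(".", "")  # e.g. sharepointonlineirscom
    brand_in_name = any(token in flat for token in BRAND_TOKENS)
    lookalike = brand_in_name and registrable_domain(host) not in MICROSOFT_DOMAINS
    hops = len(chain) - 1
    return {
        "hops": hops,
        "final_host": host,
        "lookalike_microsoft": lookalike,
        "suspicious": lookalike or hops >= MAX_NORMAL_HOPS,
    }
```

In a real mail gateway the redirect table would be replaced by sandboxed HTTP fetches and the domain check by a proper public-suffix list.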
“Should the recipient fall victim to this attack, this user’s credentials would be compromised,” the Abnormal Security researchers note. “Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single sign-on.”
In addition to the phishing emails that Abnormal Security researchers uncovered, security firm Group-IB announced this week that its analysts found a separate campaign that targeted high-level executives using Office 365 (see: Phishing Campaigns Target Senior Executives via Office 365).
The spear-phishing campaign that Group-IB discovered has targeted about 150 business executives since mid-2019 and appears to have originated in Nigeria.
Also this week, Microsoft pushed out a patch for Teams after researchers with security firm CyberArk discovered a vulnerability in the platform that attackers could exploit with weaponized GIF images to take over an organization’s accounts (see: Microsoft Patches Teams Vulnerability).
Managing Editor Scott Ferguson contributed to this report.