Fraudsters Using Evasive Techniques to Bypass Secure Email Gateways
Phishing emails used during recent campaign to target Office 365 users (Source: Microsoft)
Microsoft’s Security Intelligence team is warning users of the Office 365 suite about an ongoing phishing campaign that appears to be harvesting victims’ credentials.
The phishing emails, which are still circulating, use several techniques to bypass and evade secure email gateways, according to Microsoft’s analysis. The fraudsters use social engineering techniques and timely subject lines as a way to lure victims into clicking the emails and inputting their credentials, which are then harvested.
“The campaign uses timely lures relevant to remote work, like password updates, conferencing info and helpdesk tickets,” according to the report.
The evasion techniques, combined with heavy obfuscation of the malicious messages within the HTML code, are helping to make this phishing campaign difficult to detect.
We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.
— Microsoft Security Intelligence (@MsftSecIntel) November 16, 2020
After examining some of the phishing emails, the Microsoft researchers noted several ways that the fraudsters are attempting to avoid security tools. For example, they are using redirector URLs that can detect connections stemming from sandbox environments, which are typically used by analysts to detect these types of attacks.
Each of the redirector sites uses a subdomain that contains a username and the organization’s domain name to help increase the authentic look of the phishing email, according to the report.
“This unique subdomain is added to a set of base domains, typically compromised sites,” according to Microsoft. “Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.”
The large number of unique subdomains also lets the fraudsters send high volumes of phishing emails as part of the campaign while avoiding detection, and it gives the attackers a way to avoid sandboxes, according to the report.
“If the redirector detects that it’s being accessed from a sandbox environment or if the URL has expired, it redirects to legitimate sites, such that it can evade automated analysis, and only actual users reach the phishing site,” Microsoft reports.
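The URL pattern Microsoft describes (an extra dot after the TLD, followed by the recipient's Base64-encoded email address) can be checked for in message bodies. The following is an added detection example, not code from Microsoft or from the original article. The two URL layouts it accepts (`host./<token>` and `host.<token>`), the function names and the sample message are assumptions, since the report does not spell out the exact format.

```python
import base64
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def decode_email(token):
    """Return the e-mail address a Base64 token decodes to, else None."""
    if len(token) < 8:
        return None
    t = token.replace("-", "+").replace("_", "/").rstrip("=")
    t += "=" * (-len(t) % 4)              # restore padding that may be stripped
    try:
        text = base64.b64decode(t, validate=True).decode("ascii")
    except ValueError:                     # bad alphabet, bad length or non-ASCII bytes
        return None
    return text if EMAIL_RE.fullmatch(text) else None

def inspect_url(url):
    """Flag a URL whose host is followed by an extra dot and a Base64 e-mail."""
    parts = urlsplit(url)
    # Use netloc, not .hostname: Base64 is case-sensitive and .hostname lowercases.
    netloc = parts.netloc.rsplit("@", 1)[-1].split(":")[0]
    if netloc.endswith("."):               # assumed layout A: host./<token>
        host, token = netloc.rstrip("."), parts.path.lstrip("/").split("/")[0]
    elif "." in netloc:                    # assumed layout B: host.<token>
        host, token = netloc.rsplit(".", 1)
    else:
        return None
    email = decode_email(token)
    if email is None:
        return None
    user, _, domain = email.lower().partition("@")
    host = host.lower()
    return {"url": url, "recipient": email, "host": host,
            # report: the subdomain carries the username and the org's domain
            "personalised": user in host and domain in host}

def scan(body):
    """Return a finding for every flagged URL in a message body."""
    return [hit for hit in map(inspect_url, URL_RE.findall(body)) if hit]

# Constructed sample message; names use reserved example domains.
TOKEN = base64.b64encode(b"jdoe@example.org").decode()
SAMPLE_BODY = f"""Password Update required: https://jdoe.example.org.basedomain.example./{TOKEN}
Mirror: https://jdoe.example.org.basedomain.example.{TOKEN}
Help: https://www.example.com/account/reset"""
```

A finding whose decoded `recipient` matches the mailbox the message was delivered to is a strong signal that the link was generated per target.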
Microsoft also warns that the phishing emails use social engineering techniques based on work-from-home scenarios to get potential victims to click on a malicious link. The subject lines include “Password Update,” “Exchange proteccion,” “Helpdesk-#,” “SharePoint” and “Projects_communications.”
Microsoft doesn’t describe how the Office 365 credentials are harvested in this campaign. But a sample email shows a malicious link that asks for a password reset. If clicked, this link could lead to a phishing landing page, where a user would enter credentials that the fraudsters would then harvest.
Other security firms, such as Cofense, have noted similar techniques in attacks that target Office 365 users (see: Phishing Attack Bypassed Office 365 Multifactor Protections).
Other Office 365 Attacks
In May, Group-IB described an earlier campaign that targeted the Office 365 accounts of 150 businesses in an attempt to steal documents and other data from high-ranking executives (see: Phishing Campaigns Target Senior Executives via Office 365).
In July, Abnormal Security found fraudsters using fake Zoom alerts that helped disguise phishing emails designed to harvest Office 365 usernames and passwords (see: Zoom-Themed Phishing Campaign Targets Office 365 Credentials).