[BreachExchange] This new phishing attack is 'sneakier than usual', Microsoft warns

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Aug 2 12:08:55 EDT 2021


https://www.zdnet.com/article/microsoft-watch-out-for-this-sneakier-than-usual-phishing-attack/

Microsoft's Security Intelligence team has issued an alert to Office 365
users and admins to be on the lookout for a "crafty" phishing email with
spoofed sender addresses.


Microsoft put out an alert after observing an active campaign targeting
Office 365 organizations with convincing emails and several techniques to
bypass phishing detection, including an Office 365 phishing page, Google
cloud web app hosting, and a compromised SharePoint site that urges victims
to type in their credentials.

"An active phishing campaign is using a crafty combination of
legitimate-looking original sender email addresses, spoofed display sender
addresses that contain the target usernames and domains, and display names
that mimic legitimate services to try and slip through email filters," the
Microsoft Security Intelligence team said in an update.

"The original sender addresses contain variations of the word "referral"
and use various top-level domains, including the domain com[.]com,
popularly used by phishing campaigns for spoofing and typo-squatting."

Phishing continues to be a tricky problem for businesses to stamp out,
requiring regularly updated phishing awareness training and technical
solutions, such as multi-factor authentication on all accounts – which both
Microsoft and CISA highly recommend.

Phishing is a key component of business email compromise (BEC) attacks,
which cost Americans more than $4.2 billion last year, according to the
FBI's latest figures. It's far more costly than high-profile ransomware
attacks. BEC, which relies on compromised email accounts or email addresses
that are similar to legitimate ones, is difficult to filter as it blends
in with normal, expected traffic.

The phishing group is using Microsoft SharePoint in the display name to
entice victims to click the link. The email poses as a "file share" request
to access bogus "Staff Reports", "Bonuses", "Pricebooks", and other content
hosted in a supposed Excel spreadsheet. It also contains a link that
navigates to the phishing page and plenty of Microsoft branding.
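The header-level indicators the article lists (an original sender address containing a variation of "referral", the com[.]com domain, a visible From address that reuses the target's own user name and domain, and a display name that mimics SharePoint) can be turned into a simple mail-triage heuristic. The following is an added example, not code from the article, ZDNet or Microsoft; the function names, the indicator lists and the two sample messages are constructed for illustration, and the Microsoft-owned sending domains listed are an assumption that a real deployment would replace with its own allow list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the article; the exact spellings matched here are an
# assumption, not a published signature.
REFERRAL_RE = re.compile(r"referr?al", re.IGNORECASE)
SUSPICIOUS_TLDS = ("com.com",)
MIMICKED_BRANDS = ("sharepoint", "onedrive", "office 365")
# Assumed legitimate sending domains for SharePoint notifications (placeholder list).
BRAND_OWNED_DOMAINS = ("microsoft.com", "sharepointonline.com")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _in_domain(dom, allowed):
    """True if dom equals one of allowed or is a subdomain of it (no suffix tricks)."""
    return any(dom == a or dom.endswith("." + a) for a in allowed)


def score_message(raw):
    """Return the list of indicator names triggered by one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    disp_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    from_dom, rp_dom, to_dom = _domain(from_addr), _domain(return_path), _domain(to_addr)

    # 1. Visible From claims the recipient's own domain while the envelope sender is elsewhere.
    if from_dom and from_dom == to_dom and rp_dom and rp_dom != to_dom:
        findings.append("from_spoofs_recipient_domain")
    # 2. Envelope sender domain contains a "referral" variant.
    if REFERRAL_RE.search(rp_dom):
        findings.append("referral_sender_domain")
    # 3. Envelope sender domain ends in a TLD pattern the article calls out.
    if _in_domain(rp_dom, SUSPICIOUS_TLDS):
        findings.append("suspicious_tld")
    # 4. Display name impersonates a Microsoft service but the address is not brand-owned.
    if any(b in disp_name.lower() for b in MIMICKED_BRANDS) and not _in_domain(from_dom, BRAND_OWNED_DOMAINS):
        findings.append("brand_display_name_mismatch")
    return findings


# Constructed sample: mimics the pattern described in the article.
SAMPLE_PHISH = """\
Return-Path: <noreply@referral-notify.com.com>
From: "SharePoint File Share" <alice@example.org>
To: alice@example.org
Subject: Staff Reports shared with you

Please sign in to view the shared file.
"""

# Constructed sample: a notification from an assumed brand-owned domain.
SAMPLE_LEGIT = """\
Return-Path: <no-reply@sharepointonline.com>
From: "Bob Jones via SharePoint" <no-reply@sharepointonline.com>
To: alice@example.org
Subject: Bob shared "Q3 plan" with you

Open the document in SharePoint.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample))
```

Each finding is a separate signal; in practice a message would be quarantined or routed to review when several co-occur, and the "referral" and com.com checks should be tuned against the organization's own mail flow before being used to block anything.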

While convincing Microsoft logos are littered across the email, the main
phishing URL relies on a Google storage resource that points the victim to
the Google App Engine domain AppSpot – a place to host web applications.

"The emails contain two URLs that have malformed HTTP headers. The primary
phishing URL is a Google storage resource that points to an AppSpot domain
that requires the user to sign in before finally serving another Google
User Content domain with an Office 365 phishing page," Microsoft notes.

The second URL, embedded in the notification settings, links the victim to
a compromised SharePoint site. Both URLs require sign-in to get to the
final page, allowing the attack to bypass sandboxes.

This campaign is "sneakier than usual", Microsoft notes.

Microsoft has been touting its 'Safe Links' Defender for Office 365
phishing protection feature that 'detonates' phishing email at the point a
user clicks on a link that matches its list of known phishing pages.

Microsoft has also published details on GitHub about the infrastructure
linked to the spoofed emails imitating SharePoint and other products for
credential phishing.

"The operator is also known to use legitimate URL infrastructure such as
Google, Microsoft, and Digital Ocean to host their phishing pages,"
Microsoft notes.