Share this article on:
Microsoft has issued a warning to Office 365 about an ongoing phishing campaign targeting user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested.
A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes.
The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code.
Microsoft notes that the redirector sites have a unique subdomain that includes a username and the targeted organization’s domain name to add realism to the campaign. The phishing URLs have an extra dot after the top-level domain, after which is the Base64 encoded email address of the recipient. The phishing URLs are often added to compromised websites, rather than used on attacker owned domains. Since many different subdomains are used, it is possible to send large volumes of phishing emails and evade security solutions.
Office 365 credentials are highly sought after. Email accounts can be accessed and used for further phishing attacks, business email compromise scams, and the accounts often contain a wealth of sensitive data, including protected health information. Once an attacker has access to the Office 365 environment, they can access sensitive stored documents, and conduct further attacks on the organization.
Microsoft explained that Microsoft 365 Defender for Office 365 can detect phishing emails in this campaign and resolve attacks, but a recent study by IRONSCALES has shown that many email security gateways fail to block these sophisticated phishing threats.
The Israel-based security firm recently published data from a test of the leading secure email gateways and found they failed to block around half of advanced phishing attempts, including spear phishing and social engineering attacks. The company used its Emulator to test the effectiveness of five of the top secure email gateways, including Microsoft’s Advanced Threat Protection (APT), and simulated real-world phishing scenarios to see how each performed.
For the tests, IRONSCALES conducted 162 emulations (16,200 emails) against the top 5 secure email gateways and found 47% of the emails were delivered to inboxes – 7,614 emails. The penetration rate – the percentage of emails that bypassed the secure email gateways – ranged from 35% to 55% across the 5 tested security solutions.
The leading secure email gateways were effective at blocking emails containing malicious attachments, with only 4% being delivered to inboxes, and just 3% of emails containing links to malicious files were delivered. However, they were far less effective at blocking social engineering and email impersonation attacks, which accounted for 30% of all successfully delivered emails. Domain name impersonations accounted for 25% of the delivered emails. These emails linked to a domain name that had the right records set in the DNS. Emails containing links to URLs containing fake login pages were delivered 16% of the time.
The tests highlighted the need for AI-driven security solutions that have natural language understanding and the importance of providing security awareness training to the workforce, as many of these advanced phishing threats will reach end user inboxes.