Cyberespionage group launches sophisticated phishing attacks against Outlook Web App users

The group targeted military agencies, embassies, defense contractors and media organizations, researchers from Trend Micro said

A cyberespionage group has been using advanced spear-phishing techniques to steal email log-in credentials from the employees of military agencies, embassies, defense contractors and international media outlets that use Office 365's Outlook Web App.

The group behind the attack campaign has been operating since at least 2007, according to researchers from Trend Micro, who published a research paper on Wednesday about the attacks, which they dubbed Operation Pawn Storm.

The Pawn Storm attackers have used a variety of techniques over the years to compromise their targets, including spear-phishing emails with malicious Microsoft Office attachments that installed a backdoor-type malware program called SEDNIT or Sofacy, or selective exploits injected into compromised legitimate websites.

The group used one particularly interesting technique in email phishing attacks against organizations that use the Outlook Web App (OWA), which is part of Microsoft's Office 365 service.

For each phishing attack, the group created two fake domains: one very similar to that of a third-party website known to the victims -- like that of an upcoming industry conference for example -- and one similar to the domain used by the targeted organization's Outlook Web App deployment.

The attackers then crafted phishing emails with a link to the fake third-party site where they hosted non-malicious JavaScript code whose purpose was twofold: to open the actual legitimate site in a new tab and to redirect the already opened Outlook Web App browser tab to a phishing page.

"The JavaScript made it appear that the victims' OWA sessions ended while at the same time, tricked them into reentering their credentials," the Trend Micro researchers wrote in their paper. "To do this, the attackers redirected victims to fake OWA log-in pages by setting their browsers' open windows property."

This technique does not exploit any vulnerabilities and works in any popular browser, including Internet Explorer, Mozilla Firefox, Google Chrome and Apple's Safari, the researchers said. However, two conditions need to be met: the victims need to use OWA and they need to click on the embedded links from OWA's preview pane, they said.

This can be a powerful attack, because the victims know they had a legitimate OWA session open in that browser tab and might not check whether the URL has changed before re-entering their credentials.
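The redirect described above depends on the new tab holding a `window.opener` reference back to the OWA tab, which a link opened with `target="_blank"` hands over unless it carries `rel="noopener"`. The following helpers, added here as an example and not code from the Trend Micro paper or from Microsoft, audit an HTML fragment (such as a rendered email body) for anchors that still expose the opener and rewrite them; the sample markup is constructed.

```javascript
// Added example: audit and harden target="_blank" links so a page opened in a
// new tab gets no window.opener reference to the tab that opened it.

const REQUIRED_REL = ['noopener', 'noreferrer'];

// Extract the rel attribute (if any) and its tokens from an anchor's attributes.
function parseRel(attrs) {
  const m = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
  return { match: m, tokens: m ? m[1].toLowerCase().split(/\s+/).filter(Boolean) : [] };
}

function opensNewWindow(attrs) {
  return /\btarget\s*=\s*["']?_blank\b/i.test(attrs);
}

// Return the href of every anchor that opens a new window without noopener.
function auditBlankLinks(html) {
  const exposed = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = m[1];
    if (!opensNewWindow(attrs)) continue;
    if (parseRel(attrs).tokens.includes('noopener')) continue;
    const href = attrs.match(/\bhref\s*=\s*["']([^"']*)["']/i);
    exposed.push(href ? href[1] : '');
  }
  return exposed;
}

// Rewrite those anchors so they carry rel="noopener noreferrer",
// keeping any rel tokens that were already present.
function hardenBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    if (!opensNewWindow(attrs)) return tag;
    const { match, tokens } = parseRel(attrs);
    const merged = [...new Set([...tokens, ...REQUIRED_REL])].join(' ');
    const rel = `rel="${merged}"`;
    const out = match ? attrs.replace(match[0], rel) : `${attrs} ${rel}`;
    return `<a${out}>`;
  });
}

// Constructed sample: one link exposing the opener, one already hardened.
const SAMPLE_HTML =
  '<p><a href="https://conference.example/agenda" target="_blank">Agenda</a> ' +
  '<a href="https://intranet.example/" target="_blank" rel="noopener">Intranet</a></p>';

console.log(auditBlankLinks(SAMPLE_HTML));        // flags the conference link
console.log(auditBlankLinks(hardenBlankLinks(SAMPLE_HTML))); // nothing left
```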

In addition to using domain names that were very similar to those used by the targeted organizations for their real OWA log-in pages, in some cases the attackers even purchased legitimate SSL certificates so that the victims' browsers display the HTTPS secure connection indicators for the phishing sites, the Trend Micro researchers said.
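Because the fake log-in pages sat on domains chosen to resemble the organization's real OWA host, one practical detection is to compare hostnames seen in proxy or DNS logs against that host by edit distance. The code below is an added example, not from the Trend Micro paper; the legitimate host and the log hostnames are constructed.

```javascript
// Added example: flag hostnames that are close lookalikes of the
// organization's own OWA host (assumed value, constructed for illustration).

const OWA_HOST = 'mail.example-org.com';

// Levenshtein edit distance using a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];       // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];    // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return hosts that are within maxDistance edits of the legitimate host
// but are not that host itself.
function lookalikeCandidates(hosts, legit = OWA_HOST, maxDistance = 2) {
  return hosts.filter(h => h !== legit && editDistance(h.toLowerCase(), legit) <= maxDistance);
}

// Constructed hostnames as they might appear in a proxy log.
const SAMPLE_HOSTS = [
  'mail.example-org.com',   // the real OWA host
  'mail.exarnple-org.com',  // "rn" in place of "m"
  'mail-example-org.com',   // dot swapped for a hyphen
  'login.example-org.com',  // a different legitimate-looking subdomain
  'cdn.vendor.example',
];

console.log(lookalikeCandidates(SAMPLE_HOSTS));
```

The distance threshold is a tuning knob; the same helper can be applied to newly registered domains or certificate-transparency log entries, since the article notes that the attackers bought valid SSL certificates for the lookalike hosts.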

Among those targeted with this technique were employees of the U.S. private military company ACADEMI, formerly known as Blackwater; the Organization for Security and Co-operation in Europe (OSCE); the U.S. Department of State; U.S. government contractor SAIC; a multinational company based in Germany; the Vatican Embassy in Iraq; broadcasting companies in several countries; the defense ministries of France and Hungary; Pakistani military officials; Polish government employees; and military attachés from various countries.

The phishing baits used by the attackers included well-known events and conferences that their victims were interested in.

"Apart from effective phishing tactics, the threat actors used a combination of proven targeted attack staples to compromise systems and get into target networks -- exploits and data-stealing malware," the Trend Micro researchers said. "SEDNIT variants particularly proved useful, as these allowed the threat actors to steal all manner of sensitive information from the victims' computers while effectively evading detection."


Stories by Lucian Constantin
