Phishing attackers are using compromised corporate Microsoft Office 365 accounts to trick other employees into giving up their Office 365 credentials.
A group of attackers from West Africa are successfully convincing employees to drop their guard by sending phishing email from legitimate but compromised Office 365 accounts, according to Fujitsu’s Cyber Threat Intelligence group.
Since at least June the group has used the technique to trick targets into coughing up credentials with email containing bogus messages purportedly related to DocuSign and Office 365.
The attackers boost their chances of success by sending phishing email from a legitimate Office 365 account of a supplier that has been compromised.
As usual with phishing, the email contains a message that prompts the recipient to click a link and then type in their credentials to a web page, in this case a bogus Office 365 login page.
The DocuSign phishing email tells the user a document is ready to review and prompts the user to view it by clicking a “review” button and signing in with their correct credentials. The Office 365 phish claims to be from Microsoft’s Office 365 Team and suggests the user has used up their “email quota”.
Once the attackers acquire credentials from an employee in a company, they repeat the attack on co-workers and their external contacts.
Fujitsu calls the tactic a “chain phishing attack” since it exploits the trust that targets place in their supply chain contacts.
Compromised Office 365 credentials could also be used to access other Office 365-connected services, such as Skype, SharePoint, Yammer, Azure, and Dynamics, it warns.
The tactics bear some of the hallmarks of business email compromise (BEC) fraud, where compromised or spoofed company email accounts are used to trick an employee into wiring funds to a fraudster’s account under the guise they’re paying a legitimate supplier.
There were 243 BEC victims in Australia in the first three months of the 2016-2017 financial year, according to official figures. The FBI estimates organizations in 132 nations have been exposed to $5bn in losses due to BEC fraud since 2013.
Indeed, Fujitsu suggests the campaign may be part of a BEC fraud scheme, given that the inside information the attackers acquire via compromised credentials could help them target organizations for this type of fraud. Also, it notes the subjects of the phishing email are similar to those sent to financial controllers targeted by BEC fraudsters.
Barracuda Networks in August reported a similar phishing attack on Office 365 users that used email appearing to be a request from Microsoft to reactivate their Office 365 account. The phishers had created a well-designed look-alike Microsoft login page designed to steal Office 365 credentials.
Once an Office 365 account has been compromised it’s easy for the attacker to set up forwarding rules so that they can observe the target’s behavior. Again, this would be valuable for a BEC fraudster.
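The practical counter-check to the forwarding-rule tactic is a periodic audit of every mailbox for rules or mailbox-level settings that send mail outside the organisation. The script below is an added example written for this article, not code from Fujitsu, Barracuda or Microsoft. It assumes the tenant's inbox rules and mailbox forwarding settings have already been exported to JSON, with field names mirroring the Exchange Online `Get-InboxRule` and `Get-Mailbox` properties (`ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `ForwardingSmtpAddress`); the export embedded in `SAMPLE_EXPORT` and the `INTERNAL_DOMAINS` list are constructed for the example.

```python
"""Audit an export of Exchange Online inbox rules and mailbox forwarding
settings, flagging anything that forwards or redirects mail to an external
domain. Example code; the export format is an assumption that mirrors the
Get-InboxRule / Get-Mailbox property names."""
import json
import re

# Domains the organisation owns (assumed value for this example).
INTERNAL_DOMAINS = {"example.com", "example.co.uk"}

# Matches an SMTP address inside plain addresses, "smtp:addr" strings and
# Exchange's '"Display Name" [SMTP:addr]' recipient format; group 1 = domain.
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w.-]+)")

# Constructed sample export: two mailbox-level settings and three inbox rules.
SAMPLE_EXPORT = json.dumps({
    "mailboxes": [
        {"Identity": "alice@example.com", "ForwardingSmtpAddress": None,
         "DeliverToMailboxAndForward": False},
        {"Identity": "bob@example.com",
         "ForwardingSmtpAddress": "smtp:bob.backup@mail-collector.invalid",
         "DeliverToMailboxAndForward": True},
    ],
    "inbox_rules": [
        {"Mailbox": "alice@example.com", "Name": "Finance to shared", "Enabled": True,
         "ForwardTo": ['"Finance" [SMTP:finance@Example.com]'],
         "RedirectTo": [], "ForwardAsAttachmentTo": []},
        {"Mailbox": "alice@example.com", "Name": "Invoices", "Enabled": True,
         "ForwardTo": [], "RedirectTo": ["invoices-review@outlook-mail.invalid"],
         "ForwardAsAttachmentTo": []},
        {"Mailbox": "carol@example.com", "Name": "Old rule", "Enabled": False,
         "ForwardTo": ["archive@offsite-archive.invalid"],
         "RedirectTo": [], "ForwardAsAttachmentTo": []},
    ],
})


def extract_domain(recipient):
    """Return the lower-cased domain of the first address in the string, or None."""
    if not recipient:
        return None
    match = ADDRESS_RE.search(recipient)
    return match.group(1).lower() if match else None


def is_external(recipient, internal_domains):
    """True when the recipient's domain is not one the organisation owns."""
    domain = extract_domain(recipient)
    return domain is not None and domain not in {d.lower() for d in internal_domains}


def find_external_forwarding(export_json, internal_domains):
    """Return one finding per mailbox setting or inbox rule that sends mail
    to an external domain. Disabled rules are reported too, since a rule an
    attacker created and later disabled is still worth reviewing."""
    data = json.loads(export_json)
    findings = []

    # Mailbox-level forwarding (the ForwardingSmtpAddress property).
    for mailbox in data.get("mailboxes", []):
        target = mailbox.get("ForwardingSmtpAddress")
        if target and is_external(target, internal_domains):
            findings.append({"mailbox": mailbox["Identity"], "source": "mailbox_forwarding",
                             "name": None, "enabled": True, "targets": [target]})

    # Inbox rules: any of the three recipient-bearing actions counts.
    for rule in data.get("inbox_rules", []):
        targets = [t for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
                   for t in (rule.get(key) or []) if is_external(t, internal_domains)]
        if targets:
            findings.append({"mailbox": rule["Mailbox"], "source": "inbox_rule",
                             "name": rule.get("Name"), "enabled": bool(rule.get("Enabled")),
                             "targets": targets})
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_EXPORT, INTERNAL_DOMAINS):
        state = "enabled" if finding["enabled"] else "DISABLED"
        print(f'{finding["mailbox"]}: {finding["source"]} {finding["name"] or ""} '
              f'[{state}] -> {", ".join(finding["targets"])}')
```

Run against the constructed export, the script reports Bob's mailbox-level forward and Alice's redirect rule, and also Carol's disabled rule; the internal "Finance to shared" rule is left alone. In a real tenant the export step would be a scheduled job, and any finding on a mailbox that also shows a recent sign-in from an unfamiliar location deserves immediate attention.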
Besides security awareness training, organizations should enable defenses Microsoft offers, such as Office 365’s multi-factor authentication.