Phishers targeting Office 365 admins have a new trick up their sleeve

Phishers targeting Office 365 admins have a new trick up their sleeve: they are checking the credentials entered into the spoofed login page in real-time and, if they are valid, the victims are redirected to their real Office 365 inbox.

“If the login fails, the end-user is presented with a fake Office 365 login error, asking them to provide their credentials again, as they would in a genuine Office login. This method is something we have not seen before,” Avanan researchers told Help Net Security.

The attack, step by step

It all starts with a fake notification, supposedly coming from Microsoft:

phishers targeting Office 365 admins

All of links in the email point to a fake Office 365 login page, located in a Microsoft Azure Blob and accessible via a windows.net domain (complete with a valid Microsoft SSL certificate).

According to Avanan, the login page includes a script that validates the Office 365 credentials by triggering a back-end IMAP client that tries to login in real-time.

“If login is successful, the hackers immediately start syncing the victim’s emails to a remote client via IMAP protocol, while the victim’s browser directs to the real Office 365 portal. This provides a genuine ‘conclusion’ to the attack so that the victim isn’t aware of the account compromise,” they explained.

If the login fails, the victim will be shown an error page just like they would on the legitimate Office 365 site. This step effectively neutralizes the advice often given to users to try entering fake credentials if they believe a login form might be fake.

Ultimately, the phishing victim might not realize their account has been compromised for quite a while, leaving the attackers free to make covert changes that might work in their favor.

Protect your Office 365 accounts

To protect Office 365 admin and other types of accounts, Avanan researchers advise enabling multi-factor authentication (MFA) and disabling IMAP access if possible as, under specific circumstances, IMAP can be exploited to bypass MFA.

“IT employees should not have admin access for their day-to-day account. It is recommended to have two separate Office 365 accounts: one for admin purposes, another for everyday use. Also, the admin account should not have a licensed mailbox,” they recommend.

Finally, users should be taught that, though a Microsoft own domain, windows.net is open to anyone and that the genuine Office 365 login pages can be only found on the microsoftonline.com domain.