An ongoing campaign powered by a phishing kit sold on underground forums is explicitly targeting high-ranking executives in a variety of sectors and countries with fake Office 365 password expiration notifications, Trend Micro researchers warn.
The compromised login credentials are likely then sold on those same forums for $250 per account (or even higher). The compromised accounts can be used to send out even more convincing phishing emails, perpetrate BEC scams, or collect sensitive information.
The Office 365-themed lure aimed at executives
The phishing emails take the form of a Microsoft Office365 password reset email and, at first glance, they seem like they’ve been sent by the company’s IT administrators.
The recipients are urged to click on the button/link provided in the email in order to change their Office 365 password or continue with the same one, because “further message might be prevented if any of the above actions are not performed.”
The link takes them to a fake Office 365 login page, where some of them end up entering their account credentials (i.e., handing them to the phishers).
The researchers took advantage of poorly configured phishing sites to get their hands on the phishing kit and the sites’ log files, and found that nearly half of the victims who entered their credentials were CEOs, and that nearly three quarters of them were based in the US.
About the phishing kit
The researchers say that the campaign orchestrators used the same phishing kit across the various campaigns, and that the phishing kit developer compiled a blocklist and built it into the kit.
“It uses an extensive list of domain names and IP address ranges to ensure that access is blocked when accessed by security companies or large cloud providers. We assume the intention is to evade detection by security vendors as the list includes a number of antivirus companies; Google, Microsoft, VirusTotal, and a long list of other cybersecurity and technology companies, as well as public blocklisting sites,” they shared.
Apparently, the kit can also detect bot scanning or crawling attempts and serve alternative content when a bot is detected, which means an automated URL scanner may be shown a harmless page while a real victim is shown the credential form.
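To make the cloaking behaviour concrete, here is an added illustration (written for this article, not code from the Trend Micro report or from the kit itself) of how a server-side gate of this type decides whether to show the decoy page or the fake login page. The network ranges, reverse-DNS suffixes and user-agent fragments are constructed placeholders (RFC 5737/3849 documentation addresses and `.example` names), not the kit's real list; the function names are ours. The last function shows the simple analyst-side check this implies: fetch the URL from two different vantage points and compare what comes back.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed blocklist of "security vendor / cloud provider" ranges.
# These are documentation prefixes used as placeholders, not real vendor space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8::/32",
)]

# Constructed reverse-DNS suffixes standing in for vendor / cloud hostnames.
BLOCKED_RDNS_SUFFIXES = (
    "scanner.example",
    "av-vendor.example",
    "cloud-provider.example",
)

# User-Agent fragments typical of crawlers and command-line fetchers.
BOT_UA_PATTERN = re.compile(r"(bot|crawl|spider|curl|wget|python-requests|scan)", re.I)


def ip_blocked(client_ip: str) -> bool:
    """True if the client address falls inside any blocklisted range."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # unparsable address: the gate errs on the side of cloaking
    return any(addr in net for net in BLOCKED_NETWORKS)


def rdns_blocked(rdns: Optional[str]) -> bool:
    """True if the client's reverse-DNS name belongs to a blocklisted domain."""
    if not rdns:
        return False
    name = rdns.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in BLOCKED_RDNS_SUFFIXES)


def looks_like_bot(user_agent: str) -> bool:
    """True for empty UAs or UAs containing a crawler/scanner fragment."""
    return not user_agent or bool(BOT_UA_PATTERN.search(user_agent))


def choose_page(client_ip: str, user_agent: str, rdns: Optional[str] = None) -> str:
    """Gate used by the (hypothetical) kit: 'decoy' for suspected scanners,
    'phish' (the fake Office 365 login) for everyone else."""
    if ip_blocked(client_ip) or rdns_blocked(rdns) or looks_like_bot(user_agent):
        return "decoy"
    return "phish"


def cloaking_suspected(bodies: Dict[str, str]) -> bool:
    """Analyst-side check: if the same URL returns different page bodies from
    different vantage points (e.g. a sandbox vs. a residential browser), the
    site is probably serving alternative content to scanners."""
    return len(set(bodies.values())) > 1


if __name__ == "__main__":
    # Constructed sample visitors, not real log entries.
    browser_ua = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/118.0 Safari/537.36")
    samples = [
        ("192.0.2.10", browser_ua, None),                      # blocklisted range
        ("203.0.113.5", browser_ua, "home.isp.example"),       # looks like a victim
        ("203.0.113.5", "Mozilla/5.0 (compatible; Googlebot/2.1)", None),
        ("203.0.113.5", browser_ua, "vm-7.scanner.example"),   # vendor rDNS
    ]
    for ip, ua, rd in samples:
        print(f"{ip:<14} rdns={rd!s:<22} -> {choose_page(ip, ua, rd)}")
    # Constructed responses from two vantage points for the same URL.
    print("cloaking suspected:", cloaking_suspected({
        "sandbox": "<html>Welcome to our site</html>",
        "residential": "<html><form>Office 365 sign in</form></html>",
    }))
```

The practical takeaway for defenders is the last function: a URL that renders as a bland "welcome" page inside a vendor sandbox but as a login form from an ordinary browser on a residential connection is behaving exactly as this gate would make it behave, so a clean verdict from a single automated scan is not evidence that the link is safe.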
They also discovered that most of the phishing emails were sent from a virtual private server (VPS) hosted by FireVPS, and that the phishing kit has gone through four iterations, all of which use mostly the same lure (Office 365 password expiration). More warnings about this type of phishing email hitting inboxes can therefore be expected.
“By selectively targeting C-level employees, the attacker significantly increases the value of obtained credentials as they could lead to further access to sensitive personal and organizational information, and used in other attacks,” the researchers noted.
“While organizations are aware and wary of the information they include in public-facing websites and platforms, their respective employees should be constantly reminded to be mindful of the details they disclose on personal pages. These can be easily used against them for attacks using social engineering techniques. All employees, regardless of company rank, should exercise caution when reviewing and acting on email prompts for specific actions, especially from unknown sources.”