A sophisticated and highly targeted Microsoft Office 365 phishing campaign is being aimed at C-suite executives, executive assistants and financial departments across numerous industries.
“The activity we observed was relatively large in comparison to what we usually see with such highly targeted attacks,” Area 1 Security’s principal threat researcher Juliette Cash told Help Net Security.
In a few instances, the attackers targeted newly-selected CEOs before their appointment was made public.
“It is highly likely that the attackers gained unauthorized access to accounts at those companies prior to sending the phishing messages,” Cash explained.
“This is a common tactic we’ve observed, wherein threat actors will initially aim for access to any email account at the targeted company (or their 3rd party partners), and then use sensitive information gained via that access to craft more convincing lures in order to ‘swim upstream’ to higher-value targets.”
The campaign is still in progress
The campaign began in early December 2020 and, according to the researchers, is still ongoing.
The threat actors are leveraging phishing kits and a number of sophisticated methods at every step of the attack.
Most of the phishing emails are sent from addresses on Microsoft-themed sender domains that have properly configured SPF records, and the messages are made to look like notices from the company, carrying fake alerts about “Important Service Changes”, “Important Security Policy Update”, etc.
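As an added example (not from the Area 1 report), a small Python triage check over constructed mail headers that illustrates the point above: an SPF pass for a Microsoft-themed lookalike domain says nothing about legitimacy, so the check flags brand-token domains outside an assumed allowlist and the lure subjects named in the article. The allowlist, token list and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains the real vendor sends notices from; in practice
# build it from your own mail-flow data, not from this constructed list.
KNOWN_MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "office365.com"}
MICROSOFT_TOKENS = ("microsoft", "office365", "o365", "outlook", "sharepoint")
# Lure subjects reported in the article, compared case-insensitively.
LURE_SUBJECTS = ("important service changes", "important security policy update")

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def spf_passed(msg):
    # Authentication-Results is stamped by the receiving MTA. A 'pass' only shows
    # the sender controls that domain's DNS, not that the brand is genuine.
    return any(re.search(r"\bspf=pass\b", v) for v in msg.get_all("Authentication-Results", []))

def lookalike_brand_domain(domain):
    return domain not in KNOWN_MICROSOFT_DOMAINS and any(t in domain for t in MICROSOFT_TOKENS)

def assess(raw):
    """Return a list of human-readable reasons the message looks like this lure."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    reasons = []
    if lookalike_brand_domain(domain):
        reasons.append(f"brand lookalike sender domain: {domain}")
    if msg.get("Subject", "").strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches a known lure")
    if reasons and spf_passed(msg):
        reasons.append("SPF pass on a lookalike domain is not evidence of legitimacy")
    return reasons

# Constructed sample messages (not real campaign artifacts).
PHISH = """From: "Microsoft Account Team" <alerts@microsoft-servicenotice.example>
Subject: Important Security Policy Update
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft-servicenotice.example

See the attached PDF."""

LEGIT = """From: Microsoft <no-reply@microsoft.com>
Subject: Your monthly statement
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=microsoft.com

Hello."""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, assess(raw))
```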
“A majority of the targeted email accounts followed the format first name.last name@company domain, making the inclusion of full names in the attachments fairly effortless from an automated standpoint. However, even in cases where only initials appeared in the email address, the attackers still managed to include the target’s full name in the PDF attachment. This indicates that the threat actors conducted additional reconnaissance to carefully craft their phishing lures,” the researchers noted.
Through a malicious attachment, the target is led to a spoofed Microsoft-themed notice and then to a fake Office 365 login page.
“In some cases, the attackers were even more stealthy by prefetching the localized Office 365 sign-in,” the researchers explained.
“If the victim entered their email address, the attacker would verify it was a valid Office 365 address. In instances where the entered email address used Conditional Access, a different single sign-on (SSO), Active Directory Federation Services (ADFS), etc., the phishing kit would essentially break and the victim would simply be redirected to the legitimate sign-in experience.”
A larger-than-usual targeted campaign
The campaign targeted only select individuals at each company – C-level executives, their assistants, and employees in the financial department – and several things point to the threat actors being interested in a specific predetermined target list.
As noted before, among the targets were also newly-selected CEOs, and the attackers obviously hoped to catch them off guard during the transition period.
“Fraudsters are constantly profiting off of angst surrounding ongoing cybersecurity scares, like the now-infamous SolarWinds breach, and they know that targets are likely to click out of fear that their noncompliance could be the source of another breach,” the researchers pointed out.