New Spear-phishing Campaign Targets Office 365 Users

  • Attackers spoof the Microsoft.com domain
  • Lookalike websites used to steal credentials
  • Microsoft doesn’t implement the DMARC protocol

Attackers have deployed a vast spear-phishing campaign spoofing Microsoft.com to trick people into giving up their Office 365 credentials. The financial services, healthcare, insurance, manufacturing, utilities, and telecom industries are among those affected.

Spoofing a domain name is useful in phishing campaigns because it lends the emails credibility. Checking the sender address is one of the first things a user does when deciding whether to trust a message, and when that address appears to belong to Microsoft.com, users are much more likely to believe what the message says or asks.

“The fraudulent message is composed of urgent and somewhat fear-inducing language intended to convince users to click on what is a malicious link without hesitation,” say the researchers from Ironscales. “Once the link is clicked, users are asked to input their legitimate O365 login credentials on a fake login page, mistakenly believing that they are providing their private information to Microsoft online.”

Because Office 365 credentials unlock numerous services, once attackers obtain them they can either use them to compromise systems and corporate networks or sell them on the dark web. In either case, the result can be devastating for an organization in any industry.

The security researchers also pointed out that Microsoft's services don't use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol on the spoofed domain. A DMARC record with an enforcing policy (p=quarantine or p=reject) tells receiving mail servers to quarantine or reject messages whose From address fails SPF and DKIM alignment checks, which is exactly the protection a domain needs against this type of threat; a record with p=none, or no record at all, leaves spoofed mail deliverable.
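To make the DMARC point concrete, here is an added example (not from the article, and not Ironscales' or Microsoft's code) modelling how a receiving mail server applies a sender domain's DMARC record to a message that claims to come from microsoft.com. It does no DNS lookups: the DMARC records, the From domain and the SPF/DKIM results are constructed inline for illustration, the organizational-domain helper approximates the Public Suffix List by keeping the last two labels, and the pct tag is parsed but not applied. Nothing here reflects Microsoft's actual DNS records.

```python
"""Simplified, offline model of DMARC policy evaluation (RFC 7489).

Added example: not code from the article, Ironscales or Microsoft.
Sample records and authentication results below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    """Authentication results a receiver has already computed for one message."""
    from_domain: str                # domain in the RFC5322.From header (what the user sees)
    spf_domain: Optional[str]       # MAIL FROM domain that passed SPF, None if SPF failed/absent
    dkim_domain: Optional[str]      # d= of a DKIM signature that verified, None if none did


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain by keeping the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags,
    filling in the RFC defaults for alignment mode and pct."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")   # parsed for completeness, not applied here
    return tags


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(record: Optional[str], res: AuthResult) -> str:
    """Return what the receiver should do with the message:
    'pass', 'none' (policy says deliver anyway), 'quarantine', 'reject',
    or 'unprotected' when the From domain publishes no DMARC record at all."""
    if record is None:
        return "unprotected"
    tags = parse_dmarc(record)
    dkim_ok = aligned(res.dkim_domain, res.from_domain, tags["adkim"])
    spf_ok = aligned(res.spf_domain, res.from_domain, tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    return tags["p"]


# Constructed samples: a spoofed message sent from the attacker's own
# infrastructure, and a legitimate one whose SPF/DKIM identifiers align.
SPOOFED = AuthResult("microsoft.com", "attacker-mail.example", None)
LEGIT = AuthResult("microsoft.com", "bounce.microsoft.com", "microsoft.com")

if __name__ == "__main__":
    for label, rec in [("no record", None),
                       ("p=none", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
                       ("p=reject", "v=DMARC1; p=reject")]:
        print("%-10s spoofed -> %-12s legit -> %s"
              % (label, evaluate(rec, SPOOFED), evaluate(rec, LEGIT)))
```

The spoofed message is only stopped when the record's policy is p=quarantine or p=reject; with p=none, or with no record at all, the receiver is told to deliver it, which is the gap the researchers describe. Note also that alignment is what matters, not a bare SPF pass: the attacker's server can pass SPF for its own MAIL FROM domain and still fail DMARC because that domain does not align with the microsoft.com address the user sees.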

This particular campaign uses a spear-phishing technique: rather than a scattergun approach, attackers send emails to specifically chosen targets. The goal is to reach the right people in the right roles, and the higher the victim sits in a company's hierarchy, the bigger the impact.

And since many Office 365 users are corporate accounts, compromising a single user's credentials can easily lead to much more serious intrusions.