Microsoft Office 365, which has more than 100 million monthly active subscribers, is the target of a widespread credential-harvesting campaign in which attackers attempt to steal logins and ultimately launch attacks from within an organization.
According to Barracuda Networks, Office 365 account compromise is becoming increasingly prevalent, and it is carried out by attackers who take the time to craft personalized spear-phishing mails that are hard to identify as bogus. Unlike most broadcast phishing attempts, these messages are tailored to the recipient and don't contain the bold requests, misspelled words or questionable attachments that raise red flags.
“It’s almost become part of our identities, particularly inside the network, with emails circulating internally,” Barracuda said in a posting. “There’s an inherent trust when we receive an email from a coworker using his or her correct address. We are nearly certain it is legitimate, but unfortunately, that’s not always the case.”
Typically, such a message arrives in the inbox of a Microsoft Office 365 user, who may click a link in it that leads to a well-crafted landing page where they are prompted to enter their credentials. Once they do so, the attackers can access the account.
From there, Barracuda said it has seen a few scenarios. For instance, attackers can set up forwarding rules on the account to observe the user’s communications patterns, both with others inside and outside the organization. This knowledge can be used as leverage for future attacks such as ransomware or other advanced threats.
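The forwarding rules described above leave a trail: Exchange Online records inbox-rule changes (operations such as New-InboxRule and Set-InboxRule) in its audit log, and a defender can scan that log for rules that forward or redirect mail. The script below is an added example, not code from the article or from Barracuda. It runs over a few constructed audit records embedded inline; the record layout (an Operation field plus a Parameters list of Name/Value pairs) mirrors the shape of an Office 365 audit export, but real exports may wrap forwarding addresses in additional formatting, and the internal domain list and sample addresses are assumptions.

```python
import json

# Domains owned by the organization (assumption for this example).
INTERNAL_DOMAINS = {"example.com"}

# Inbox-rule operations of interest, and the rule parameters that send
# mail out of the mailbox. Tuple (not set) so output order is stable.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample records resembling Office 365 audit-log entries.
# Record 1: a rule named "." that quietly forwards everything outside the org.
# Record 2: an internal forward (less alarming, still worth a look).
# Record 3: an ordinary filing rule; Record 4: not a rule operation at all.
SAMPLE_LOG = [
    {"CreationTime": "2018-05-14T09:12:31", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2018-05-14T10:03:02", "Operation": "Set-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Project"},
                    {"Name": "RedirectTo", "Value": "carol@example.com"}]},
    {"CreationTime": "2018-05-14T11:45:10", "Operation": "New-InboxRule",
     "UserId": "dave@example.com", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2018-05-14T12:00:00", "Operation": "MailboxLogin",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": []},
]


def _domain(address):
    """Return the lowercased domain of an SMTP address ('' if none)."""
    addr = address.strip().strip("<>").lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def find_forwarding_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per inbox-rule change that forwards or redirects mail.

    Severity is 'high' when any target lies outside internal_domains,
    'medium' for purely internal forwarding.
    """
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = []
        for name in FORWARDING_PARAMS:
            if name in params:
                # Multiple recipients are ';'-separated in this sample layout.
                targets.extend(t.strip() for t in params[name].split(";") if t.strip())
        if not targets:
            continue
        external = [t for t in targets if _domain(t) not in internal_domains]
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "operation": rec["Operation"],
            "rule_name": params.get("Name", ""),
            "targets": targets,
            "external_targets": external,
            "severity": "high" if external else "medium",
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_forwarding_rules(SAMPLE_LOG), indent=2))
```

Run against a real export, the same function will also surface the one-character rule names and the MarkAsRead setting seen in the first sample record, which are what make a forwarding rule easy for the mailbox owner to overlook; cross-checking the ClientIP of the rule creation against the user's usual sign-in locations is the natural next step.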
In some cases, the attackers use a PDF attachment in a message that appears as if a colleague is forwarding a document for review, and there are usually casual instructions in the email saying the document can be accessed by entering a work email and password. In another variant, credentials are captured by sending an invoice for payment that requires the recipient to log on to a "web portal" to view the (fake) invoice.
Another common scenario is where attackers use the compromised account to send messages to other employees inside the organization in an attempt to collect additional credentials or other sensitive information. This approach typically has more short-term success, the firm said.
These insider threats are not only looking for credentials, however. Attackers often request an “urgent” action that needs attention, such as paying an invoice or forwarding sensitive information like employee tax details.
It’s clear that these attempts aren’t going to wane any time soon, so users should make use of multi-factor authentication, DMARC and other options for email security.
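The DMARC recommendation above is only as good as the published policy: a record with p=none merely reports on spoofed mail and still lets it through. The checker below is an added example, not code from the article; it parses a DMARC TXT record string offline and flags the settings that weaken it. The three sample records are constructed, and the offline parse is an assumption (in practice the record is fetched from the _dmarc subdomain via DNS).

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records, from weakest to strongest.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=25"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
             "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")


def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' record into a dict of lowercased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a verdict ('invalid', 'monitoring' or 'enforcing') plus issues."""
    tags = parse_dmarc(txt)
    issues = []

    # The version tag must be present and first, and p= must be valid.
    if not txt.strip().lower().startswith("v=dmarc1") or tags.get("v") != "DMARC1":
        return {"valid": False, "verdict": "invalid",
                "issues": ["record does not begin with v=DMARC1"]}
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return {"valid": False, "verdict": "invalid",
                "issues": [f"missing or unknown p= value: {policy!r}"]}

    # pct defaults to 100; a non-numeric value is treated as an issue.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        issues.append("pct= is not a number")
    # Subdomain policy inherits the domain policy when absent.
    sub_policy = tags.get("sp", policy).lower()

    if policy == "none":
        issues.append("p=none only monitors; mail failing DMARC is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if policy != "none" and sub_policy == "none":
        issues.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")

    enforcing = policy in {"quarantine", "reject"} and pct == 100 and sub_policy != "none"
    return {"valid": True, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "verdict": "enforcing" if enforcing else "monitoring",
            "issues": issues}


if __name__ == "__main__":
    for record in (MONITOR_ONLY, PARTIAL, ENFORCING):
        print(record, "->", assess_dmarc(record))
```

Worth keeping in mind when reading the verdict: DMARC defends against mail that forges the organization's domain from outside. Once an attacker is sending from a genuinely compromised internal account, the message passes SPF, DKIM and DMARC, which is why the article pairs the recommendation with multi-factor authentication rather than relying on email authentication alone.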
“Office 365 is still a relatively new tool with a large and growing user base, and attackers are taking advantage of the accessibility,” Barracuda said. “Cybercriminals have a long history of designing attacks to reach the largest number of eyeballs possible. From the early days of traditional spam, to search or trending topics on social platforms, criminals follow the users—and Office 365 has become a breeding ground for highly personalized, compelling attacks.”