The attacks showcase broader security concerns as phishing grows in volume and sophistication, especially given that Windows Defender's Safe Links feature for identifying malicious links in emails completely failed in the campaign.

Big fish swallowing a little fish
Source: Bill Brooks via Alamy Stock Photo

Thousands of Microsoft 365 credentials have been discovered stored in plaintext on phishing servers, as part of an unusual, targeted credential-harvesting campaign against real estate professionals. The attacks showcase the growing, evolving risk that traditional username-password combinations present, researchers say, especially as phishing continues to grow in sophistication, evading basic email security. 

Researchers from Ironscales discovered the offensive, in which cyberattackers posed as employees at two well-known financial-services vendors in the realty space: First American Financial Corp., and United Wholesale Mortgage. The cybercrooks are using the accounts to send out phishing emails to realtors, real estate lawyers, title agents, and buyers and sellers, analysts said, in an attempt to steer them to spoofed Microsoft 365 login pages for capturing credentials.

The emails alert targets that attached documents needed to be reviewed or that they have new messages hosted on a secure server, according to a Sept. 15 posting on the campaign from Ironscales. In both cases, embedded links direct recipients to the fake login pages asking them to sign into Microsoft 365.

Once on the malicious page, researchers observed an unusual twist in the proceedings: The attackers tried to make the most of their time with the victims by attempting to tease out multiple passwords from each phishing session.

"Each attempt to submit these 365 credentials returned an error and prompted the user to try again," according to the researchers' writeup. "Users will usually submit the same credentials at least one more time before they try variations of other passwords they might have used in the past, providing a gold mine of credentials for criminals to sell or use in brute-force or credential-stuffing attacks to access popular financial or social-media accounts."

The care taken in the targeting of victims with a well-thought-out plan is one of the most notable aspects of the campaign, Eyal Benishti, founder and CEO at Ironscales, tells Dark Reading.

"This is going after people who work in real estate (real estate agents, title agents, real estate lawyers), using an email phishing template that spoofs a very familiar brand and familiar call to action ('review these secure documents' or 'read this secure message')," he says.

It's unclear how far the campaign may sprawl, but the company's investigation showed that at least thousands have been phished so far.

"The total number people phished is unknown, we only investigated a few instances that intersected our customers," Benishti says. "But just from the small sampling we analyzed, there more than 2,000 unique sets of credentials found in more than 10,000 submission attempts (many users supplied the same or alternate credentials multiple times)."

The risk to victims is high: Real estate-related transactions are often targeted for sophisticated fraud scams, especially transactions involving real estate title companies.

"Based on trends and stats, these attackers likely want to use the credentials to enable them to intercept/direct/redirect wire transfers associated with real estate transactions," according to Benishti.

Also notable (and unfortunate) in this particular campaign, a basic security control apparently failed.

In the initial round of phishing, the URL that targets were asked to click didn't try to hide itself, researchers noted — when mousing over the link, a red-flag-waving URL was displayed: "[dot]shtm."

However, subsequent waves hid the address behind a Safe Links URL — a feature found in Microsoft Defender that's supposed to scan URLs to pick up on malicious links. Safe Link overwrites the link with a different URL using special nomenclature, once that link is scanned and deemed safe.

In this case, the tool only made it harder to visually inspect the actual in-your-face "this is a phish!" link, and also allowed the messages to more easily get past email filters. Microsoft did not respond to a request for comment.

"Safe Links has a several known weaknesses and generating a false sense of security is the significant weakness in this situation," Benishti says. "Safe Links didn’t detect any risks or deception associated with the original link, but rewrote the link as if it had. Users and many security professionals gain a false sense of security because a security control in place, but this control is largely ineffective."

Also of note: In the United Wholesale Mortgage emails, the message was also flagged as a "Secure Email Notification," included a confidentiality disclaimer, and sported a fake "Secured by Proofpoint Encryption" banner.

Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, said that his company is no stranger to being brand-hijacked, adding that fake use of its name is in fact a known cyberattack technique that the company's products scan for.

It's a good reminder that users can't rely on branding to determine the veracity of a message, he notes: "Threat actors often pretend to be well-known brands to entice their targets into divulging information," he says. "They also often impersonate known security vendors to add legitimacy to their phishing emails."

Even Bad Guys Make Mistakes

Meanwhile, it might not be just the OG phishers that are benefiting from the stolen credentials.

During the analysis of the campaign, researchers picked up on a URL in the emails that shouldn't have been there: a path that points to a computer file directory. Inside that directory were the cybercriminals' ill-gotten gains, i.e., every single email and password combo submitted to that particular phishing site, kept in a cleartext file that anyone could have accessed.

"This was totally an accident," Benishti says. "The result of sloppy work, or more likely ignorance if they are using a phishing kit developed by someone else — there are tons of which available for purchase on black market."

The fake webpage servers (and cleartext files) were quickly shut down or removed, but as Benishti noted, it's likely that the phishing kit the attackers are using is responsible for the cleartext glitch — which means they "will continue to make their stolen credentials available to the world."

Stolen Credentials, More Sophistication Fuels Phish Frenzy

The campaign more broadly puts into perspective the epidemic of phishing and credential harvesting — and what it means for authentication going forward, researchers note.

Darren Guccione, CEO and co-founder at Keeper Security, says that phishing continues to evolve in terms of its sophistication level, which should act as a clarion warning to enterprises, given the elevated level of risk.

"Bad actors at all levels are tailoring phishing scams using aesthetic-based tactics such as realistic-looking email templates and malicious websites to lure in their victims, then take over their account by changing the credentials, which prevents access by the valid owner," he tells Dark Reading. "In a vendor impersonation attack [like this one], when cybercriminals use stolen credentials to send phishing emails from a legitimate email address, this dangerous tactic is even more convincing because the email originates from a familiar source."

Most modern phishes can also bypass secure email gateways and even spoof or subvert two-factor authentication (2FA) vendors, adds Monnia Deng, director of product marketing at Bolster, while social engineering in general is extraordinarily effective in a time of cloud, mobility, and remote work.

"When everyone expects their online experience to be fast and easy, human error is inevitable, and these phishing campaigns are getting more clever," she says. She adds that three macro-trends are responsible for the record numbers of phishing-related attacks: "The pandemic-fueled move to digital platforms for business continuity, the growing army of script kiddies who can easily purchase phishing kits or even buy phishing as a subscription service, and the interdependency of technology platforms that could create a supply chain attack from a phishing email."

Thus, the reality is that the Dark Web hosts large caches of stolen usernames and passwords; big data dumps are not uncommon, and are in turn spurring not only credential-stuffing and brute-force attacks, but also additional phishing efforts.

For instance, it's possible that threat actors used information from a recent First American Financial breach to compromise the email account they used to send out the phishes; that incident exposed 800 million documents containing personal information.

"Data breaches or leaks have a longer half-life than people think," Benishti says. "The First American Financial breach happened in May 2019, but the personal data exposed can be weaponized used years afterwards."

To thwart this bustling market and the profiteers that operate within it, it's time to look beyond the password, he adds.

"Passwords require ever increasing complexity and rotation frequency, leading to security burnout," Benishti says. "Many users accept the risk of being insecure over the effort to create complex passwords because doing the right thing is made so complex. Multifactor authentication helps, but it is not a bulletproof solution. Fundamental change is needed to verify you are who you say you are in a digital world and gain access to the resources you need."

How to Fight the Phishing Tsunami

With widespread passwordless approaches still a ways off, Proofpoint's Kalember says that the basic user-awareness tenets are the place to start when fighting phishing.

"People should approach all unsolicited communications with caution, especially those that request the user to act, such as downloading or opening an attachment, clicking a link, or disclosing credentials such as personal or financial information," he says.

Also, it’s critical that everyone learn and practice good password hygiene across every service they use, Benishti adds: "And if you are ever notified that your information may have been involved in a breach, go reset all of your passwords for every service you use. If not, motivated attackers have cleaver ways of correlating all sorts of data and accounts to get what they want."

In addition, Ironscales recommends regular phishing simulation testing for all employees, and called out a rule-of-thumb set of red flags to look for:

  • Users could have identified this phishing attack by closely looking at the sender

  • Make sure the sending address matches the return address and the address is from a domain (URL) that usually matches the business they deal with.

  • Look for bad spelling and grammar.

  • Mouse over links and look at the full URL/address of the destination, see if it looks unusual.

  • Always be very cautious about sites that ask you for credentials not associated with them, like Microsoft 365 or Google Workspace login.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights