Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/2/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

Millions of Office 365 Accounts Hit with Password Stealers

Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.

A new wave of phishing attacks aims to dupe users and steal their passwords by disguising malicious emails as tax-related notifications from the IRS.

Barracuda Networks last month flagged a "critical alert" when it detected attack attempts to steal user passwords. This threat lures victims with Microsoft 365 Office files claiming to be tax forms or other official documents; attackers use urgent language to convince people to open the attachment.

Examples of this tactic include files named "taxletter.doc" and phrases like "We are apprising you upon the arisen tax arrears in the number of 2300CAD." The use of popular file types like Word and Excel, which are globally known and used, further ensures victims will fall for it.

"Today's documents are far more active … you're putting in a lot of content, media, links," says Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past. "Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files."

In this case, users are hit with the password stealer when they download and open the malicious document. When the document opens, a macro inside launches PowerShell, which acts in the background while the victim views the document.

Tens of millions of people have been affected by these phishing emails, Shi says, and attackers evade detection by crafting different emails. While Exchange server makes up a large portion of people affected, Shi notes other types of email accounts are also targeted with the malicious files.

"What they do is they rotate the content of the email; they rotate sender information," he continues. Signature-based systems won't catch these messages because changing the characteristics of malicious emails changes their fingerprint.

Password theft is increasing overall, a sign of attackers shifting their goals and strategies, Shi explains. Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.

It's all part of a broader trend of sneaky spearphishing and targeted attacks, he says. Usernames and passwords grant access to multiple systems and applications a particular user is attached to, as well as social media sites and contact lists to fuel future attacks.

"Some attackers try to be like a sleeper cell on your system," Shi notes. Instead of seeing a red flag, victims will notice subtle clues they have been compromised: their system will slow down; they'll see more pop-ups. All are signs they've lost control of applications on their system.

IRS officials are also recommending caution amid an increase of tax-related phishing emails. Last month, the IRS Online Fraud Detection & Prevention Center (OFDP) announced a rise of compromised emails starting in January 2017. Cybercriminals are aiming for mass data theft and many are impersonating executives to request W-2 information from human resources.

It's a timely opportunity for attackers to capitalize on users' wariness of tax season and make their campaigns more effective. "You feel vulnerable because you get an email saying the IRS is eyeing you," Shi says. "What happens is, you're likely going to open the document."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
3/7/2018 | 8:53:05 AM
Re: Office 365 Accounts Hit
Rather a good reason to cancel the Office365 subscript and go back to the last GOOD one - Office 2010 on my home system
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/3/2018 | 3:06:45 PM
Bad headline - this is a phishing scam like others
Yes, it's interesting that Office365 users were targeted, but this does not mean that "accounts" were "hit."  Another booby-trapped attachment.  It's a large-scale phishing attack, but nothing more than phishing.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
3/2/2018 | 7:50:13 PM
Office 365 Accounts Hit
Not at all unexpected.  Even before reading the article, there's the fact that there are so many small companies that use Office 365, for good reasons.  Unfortunately, most are too small to have anything close to dedicated enterprise-level cybersecurity assets.  Often, they're lucky to have one person in the office with security, or even general IT support, as part of their job description.  But don't think multinationals needn't be concerned - if these small companies are cyber-business-partners, their being compromised can be a steppingstone toward a more lucrative vulnerability. 

It's sad, but what is an obvious scam to those experienced in cybersecurity, can seem all too real to the intelligent, but untrained knowledge workers just trying to get through their workload.  Fold the same old letter, phone, email ploys into Office 365 documents (an environment people assume secure, and where you can be called on the carpet for ignoring something that might be important), and you've increased the potency dramatically. 

Yes the "tax time" feature does make these enticements more effective, but there's more to it.  Get the necessary data to file a false IRS return (with false direct deposit information), and you might be able to walk off with a refund before the real entity has filed. 

Another aspect mentioned in the article is the misuse of PowerShell.  Power is right, but is it too much power, too easily accessible and unnecessary for most users?  Again, something the big companies know to control, but users in small firms might not even know it's there. 
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...