Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/2/2018
02:55 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
0%
100%

Millions of Office 365 Accounts Hit with Password Stealers

Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.

A new wave of phishing attacks aims to dupe users and steal their passwords by disguising malicious emails as tax-related notifications from the IRS.

Barracuda Networks last month flagged a "critical alert" when it detected attack attempts to steal user passwords. This threat lures victims with Microsoft 365 Office files claiming to be tax forms or other official documents; attackers use urgent language to convince people to open the attachment.

Examples of this tactic include files named "taxletter.doc" and phrases like "We are apprising you upon the arisen tax arrears in the number of 2300CAD." The use of popular file types like Word and Excel, which are globally known and used, further ensures victims will fall for it.

"Today's documents are far more active … you're putting in a lot of content, media, links," says Fleming Shi, senior vice president of technology at Barracuda, comparing this threat with phishing attacks of the past. "Bad guys are leveraging the dynamic, active manner of the documents today to weaponized their files."

In this case, users are hit with the password stealer when they download and open the malicious document. When the document opens, a macro inside launches PowerShell, which acts in the background while the victim views the document.

Tens of millions of people have been affected by these phishing emails, Shi says, and attackers evade detection by crafting different emails. While Exchange server makes up a large portion of people affected, Shi notes other types of email accounts are also targeted with the malicious files.

"What they do is they rotate the content of the email; they rotate sender information," he continues. Signature-based systems won't catch these messages because changing the characteristics of malicious emails changes their fingerprint.

Password theft is increasing overall, a sign of attackers shifting their goals and strategies, Shi explains. Ransomware was big last year; this year, password stealers are appearing in phishing emails, browser extensions, and other programs as criminals hunt login data.

It's all part of a broader trend of sneaky spearphishing and targeted attacks, he says. Usernames and passwords grant access to multiple systems and applications a particular user is attached to, as well as social media sites and contact lists to fuel future attacks.

"Some attackers try to be like a sleeper cell on your system," Shi notes. Instead of seeing a red flag, victims will notice subtle clues they have been compromised: their system will slow down; they'll see more pop-ups. All are signs they've lost control of applications on their system.

IRS officials are also recommending caution amid an increase of tax-related phishing emails. Last month, the IRS Online Fraud Detection & Prevention Center (OFDP) announced a rise of compromised emails starting in January 2017. Cybercriminals are aiming for mass data theft and many are impersonating executives to request W-2 information from human resources.

It's a timely opportunity for attackers to capitalize on users' wariness of tax season and make their campaigns more effective. "You feel vulnerable because you get an email saying the IRS is eyeing you," Shi says. "What happens is, you're likely going to open the document."

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
3/7/2018 | 8:53:05 AM
Re: Office 365 Accounts Hit
Rather a good reason to cancel the Office365 subscript and go back to the last GOOD one - Office 2010 on my home system
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
3/3/2018 | 3:06:45 PM
Bad headline - this is a phishing scam like others
Yes, it's interesting that Office365 users were targeted, but this does not mean that "accounts" were "hit."  Another booby-trapped attachment.  It's a large-scale phishing attack, but nothing more than phishing.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
3/2/2018 | 7:50:13 PM
Office 365 Accounts Hit
Not at all unexpected.  Even before reading the article, there's the fact that there are so many small companies that use Office 365, for good reasons.  Unfortunately, most are too small to have anything close to dedicated enterprise-level cybersecurity assets.  Often, they're lucky to have one person in the office with security, or even general IT support, as part of their job description.  But don't think multinationals needn't be concerned - if these small companies are cyber-business-partners, their being compromised can be a steppingstone toward a more lucrative vulnerability. 

It's sad, but what is an obvious scam to those experienced in cybersecurity, can seem all too real to the intelligent, but untrained knowledge workers just trying to get through their workload.  Fold the same old letter, phone, email ploys into Office 365 documents (an environment people assume secure, and where you can be called on the carpet for ignoring something that might be important), and you've increased the potency dramatically. 

Yes the "tax time" feature does make these enticements more effective, but there's more to it.  Get the necessary data to file a false IRS return (with false direct deposit information), and you might be able to walk off with a refund before the real entity has filed. 

Another aspect mentioned in the article is the misuse of PowerShell.  Power is right, but is it too much power, too easily accessible and unnecessary for most users?  Again, something the big companies know to control, but users in small firms might not even know it's there. 
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10854
PUBLISHED: 2019-11-22
cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field.
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.