Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

12/7/2020 05:25 PM

Phishing Campaign Targets 200M Microsoft 365 Accounts

A well-organized email spoofing campaign has been seen targeting financial services, insurance, healthcare, manufacturing, utilities, and telecom.

Update 12/11/2020: This story has been updated to include Microsoft's statement regarding the attack.

A large-scale phishing campaign is targeting 200 million Microsoft 365 users around the world, particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom sectors, Ironscales researchers report.


The attackers leverage a domain spoofing technique to create emails that appear to come from Microsoft Outlook ([email protected]). These emails attempt to use urgent language to trick people into using a new Microsoft 365 capability that lets account holders reclaim emails accidentally flagged as phishing or spam.

A link within the email promises to redirect readers to a security portal so they can review and act on so-called "quarantine messages" deemed suspicious by the Exchange Online Protection (EOP) filtering stack, researchers explain in a blog post. Victims who click the link will be asked to enter their Microsoft login credentials on a fake authentication page.

While impersonating the exact name and domain of a specific sender is technically more complex than other spoofing attacks, researchers warn this remains a common phishing tactic that even attentive security-savvy employees are likely to overlook if it arrives in their inbox.

"To the naked eye, the most suspicious element of this attack would be the sense of urgency to view the quarantined messages or the unusualness of receiving this type of email solicitation," researchers note.

Organizations keen to mitigate their risk for this type of attack are advised to ensure their defenses are configured for Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication protocol built to block exact domain spoofing. In their report, researchers say Microsoft is not currently enforcing the DMARC protocol, meaning domain-spoofing messages are not being rejected by gateway controls.
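To make the DMARC point concrete, here is an added example (not code from Ironscales, Microsoft, or the article) of how a receiving gateway decides the fate of a message whose From header claims a given domain: it reads the domain's published DMARC policy, checks SPF/DKIM identifier alignment, and applies `p=none`, `p=quarantine`, or `p=reject`. The domain names, DMARC records, and authentication results are constructed sample data, and the organizational-domain rule is simplified (no public-suffix lookup).

```python
"""DMARC policy evaluation (added illustration; constructed sample data)."""

# Constructed sample DMARC TXT records keyed by domain. In practice these are
# fetched from the _dmarc.<domain> TXT record over DNS.
SAMPLE_DMARC_RECORDS = {
    # Monitoring only: spoofed mail that fails authentication is still accepted.
    "example-mail.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-mail.test",
    # Enforcing: strict alignment for both SPF and DKIM, failures rejected.
    "example-hardened.test": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs; adkim/aspf default to relaxed ('r') per RFC 7489."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, spf_pass_domain, dkim_pass_domain, records=SAMPLE_DMARC_RECORDS):
    """Return 'accept', 'quarantine', or 'reject' for a message's From domain.

    spf_pass_domain / dkim_pass_domain are the domains that passed SPF / DKIM
    (None if that check failed or was absent).
    """
    record = records.get(from_domain.lower())
    if record is None:
        return "accept"  # no DMARC policy published: nothing for the gateway to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "accept"  # DMARC pass: at least one aligned authenticated identifier
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
```

A spoofed message that passes SPF only for the attacker's own sending domain is accepted under `p=none` and rejected under `p=reject`, which is exactly the gap between publishing a DMARC record and enforcing one.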

In a statement, Microsoft says its platform has the capability to block these types of emails; however, it's up to customers to ensure they have the proper controls enabled.

"Contrary to claims in the third party report, Office 365 has rich in-built controls to block domain spoofing emails and enforces DMARC checks," a Microsoft spokesperson says. "We encourage all customers to make sure they have deployed the latest security controls in Office 365, enabled multi-factor authentication for Office 365, and train their end users to observe caution when clicking on links from unknown senders."

Microsoft 365 continues to be a popular target for cybercriminals, from attackers with little experience to advanced persistent threat (APT) groups following enterprise victims to the cloud. Some of these groups target businesses to steal information or gain additional access; some will target one corporation with the goal of eventually breaching another. Most of these advanced attackers seek long-term access that will let them dwell in an environment for years.

Some APT groups might acquire administrator credentials to breach a target Microsoft 365 environment; others might exploit flaws in how the platform validates configuration changes. Unskilled attackers might use business email compromise attacks to infiltrate a target organization's Microsoft account.

Campaigns like the one Ironscales detected underscore cybercriminals' ability to develop increasingly subtle attacks. Research released by Vectra in October found attackers are widely using Microsoft 365 accounts to move laterally to other users and accounts within a target organization, and to carry out command-and-control communications and other activities.

The Vectra study found lateral movement in 96% of the Microsoft 365 customer accounts sampled. In 71% of the accounts, researchers observed suspicious activity using Power Automate, a capability built into the platform, and 56% of accounts showed similarly suspicious behavior using the eDiscovery tool in Microsoft 365.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

rstaats1113 (User Rank: Apprentice), 12/8/2020 | 9:19:10 AM
Proposed mitigation
I think the mitigation discussed (DMARC) would've been more complete if a link or a contact was provided on who/how to set up DMARC with the behemoth that is Microsoft. If anybody has that, it would be helpful.
JWallenstrom (User Rank: Apprentice), 12/8/2020 | 12:19:22 AM
Tough week for Microsoft
Nasty remote code execution... https://github.com/oskarsve/ms-teams-rce

Happy to see the industry's sense of humor persists. Kudos @oskarsve... "At least now we have a new joke between colleagues - whenever we get a remote code execution (RCE) bug, we call it "Important, Spoofing". Thanks Microsoft! 😂"