Researchers Explore Microsoft Outlook Phishing Techniques

Some of the tools built into Outlook to boost productivity and collaboration could also make it easier to launch effective social engineering campaigns, researchers say. 

In early December, researchers with Avanan discovered a way in which Outlook's features could be used to make an attacker appear more credible in a phishing or business email compromise (BEC) attack. Their attack started with a spoofed email. If an attacker had a private server, they could launch a domain impersonation attack with an email pretending to come from another sender. 

This technique has not been seen in the wild.

If the phony email successfully passed security defenses — as domain impersonations sometimes do, cybersecurity analyst Jeremy Fuchs noted in a blog post — Outlook will present it as a real email from the spoofed address. This means the message would show legitimate Active Directory details like photos, files shared between uses, legitimate email addresses, and phone numbers.

"It's easy for [attackers] to pretend it's coming from the correct email address even though it's not," Fuchs says in an interview. When they do that, Outlook will think the email is legitimate so it will display all the user information it would normally display for an actual account holder, he notes.

C-suite executives are traditionally thought to be at greatest risk when it comes to BEC and targeted phishing attacks. But data published earlier this year shows that is no longer the case: Avanan researchers found 51% of all impersonation emails analyzed attempted to impersonate a non-executive in the organization, and non-executives were targeted 77% more often.

"The C-suite is still targeted, but everybody now is a target," Fuchs says. A lower-level employee with access to corporate email and Slack accounts could still provide fruitful data to an attacker. If targeted with a phishing email that uses this method, they will see a host of valid Active Directory data associated with a fraudulent address and may be more likely to engage with it.

"To the end-user, this conveys legitimacy," Fuchs wrote in a blog post on the findings. "They can see all the times they have communicated together, the files shared, even their picture. That makes a social engineering attack even more difficult to stop."