Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/11/2020
11:45 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Spear-Phishers Leverage Office 365 Ecosystem to Validate Stolen Creds in Real Time

New attack technique uses Office 365 APIs to cross-check credentials against Azure Active Directory as victim types them in.

Serving as yet another proof point of the creativity with which attackers are targeting Office 365 users with new phishing schemes, Armorblox researchers yesterday detailed a new attack technique they found that validates stolen credentials in real time as the victim enters them into the login lure.

The attack in question is part of a very targeted spear-phishing campaign that was discovered operating against an executive at a top 50 American company. It works like this: Attackers send a typical credential phishing email using Amazon Simple Email Service to pass DKIM and SPF checks. Attached to the message is a bogus payment remittance report that looks like a text file with a title along the lines of "ACH Company Name." 

Opening that file automatically opens up a look-alike Office 365 sign-on page with the user's email address already pre-entered, with a message that says, "Because you're accessing sensitive info, you need to verify your password."

Related Content:

Office 365's Vast Attack Surface & All the Ways You Don't Know You're Being Exploited Through It

The Threat from the Internet—and What Your Organization Can Do About It

New on The Edge: Think You're Spending Enough on Security?

All of these steps are fairly standard, but what happens next is what differentiates this attack from others. When a victim enters a password into the fake login screen, that triggers a call to Office 365 APIs to actively validate that username/password combination against that organization's Azure Active Directory infrastructure.  

"This immediate feedback allows the attacker to respond intelligently during the attack," wrote Team Armorblox in a blog post about the attack. "The attacker is also immediately aware of a live, compromised credential and allows him to potentially ingratiate himself into the compromised account before any remediation."

If the login verification is successful, the user is redirected to zoom.com, likely as a diversionary tactic to make the process look like a benign glitch. If the authentication fails, the user is directed to login.microsoftonline.com, likely to hide the phishing attempt as a failed sign-on at the Office 365 portal.

In examining the attack, Armorblox found limited activity at the website hosting the attack. In addition, along with the timing of the lure email being sent — it was a Friday evening — the attack was carefully leveraged against that executive and organization.

"Our estimates show there have been 120-odd visits to this website globally since the beginning of June. The sparse number shows that the phishing scams are likely targeted and not spray and pray," they wrote. 

This is one example of many new and creative ways to exploit the interconnected nature of the Office 365 ecosystem through various phishing and business email compromise (BEC) schemes. 

For example, in late July Abnormal Security researchers reported an attack concocted to look like automated Sharepoint messages to snag employee credentials. And in early August researchers with Trend Micro reported a wave of BEC campaigns that have been targeting the Office 365 accounts of business executives since March. Meantime, a study released by Ironscales several weeks ago found some 9,500 different fake Microsoft login pages lurking online, all connected to different campaigns targeting Office 365.

At Black Hat USA this year, researchers Josh Madeley and Doug Bienstock presented on a range of different kind of tactics, techniques, and procedures (TTP) used by attackers against Office 365. They said the ecosystem has grown increasingly interesting to attackers as more enterprises fully embrace it for a range of different applications that reach far beyond email.  

"A lot of organizations have lifted their on-premise Exchange environment into the cloud without much consideration or awareness of the new risks and attacker vectors this exposes them to," according to Bienstock, in a separate interview. He explained that the combination of different valuable productivity environments like Outlook, OneDrive, SharePoint, and Teams open up a huge volume of sensitive data in a consolidated cloud platform. It's a vector ripe for attack, he pointed out.

In a recent Dark Reading News Desk interview during Black Hat, Madeley somewhat presaged the attack described by Armorblox by explaining that Azure Active Directory is a feature often overlooked as a threat vector for Office 365 organizations.

"It is, for most organizations, the authentication provider for their employees," he explained. "So if an attacker has access to that, they have access to sites that are integrated into active directory that are federated with Azure." 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
HiteshVectra
50%
50%
HiteshVectra,
User Rank: Author
9/11/2020 | 12:56:58 PM
The balance between securing all things O365 and securing the hybrid cloud
To add to the list, we have seen an increase in attacks via Teams. The first being attackers using a compromised account to add an external account to be a member of an existing O365 Teams account.  The other is attackers tricking users into installing applications into Teams environments which may undermine existing security controls, such as multi-factor authentication (MFA), and enable malicious action on behalf of the authorizing user.  So while the threat landscape seems to increase on a daily basis, we see customers putting more focus on identifying and stopping attacks in their hybrid cloud since that is typically the destination of the breach. And while there are ways to secure the entire threat landscape, SOCs typically don't have the capacity to secure every single thing nor the hours in a day to do so. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...