Office 365 Phishing Attack Using Real-Time Validation
Orhan Sari
To steal Office 365 login information from users, criminals ran a phishing attack that validated credentials in real time against an institution’s Active Directory. The attack was reported to have targeted an executive of a financial organisation.
The email, with the subject line “ACH Debit Report,” used spoofing tactics to try to trick the recipient into thinking that it was an internal final report. It was not sent from an internal email address; it was sent using the j.q.zehfsje.com subdomain.
Figure 1. The Outlook 365 Real-time Phishing Attack
The phishing email instructed the recipient to open what appeared to be a text file. When the victim opened this file, they were presented with a fake copy of the Microsoft Office 365 service.
Attackers are constantly improving themselves and their attack methods. This fake portal is also a well-prepared example of a phishing attack: it even had the recipient’s username pre-entered in the corresponding text field.
Figure 2. The Outlook 365 Fake Login Page
When this imposter portal was examined, it was found to have been prepared with customizable tools used to create phishing emails. The attackers were also found to have used the Amazon Simple Email Service (amazonses.com) to send the phishing emails.
The fake Office 365 page was found to use the Office 365 APIs in the background to validate the victim’s credentials against Active Directory in real time. With this technique, the attackers received real-time feedback based on the users’ actions.
Teenagemoglen.com hosts the web service behind the phishing credential website. The domain has been registered as of the end of May 2020 with a Singapore domain registrar at Alibaba.com. The website is hosted by UnifiedLayer, a hosting company based in India, at a datacenter in Provo, Utah, United States. The website appears to host web pages copied from another website. None of the links that would allow interaction with a visitor appear to be active.
More than 150 victims were found to have visited the page after the attack took place. These findings made it clear that this was a targeted phishing attack.
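The real-time validation described above can be hunted for on the defender's side. The following is an added example, not code from the original post or from Keepnet Labs; it assumes the validation attempts appear in the tenant's sign-in log as coming from the phishing backend's address rather than the user's usual ones, and the record fields and sample data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records; the field names are hypothetical, not a real
# export schema. All addresses are from documentation ranges.
SIGNINS = [
    {"time": "2020-06-01T08:02:11", "user": "cfo@example.com", "ip": "198.51.100.10", "ok": True},
    {"time": "2020-06-01T09:00:05", "user": "analyst@example.com", "ip": "198.51.100.10", "ok": True},
    {"time": "2020-06-01T12:30:00", "user": "cfo@example.com", "ip": "198.51.100.10", "ok": False},
    {"time": "2020-06-01T12:30:20", "user": "cfo@example.com", "ip": "198.51.100.10", "ok": True},
    {"time": "2020-06-01T14:15:03", "user": "cfo@example.com", "ip": "203.0.113.77", "ok": False},
    {"time": "2020-06-01T14:15:41", "user": "cfo@example.com", "ip": "203.0.113.77", "ok": True},
    {"time": "2020-06-01T18:00:00", "user": "analyst@example.com", "ip": "192.0.2.44", "ok": True},
    {"time": "2020-06-01T19:00:00", "user": "analyst@example.com", "ip": "192.0.2.99", "ok": False},
]

def find_validation_bursts(records, window=timedelta(minutes=5)):
    """Return (user, ip, seconds) for each address new to a user that fails
    and then succeeds within `window`. Assumption: a login page that checks
    credentials live leaves this trail when the victim retypes a password."""
    known = defaultdict(set)   # user -> addresses with an earlier clean success
    last_fail = {}             # (user, ip) -> latest failure from a new address
    flagged = set()            # (user, ip) pairs already reported
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        when = datetime.fromisoformat(rec["time"])
        user, ip = rec["user"], rec["ip"]
        if ip in known[user] or (user, ip) in flagged:
            continue           # established address, or already reported
        if not rec["ok"]:
            last_fail[(user, ip)] = when
        elif (user, ip) in last_fail and when - last_fail[(user, ip)] <= window:
            flagged.add((user, ip))
            gap = when - last_fail[(user, ip)]
            alerts.append((user, ip, int(gap.total_seconds())))
        else:
            known[user].add(ip)  # first success here with no recent failure
    return alerts

if __name__ == "__main__":
    for user, ip, secs in find_validation_bursts(SIGNINS):
        print(f"review: {user} failed then succeeded from new address {ip} in {secs}s")
```

A hit is a lead for review rather than proof of compromise: a user who mistypes a password on a new network produces the same pattern, so correlate it with mail and proxy logs for the same time window.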
How to prevent the Office 365 phishing attack?
Find a strategy for cybersecurity awareness training that uses entertaining learning elements to inspire people and organisations to become defenders against cyber threats. Your employees must learn how not to get hacked, which makes them the first line of defence against today’s more sophisticated phishing attacks and email security risks.
Keepnet Labs phishing awareness training will help people to make better decisions and circumvent phishing threats or other social engineering attacks. When phishing awareness training is combined with a phishing simulator, employees will counter real-life scenarios and recognise and respond to fake emails more quickly.
Also, you can view another blog post, “New Outlook Themed Phishing Attack on Banking Sector”.