Microsoft 365 and Outlook users in the United States are in the crosshairs of a successful credential-stealing campaign that uses voicemail-themed emails as phishing lures. Researchers say the flood of malicious emails aimed at Microsoft 365 illustrates the broader problem of securing that environment.
According to an analysis by Zscaler’s ThreatLabz, the highly targeted campaign has been under way since May and is aimed at specific verticals, including software security, the US military, security solution providers, healthcare/pharmaceuticals, and manufacturing supply chains.
The campaign has managed to compromise a number of credentials, which can be used for various cybercrime endgames. These include accessing documents, taking over accounts for information theft and snooping on correspondence, sending trusted-looking business email compromise (BEC) emails, installing malware, and pivoting deeper into corporate networks. Username/password combos can also be added to credential-stuffing lists in the hope that victims have made the mistake of reusing passwords on other types of accounts (such as online banking).
“Microsoft 365 accounts are often a repository of data that can be widely downloaded,” said Robin Bell, CISO of Egress. “Hackers can also use compromised Microsoft 365 accounts to send phishing emails to victims’ contacts to maximize the effectiveness of their attacks.”
Voicemail Phishing Attack Chain
From a technical standpoint, the attacks follow a classic phishing playbook, with a few twists that make them even more successful.
The attack begins with an email purporting to be a missed-voicemail notification, which carries an HTML attachment.
HTML attachments often get past email gateway filters because they are not inherently harmful. They also do not tend to raise red flags for users in the context of a voicemail notification, since that is how legitimate office notifications arrive. For added authenticity, the “from” fields in the email are specially crafted to align with the name of the target organization, according to a recent Zscaler blog post.
If a target opens the attachment, JavaScript inside it redirects the victim to the attacker-controlled credential-harvesting website. According to the researchers, these URLs are custom-made to match each target company.
“For example, when someone at Zscaler was targeted, the URL used the following format: zscaler.zscaler.briccorp[.]com/”
Before the mark can reach the page, a Google reCAPTCHA check pops up, an increasingly popular tactic for evading automated URL analysis tools.
Captchas will be familiar to most Internet users as the Turing-test-style challenges that typically involve clicking on all the photos in a grid that contain a specific object, or typing a word presented as blurry or distorted text. The idea is to weed out bots on e-commerce and online account sites, and they serve the same purpose for crooks.
After passing the captcha, targets are sent to a phishing page, where they are asked to enter their Microsoft 365 credentials, which, of course, are immediately captured by the bad guys at the other end of the URL.
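The following Python script is an added defensive illustration, not code from the Zscaler report or from this article. It shows how a mail-filtering hook could flag the chain described above: a voicemail-themed subject, a sender display name that borrows the target organization’s name while the address comes from elsewhere, an HTML attachment, and a JavaScript redirect inside that attachment pointing at a host that is not a legitimate Microsoft sign-in host. The sample messages, the `acme.example` organization, the attacker host `acme.acme.voicemail-portal.example`, and the allowlist of sign-in hosts are all constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed identity of the defended organization (assumption for the example).
ORG_NAME = "acme"
ORG_DOMAIN = "acme.example"

# Hosts that legitimately serve Microsoft 365 sign-in pages. Assumption: a
# defender-maintained allowlist; add the tenant's own SSO/IdP hosts as needed.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Subject wording typical of a missed-voicemail lure.
VOICEMAIL_LURE = re.compile(r"voice\s*-?\s*mail|missed\s+call|new\s+message", re.I)

# JavaScript redirects of the kind an HTML attachment uses to bounce the
# reader to another site: location = ..., location.href = ..., location.replace(...).
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.replace\(\s*['\"]([^'\"]+)['\"]\s*\)",
    re.I,
)


def analyse_message(raw_eml: str) -> dict:
    """Collect the indicators of the voicemail/HTML-attachment chain from one message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    findings = {
        "voicemail_lure": bool(VOICEMAIL_LURE.search(msg.get("Subject", ""))),
        # Display name borrows the org's name but the address is external.
        "spoofed_org_name": ORG_NAME in display_name.lower() and sender_domain != ORG_DOMAIN,
        "html_attachment": False,
        "redirects": [],             # every URL a JS redirect in an attachment points to
        "offsite_login_hosts": [],   # redirect hosts that are not on the allowlist
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/html" and not name.endswith((".htm", ".html")):
            continue
        findings["html_attachment"] = True
        body = part.get_content()
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        for match in JS_REDIRECT.finditer(body):
            url = match.group(1) or match.group(2)
            findings["redirects"].append(url)
            host = (urlparse(url).hostname or "").lower()
            if host and host not in LEGIT_LOGIN_HOSTS:
                findings["offsite_login_hosts"].append(host)
    return findings


def verdict(findings: dict) -> str:
    """Lure + HTML attachment + off-site redirect is the full chain; partial matches get a human look."""
    if findings["html_attachment"] and findings["offsite_login_hosts"]:
        return "quarantine" if findings["voicemail_lure"] else "review"
    if findings["html_attachment"] and (findings["voicemail_lure"] or findings["spoofed_org_name"]):
        return "review"
    return "allow"


def build_sample(sender: str, subject: str, attachment_name: str, attachment_html: str) -> str:
    """Build a constructed test message and return it as an RFC 822 string."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@acme.example"
    msg["Subject"] = subject
    msg.set_content("You have a new message. Open the attachment to listen.")
    msg.add_attachment(attachment_html, subtype="html", filename=attachment_name)
    return msg.as_string()


# Constructed samples: the lure (org name in the display name, external address,
# redirect to a look-alike host) and a harmless internal HTML attachment that
# merely links to the real sign-in page.
SAMPLES = {
    "lure": build_sample(
        "Acme Voicemail <noreply@voice-notify.example>",
        "New Voicemail Message (0:42)",
        "voicemail.html",
        '<html><body><script>window.location.href='
        '"https://acme.acme.voicemail-portal.example/play";</script></body></html>',
    ),
    "benign": build_sample(
        "Finance Team <finance@acme.example>",
        "Quarterly report",
        "report.html",
        '<html><body><a href="https://login.microsoftonline.com/">Sign in</a></body></html>',
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        found = analyse_message(raw)
        print(f"{label}: verdict={verdict(found)} redirects={found['redirects']}")
```

The allowlist check is the same test a user is asked to perform by eye (is the sign-in page really on a Microsoft host?), applied before the message reaches the inbox; the reCAPTCHA gate described above defeats crawlers that follow the link, but it does nothing against inspecting the attachment itself.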
“When faced with a login prompt that looks like a typical O365 login, the person may feel comfortable entering their information without looking at the browser’s URL bar to make sure they are on the actual login website,” Erich Kron, security awareness advocate at KnowBe4, told Dark Reading. “The familiarity, and the high likelihood that an intended victim regularly uses O365 for something in their workday, makes it a great lure for attackers.”
Using voicemail as a lure is not a new strategy, but it is a successful one. The current campaign is actually a resurgence of activity seen in July 2020, the researchers noted, pointing to significant overlap in tactics, techniques and procedures (TTPs) between the two phishing waves.
“These attacks target human nature, using tactics that play on our psychology to motivate their victims,” Egress’s Bell told Dark Reading. “So, despite investing in security awareness training, many companies still fall victim to phishing. In addition, threat actors are creating increasingly sophisticated, highly credible attacks that many people cannot distinguish from the ‘real thing.’ This is compounded because users often do not see details such as the actual sender’s information.”
Microsoft 365 continues to be a popular target
The cloud version of Microsoft’s productivity suite, formerly known as Office 365 or O365 and renamed Microsoft 365 by the company, is used by over 1 million companies and over 250 million users. As such, it acts as a siren song to cybercriminals.
According to a 2022 Egress report, “Fighting Phishing: An IT Leader’s Perspective,” 85% of companies using Microsoft 365 have reported phishing in the last 12 months, and 40% of companies have had credentials stolen.
“Microsoft O365 and Outlook are used by approximately 1 million companies, so attackers have a great opportunity to hunt organizations that use these services,” Bell said. “With so many accounts, hackers have a good chance of reaching targets with a low level of technical awareness, who are more likely to be fooled.”
Microsoft 365 phishing is also a popular attack vector because it blends in with normal workday activities, Kron notes.
“We spend most of our workdays in a near-autopilot mode, almost automatically repeating tasks, as long as those tasks are expected,” he explains. “It’s only when something unexpected happens that people take notice and apply critical thinking. For many of us, the act of logging in to an O365 portal is not unusual enough to raise our suspicions. The software invisibly forwards the information to a valid login portal, resulting in a successful login, and the victim never knows they have been deceived.”
How CISOs can protect against social engineering
Closing such threat vectors poses significant challenges for CISOs, the researchers say, mainly because it is impossible to patch human nature. That said, user training that encourages employees to perform basic checks, such as verifying the URL before logging in, can go a long way.
“We have to face the fact that social-engineering attacks, including phishing, vishing and smishing, are here to stay,” Kron said. “Phishing has been almost commonplace since the inception of email, and the damage and loss that can be expected is too great to ignore. CISOs need to understand these risks, and employees need to understand that in our modern world, where everyone uses computers and processes information, cybersecurity is in some ways a part of everyone’s job, and will be for the foreseeable future.”
Beyond this basic best practice, CISOs should take back-end technology steps to cover for the mistakes people make, because they inevitably will make them. And that, according to Bell, should go beyond standard secure email gateway filters.
“To really mitigate the risks, companies need the right technology,” he advises. “CISOs need to evaluate their security stacks and make sure they are augmenting their email platforms with an extra layer of security to keep their people and data safe. Technology partners should help them identify even the most sophisticated attacks. This ensures that credentials and email accounts cannot be compromised by threat actors.”
Kron recommends a common-sense defense approach that combines both technology and training.
“CISOs who do not recognize this and try to deal with these attacks with purely technical tools are less likely to succeed,” he said. “For those CISOs who understand that these attacks exploit human vulnerabilities, and who address the human problem through education and training as well as establishing a mix of technological controls, the results are often much better.”