Microsoft Seizes Malicious Domains Used In Mass Office 365 Attacks
Microsoft has seized control of several malicious domains that were used in COVID-19-themed phishing attacks against its customers in 62 countries around the world. The sophisticated phishing attacks, which first began in December, have since compromised Office 365 accounts across those countries. The attackers behind the campaign have gained access to victims’ emails, contact lists, sensitive documents and other valuable information, according to Microsoft.
The software maker and cloud-service provider last week obtained a court order that allowed it to seize six domains, five of which contained the word “office.” The company said attackers used them in a sophisticated campaign designed to trick CEOs and other high-ranking business leaders into wiring large sums of money to attackers, rather than trusted parties. An earlier so-called BEC, or business email compromise, that the same group of attackers carried out in December used phishing attacks to obtain unauthorized access. The emails used generic business themes such as quarterly earnings reports. Microsoft used technical means to shut it down.
The attackers returned with a new BEC that took a different tack: instead of tricking targets into logging in to lookalike sites, and consequently divulging the passwords, the scam used emails that instructed the recipient to give what was purported to be a Microsoft app access to an Office 365 account. The latest scam used the COVID-19 pandemic as a lure.
In the more recent, renewed phishing attacks, however, the emails used themes leveraging the ongoing coronavirus pandemic, a commonly used lure for email scams, malware attacks and other malicious activities since March.
A recent phishing campaign, for instance, leveraged novel training programs that employees are supposedly required to complete to comply with coronavirus regulations in the workplace. The campaign, targeting Office 365 users, sent an email that included a link to register for the training: “COVID-19 Training for Employees: A Certificate for Health Workplaces.”
Microsoft said that the emails related to this campaign in particular utilized pandemic-related financial concerns – with attachments labelled as a “COVID-19 Bonus,” for instance.
Victims who clicked on the attachments in the campaign were then prompted to grant access permissions to a malicious web application (web apps are commonly used by organizations for productivity purposes). Once the victim clicked through the consent prompt for the malicious web app, the cybercriminals received permission to access and control the contents of the victim’s Office 365 account, including email, contacts, notes and material stored in the victim’s OneDrive for Business cloud storage space and in the corporate SharePoint document management and storage system.
Burt cited a 2019 report from the FBI that said BEC crimes caused losses of more than $1.7 billion, almost half of all financial losses caused by Internet crime. BECs were the most costly complaint received by the Internet Crime Center, according to the report. In some of the more well-executed campaigns, executives receive emails that appear to come from managers, accountants, or other people who work for the organization.
Burt didn’t give the name or affiliation of the hackers other than to say they were sophisticated and had carried out the December campaign.
Beware of OAuth
It’s not the first time attackers have tricked targets into granting network access to malicious apps. Last year, researchers disclosed at least two others, both of them designed to gain access to Google accounts. One was carried out by hackers working for Egypt, according to a report from Amnesty International. The other targeted the iOS and Android devices of Tibetans.
Both campaigns relied on OAuth, an open standard that allows users to give websites or apps access to network resources without having to give them a password. As Microsoft said, such attacks often fly under the radar of users trained to spot phishing, since there’s no request to enter a password into a fake site. In some cases, the OAuth technique may have the ability to bypass two-factor authentication, which in addition to a password, requires users to enter a temporary password or to connect a physical security key to the device that’s being authenticated.
One way to protect Google and G Suite accounts against OAuth scams is to turn on Advanced Protection, which strictly enforces hardware-based 2FA for every new device or app logging in for the first time. The program also restricts all but a handful of apps from connecting even when a key is provided, so it may not be suitable for all users. It’s possible that other 2FA protections do the same.
Other ways to avoid the scams are to learn the telltale signs of phishing, such as misspelled words, bad grammar, and links to sites that name a company or product but combine it with words that aren’t commonly used by the app maker or website operator. Wednesday’s post provides a variety of ways to spot malicious OAuth apps. These measures are hardly perfect, and as a result the effectiveness and low cost of phishing make it one of attackers’ go-to methods for compromising accounts.
The steps are nonetheless worth following.
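The consent-grant technique described above and the “brand word combined with unrelated words” telltale sign are easiest to act on in a tenant-wide audit. The following is an added defender-side example, not code from the article or from Microsoft: it triages a constructed export of OAuth consent grants (the field names are assumptions, not a Microsoft Graph schema) and flags apps that hold broad mail or file access alongside an unverified publisher or a lookalike redirect host.

```python
import json
import re

# Constructed sample of three consent grants, in the shape a tenant audit export
# might produce. Field names are assumptions; scope names are Microsoft Graph
# permission names.
SAMPLE_GRANTS = json.dumps([
    {"app_name": "Office 365 Reporting", "publisher_verified": False,
     "reply_url": "https://office-reporting-login.example/callback",
     "scopes": ["Mail.Read", "Contacts.Read", "Files.Read.All", "Sites.Read.All"],
     "consented_by": "ceo@example.com"},
    {"app_name": "Contoso Expenses", "publisher_verified": True,
     "reply_url": "https://expenses.contoso.example/auth",
     "scopes": ["User.Read"], "consented_by": "alice@example.com"},
    {"app_name": "COVID-19 Bonus", "publisher_verified": False,
     "reply_url": "https://bonus-office365-secure.example/oauth",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All"],
     "consented_by": "cfo@example.com"},
])

# Scopes that expose what the article says the attackers took: mail, contacts,
# OneDrive and SharePoint content.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Contacts.Read",
                    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All"}
BRAND_WORDS = ("office", "microsoft", "365")


def lookalike_host(url):
    """True when the redirect host borrows a brand word (the telltale-sign pattern)."""
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return any(word in host for word in BRAND_WORDS)


def assess_grants(export_json):
    """Return the grants worth an analyst's attention, with the reasons."""
    findings = []
    for grant in json.loads(export_json):
        risky = sorted(HIGH_RISK_SCOPES & set(grant["scopes"]))
        reasons = []
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if not grant["publisher_verified"]:
            reasons.append("unverified publisher")
        if lookalike_host(grant["reply_url"]):
            reasons.append("brand word in redirect host")
        # Flag only when broad data access is paired with another signal, so a
        # verified app with narrow scopes (User.Read) is left alone.
        if risky and len(reasons) >= 2:
            findings.append({"app": grant["app_name"],
                             "user": grant["consented_by"], "reasons": reasons})
    return findings
```

Each finding names the consenting user, which is the account whose mail and files should be treated as exposed until the grant is revoked.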