Attackers are luring victims with Microsoft Office 365-themed phishing emails that are more likely to be acted on amid the publicity surrounding the SolarWinds attacks on multiple private and state institutions.
The attackers exclusively target top executives, executive assistants, and financial departments across numerous industries, the security firm Area 1 Security reports.
According to the researchers, the campaign began in early December 2020 and is still ongoing, targeting a large number of companies.
“The activity we observed was relatively large in comparison to what we usually see with such highly targeted attacks,” Area 1 Security’s principal threat researcher Juliette Cash told Help Net Security.
In several cases, attackers targeted newly-selected CEOs. “It is highly likely that the attackers gained unauthorized access to accounts at those companies prior to sending the phishing messages,” Cash said.
“Fraudsters are constantly profiting off of angst surrounding ongoing cybersecurity scares, like the now-infamous SolarWinds breach, and they know that targets are likely to click out of fear that their noncompliance could be the source of another breach,” the researchers pointed out.
Threat actors first try to gain access to an email account at the targeted company or at one of its third-party partners, and then use the sensitive information they obtain there to craft more persuasive phishing messages.
Attackers send most of the phishing emails from addresses on Microsoft-themed domains with properly configured SPF records, researchers said. The emails alert victims about “Important Service Changes” or “Important Security Policy Updates.”
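A properly configured SPF record on an attacker-registered Microsoft-themed domain only proves that the sending host is authorized for that domain; it says nothing about whether the domain itself is legitimate. The following triage script is an added example, not code from the article or from Area 1 Security: it parses constructed sample messages, records the SPF verdict from the Authentication-Results header, and flags mail whose sender domain merely contains a Microsoft-related keyword without being one of the genuine Microsoft sending domains, or whose subject matches the lure subjects reported above. The legitimate-domain list and the sample headers are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (illustrative, not exhaustive) set of genuine Microsoft sending domains.
LEGIT_MS_DOMAINS = {"microsoft.com", "office.com", "office365.com", "microsoftonline.com"}

# Lure subjects reported for this campaign, lowercased for matching.
LURE_SUBJECTS = ("important service changes", "important security policy updates")

# Keywords that make a non-Microsoft domain look Microsoft-themed.
LOOKALIKE_KEYWORDS = ("microsoft", "office365", "o365", "outlook")


def is_lookalike_domain(domain: str) -> bool:
    """True if the domain imitates Microsoft but is not a genuine Microsoft domain."""
    d = domain.lower()
    if d in LEGIT_MS_DOMAINS or any(d.endswith("." + ld) for ld in LEGIT_MS_DOMAINS):
        return False
    return any(k in d for k in LOOKALIKE_KEYWORDS)


def spf_result(auth_results: str) -> str:
    """Extract the spf= verdict from an Authentication-Results header, or 'none'."""
    m = re.search(r"\bspf=(\w+)", auth_results)
    return m.group(1).lower() if m else "none"


def triage(raw_message: str) -> dict:
    """Return a triage record for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    subject = msg.get("Subject", "").lower()
    spf = spf_result(msg.get("Authentication-Results", ""))

    reasons = []
    if is_lookalike_domain(domain):
        # spf=pass on such a domain is expected: the attacker controls its DNS.
        reasons.append(f"lookalike Microsoft domain ({domain}), spf={spf}")
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("subject matches known lure")

    return {"from_domain": domain, "spf": spf, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample messages (not real campaign artefacts).
SAMPLE_PHISH = """\
From: Microsoft Office 365 <security@microsoft-office365-alerts.example>
To: jane.doe@victim.example
Subject: Important Security Policy Updates
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=microsoft-office365-alerts.example

Please review the attached policy update.
"""

SAMPLE_LEGIT = """\
From: Microsoft <no-reply@microsoft.com>
To: jane.doe@victim.example
Subject: Your monthly statement is available
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=microsoft.com

Your statement is ready.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(sample))
```

Both samples pass SPF, which is exactly why an SPF check alone does not separate them; the lookalike-domain test and the lure-subject match do.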
“A majority of the targeted email accounts followed the format first name.last name@company domain, making the inclusion of full names in the attachments fairly effortless from an automated standpoint. However, even in cases where only initials appeared in the email address, the attackers still managed to include the target’s full name in the PDF attachment. This indicates that the threat actors conducted additional reconnaissance to carefully craft their phishing lures,” the researchers noted.
Once a victim opens an attachment, they see a fake Office 365 login page which in some cases was localized into the victim’s language, the researchers explained.
If the entered email address was not a valid Office 365 address, or belonged to an organization using Conditional Access, a different single sign-on (SSO) provider, Active Directory Federation Services (ADFS), or similar, the attackers abandoned the phishing attempt and redirected the victim to the legitimate sign-in page.