Security experts from Microsoft have issued an alert for Office 365 users to be on the lookout for phishing emails that contain spoofed addresses.
This campaign is “sneakier than usual”, Microsoft noted.
An active campaign targeting Office 365 users tricks them into clicking a link and entering their credentials. The attackers layer several techniques to slip past security controls: an Office 365 lookalike phishing page, hosting on Google's cloud web-app infrastructure, and a compromised SharePoint site.
“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters,” the Microsoft Security Intelligence team said in a Twitter update.
The original sender addresses contain variations of the word “referral” and use various top-level domains, including the domain com[.]com.
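The header pattern Microsoft describes (a real but unrelated sender address, a display name that carries the target's own address and a service name) is straightforward to check for in mail-flow tooling. The following Python is an added example written for this article, not Microsoft's detection logic. The list of Microsoft sending domains, the “referral” misspellings and the three sample messages are assumptions constructed for the demo; only the “referral” token and the com[.]com domain come from the alert itself.

```python
"""Heuristic detector for the From: header tricks described in the alert.

Added example for this article; not Microsoft's own detection logic.
A message is flagged when its From: display name embeds an e-mail address
(especially one in the recipient's own domain) that differs from the real
sender, when the display name names a Microsoft service while the sender
domain is not Microsoft's, when the sender address contains a 'referral'
variant, or when the sender domain is com.com.
"""
import re
from email import message_from_string
from email.policy import default

# Assumed: domains that legitimately send SharePoint / Office 365 notifications.
MICROSOFT_DOMAINS = ("microsoft.com", "sharepointonline.com")
# Service names the alert says the display names mimic.
IMPERSONATED_BRANDS = ("sharepoint", "microsoft", "office 365")
# 'referral' plus assumed misspellings; the alert only says "variations".
REFERRAL_TOKENS = ("referral", "refferal", "referal")

# Loose address matcher for text inside a display name.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _in_domain(domain: str, roots: tuple) -> bool:
    """True if domain equals or is a subdomain of any root."""
    return any(domain == r or domain.endswith("." + r) for r in roots)


def analyse_from_header(raw_message: str) -> list[str]:
    """Return a sorted list of finding tags for the message's From: header."""
    msg = message_from_string(raw_message, policy=default)
    if msg["From"] is None or msg["To"] is None:
        return ["missing-from-or-to"]
    sender = msg["From"].addresses[0]
    recipient = msg["To"].addresses[0]
    display = sender.display_name
    sender_dom = sender.domain.lower()
    findings = set()

    # 1. An e-mail address hidden inside the display name.
    for embedded in ADDR_IN_TEXT.findall(display):
        emb_dom = embedded.rsplit("@", 1)[1].lower()
        if emb_dom != sender_dom:
            findings.add("display-name-address-mismatch")
        if emb_dom == recipient.domain.lower():
            findings.add("recipient-domain-in-display-name")

    # 2. Service name in the display name, but the mail did not come from Microsoft.
    if any(b in display.lower() for b in IMPERSONATED_BRANDS) and not _in_domain(
        sender_dom, MICROSOFT_DOMAINS
    ):
        findings.add("brand-impersonation")

    # 3. 'referral'-style sender addresses seen in the campaign.
    if any(t in sender.addr_spec.lower() for t in REFERRAL_TOKENS):
        findings.add("referral-sender")

    # 4. The com.com domain named in the alert (defanged there as com[.]com).
    if sender_dom == "com.com" or sender_dom.endswith(".com.com"):
        findings.add("com-com-domain")

    return sorted(findings)


# Constructed sample messages (not real campaign artefacts).
PHISH = """\
From: "bob@contoso.com SharePoint" <refferal-notice@mail.com.com>
To: Bob Smith <bob@contoso.com>
Subject: Shared document: Staff Reports and Bonuses.xlsx

Bob shared a file with you.
"""

LEGIT = """\
From: Alice Example <alice@contoso.com>
To: Bob Smith <bob@contoso.com>
Subject: Q3 numbers

Attached.
"""

MS_NOTICE = """\
From: SharePoint Online <no-reply@sharepointonline.com>
To: Bob Smith <bob@contoso.com>
Subject: A file was shared with you

Open the document.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT), ("ms_notice", MS_NOTICE)):
        print(name, analyse_from_header(sample))
```

The display name in the phishing sample is quoted because an unquoted `@` in that position is not valid RFC 5322 and parsers disagree on how to recover from it; real filters should also inspect the raw header for that case, and treat parse defects reported by the `email` package as a signal rather than silently falling back.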
Phishing is a growing concern for businesses, which typically need regularly refreshed training and technical controls to keep up with it, and it cost Americans more than $4 billion last year. Business email compromise (BEC) is considered the most costly category of attack, ahead of the high-profile ransomware incidents that draw most of the headlines.
BEC is an email attack in which the adversary sends from a compromised legitimate mailbox, or a close imitation of one, to deceive that mailbox's contacts. It is hard to filter because the messages arrive from the same addresses that legitimate mail does.
The current phishing emails are dressed up as a “file share” notification from Microsoft SharePoint, dangling a purported Excel spreadsheet of staff reports and bonuses as the lure. The main phishing URL in the message points to an AppSpot domain on Google App Engine.
“The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page,” Microsoft notes.
A second link, placed in the email’s notification-settings text, takes the victim to a compromised site. Both links require the victim to enter credentials before reaching the final page.
“The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages,” Microsoft notes.
Notably, Microsoft’s Safe Links feature, which the company says reduces the number of malicious links users actually click, is not a bulletproof control, as this very warning shows.
Microsoft and CISA have both previously urged organizations to pair regularly updated phishing-awareness training with technical controls such as multi-factor authentication that does not rely on SMS text messages.