The attacks that are part of multiple ongoing phishing campaigns dubbed as the “Compact” Campaign, active since early 2020, have now started to bypass secure email gateways (SEGs) when targeting victims.
First detected by the WMC Global Threat Intelligence Team, the “Compact” Campaign phishing operation stole an estimated 400,000 Outlook Web Access (OWA) and Office 365 credentials since December 2020.
“Phishers continue to find success in using compromised accounts on email marketing services to send malicious emails from legitimate IP ranges and domains,” Microsoft’s security experts said on March 23 on Twitter.
Attackers take advantage of the configuration settings that make sure emails are delivered even if the security solution detects phishing.
Attackers camouflage their phishing emails as notifications from popular video conferencing services (Zoom), and various security and productivity products.
One tactic allows threat actors to pose as owners of secure email gateways and send fake emails from trusted domains. By using compromised accounts for email delivery services like SendGrid and MailGun, they take advantage of secure email gateways and get through security checks.
Once phishing messages land in the targets’ inboxes and the victim clicks on embedded hyperlinks, the attackers use phishing landing pages that mimic various Microsoft login pages.
“In December, the landing page impersonated the Outlook Web App brand to trick targets into entering their credentials,” WMC Global said in their report. “In January, the attacks changed to mimic Office 365 brand, likely to capture more employee credentials.”
Fake emails (Microsoft)
The phishing operation continues to evolve, according to researchers. It now abuses Amazon Simple Email Service (SES) and the Appspot cloud computing platform to generate multiple phishing URLs and distribute phishing emails.
“We shared our findings with Appspot, who confirmed the malicious nature of the reported URLs and used the shared intelligence to find and suspend additional offending projects on Appspot,” Microsoft said.
Since the Compact Campaign uses compromised email marketing accounts, Microsoft advised that organizations review their email flow rules for broad exceptions that may be letting phishing emails through.