Phishing Attackers Spotted Using Morse Code to Avoid Detection

Microsoft has revealed details of a deceptive year-long social engineering campaign in which the operators changed their obfuscation and encryption mechanisms every 37 days on average, including using Morse code, in an attempt to hide their tracks and steal user credentials. 

One of the numerous tactics employed by the hackers, whom Microsoft did not name, to disguise the harmful code was Morse code, a means of encoding characters with dots and dashes popularised by telegraph technology. It serves as a reminder that, despite their complexity, modern offensive and defensive cyber measures generally rest on the simple principle of hiding and cracking code.

The phishing attempts take the shape of invoice-themed lures that imitate financial-related business transactions, with an HTML file ("XLS.HTML") attached to the emails. The ultimate goal is to collect usernames and passwords, which are then utilized as an initial point of access for subsequent infiltration attempts. 

The attachment was compared to a "jigsaw puzzle" by Microsoft, who explained that individual pieces of the HTML file are designed to appear innocuous and slip by the endpoint security software, only to expose their true colors when decoded and joined together. The hackers that carried out the attack were not identified by the company.

"This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving," the Microsoft 365 Defender Threat Intelligence Team said in an analysis. "On their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions."

When the attachment is opened, a counterfeit Microsoft Office 365 credentials dialogue box appears on top of a blurred Excel document in a browser window. The dialogue box asks the recipient to sign in again because their access to the Excel document has allegedly expired. When the user types in a password, they are told that it is incorrect, while the page's script quietly sends the credentials to the attackers in the background. Since its discovery in July 2020, the campaign is reported to have gone through ten iterations, with the adversary periodically changing its encoding methods to hide the harmful nature of the HTML attachment and the many attack segments contained within the file.
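As an added illustration of the decoding step described above (this is not code from Microsoft's analysis or from the campaign), the following Python scanner pulls Morse-looking string literals out of an HTML attachment and decodes them, so an analyst can see what the joined pieces spell before the browser does. It assumes the International Morse alphabet with spaces between letters and "/" between words; the real campaign shipped its own lookup table inside the script, so a production scanner would also extract that table. The sample attachment is constructed.

```python
import re

# International Morse alphabet (letters and digits). The campaign's script
# carried its own symbol table; the standard table is assumed here.
MORSE_TO_CHAR = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}

# A quoted string literal (JS or HTML attribute) made only of dots, dashes,
# spaces and word separators. Eight characters is the assumed minimum length.
MORSE_LITERAL = re.compile(r"""(["'])([.\-/ ]{8,})\1""")


def decode_morse(seq):
    """Decode letters separated by spaces and words by '/'; '?' marks an unknown symbol."""
    words = []
    for word in re.split(r"\s*/\s*", seq.strip()):
        words.append("".join(MORSE_TO_CHAR.get(sym, "?") for sym in word.split()))
    return " ".join(w for w in words if w)


def find_morse_strings(html, min_known=0.8):
    """Return (literal, decoded) pairs for string literals that decode as Morse.

    A literal without any space cannot carry letter gaps, so relative paths
    such as "../../../" are skipped; a literal where fewer than `min_known`
    of the symbols are valid Morse is treated as noise.
    """
    hits = []
    for match in MORSE_LITERAL.finditer(html):
        literal = match.group(2)
        if " " not in literal:
            continue
        symbols = literal.replace("/", " ").split()
        if not symbols:
            continue
        known = sum(sym in MORSE_TO_CHAR for sym in symbols)
        if known / len(symbols) >= min_known:
            hits.append((literal, decode_morse(literal)))
    return hits


# Constructed sample attachment: one Morse-encoded fragment and one benign path.
SAMPLE_HTML = """<html><script>
var parts = ['.-.. --- --. .. -. / .--. .- --. .'];
var base = "../../../";
document.write(parts.join(''));
</script></html>"""

if __name__ == "__main__":
    for literal, decoded in find_morse_strings(SAMPLE_HTML):
        print(f"{literal!r} -> {decoded}")
```

Run against a saved attachment by reading the file into `find_morse_strings`; the `min_known` threshold is what keeps CSS dashes and similar noise out of the results, and it should be tuned on real samples.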

According to Christian Seifert, lead research manager at Microsoft's M365 Security unit, the hackers have yet to be linked to a known group. “We believe it is one of the many cybercrime groups that defraud victims for profit,” Seifert said.

Microsoft Warns Office 365 Users of 'Sneaky' Phishing Campaign

Microsoft's Security Intelligence staff has issued an alert to Office 365 users and administrators to watch out for a sneaky phishing email with fake sender addresses.

Researchers at Microsoft observed an active campaign targeting Office 365 organizations with convincing emails and several strategies to evade phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that entices victims to enter their credentials.

“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters," the Microsoft Security Intelligence team said in an update. 

“The original sender addresses contain variations of the word "referral" and use various top-level domains, including the domain com[.]com, popularly used by phishing campaigns for spoofing and typo-squatting.”

The fraudsters are using Microsoft SharePoint in the display name to tempt victims to click the link. Researchers identified phishing emails that seemed as if they were sent from a trusted source. Many of these emails contained a "file share" request to access bogus "Staff Reports", "Bonuses", "Pricebooks", and other content hosted in a supposed Excel spreadsheet. It also contained a link that navigates to the phishing page and plenty of Microsoft branding.

“The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page,” Microsoft notes.
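The sender heuristics Microsoft describes (a display name that mimics a Microsoft service, a "referral"-style local-part, the com.com domain, and the target's own username or domain embedded in the display name) can be checked message by message. The following Python is an added example, not Microsoft's detection logic; the sample headers are constructed, and the list of impersonated service names, the legitimate sending domains, and the "referral" spelling variants are assumptions.

```python
import re
from email.utils import parseaddr

# Display-name fragments the campaign borrows from legitimate services (assumed list).
LURE_NAMES = ("sharepoint", "onedrive", "office 365", "microsoft")
# Domains that genuinely send SharePoint notifications (assumed, not exhaustive).
LEGIT_SUFFIXES = ("microsoft.com", "sharepointonline.com")
# Sender local-parts built on variations of the word "referral" (assumed spellings).
REFERRAL = re.compile(r"ref+er+al", re.I)
# Domain singled out in Microsoft's update as popular for spoofing.
SPOOF_DOMAINS = {"com.com"}


def is_legit_domain(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in LEGIT_SUFFIXES)


def score_message(msg):
    """Return the heuristic reasons a message matches the campaign (empty = clean)."""
    name, addr = parseaddr(msg["from"])
    _, to_addr = parseaddr(msg["to"])
    local, _, domain = addr.rpartition("@")
    to_local, _, to_domain = to_addr.rpartition("@")
    lname = name.lower()
    reasons = []
    if any(k in lname for k in LURE_NAMES) and not is_legit_domain(domain):
        reasons.append("display name mimics a Microsoft service but sender domain does not")
    if REFERRAL.search(local):
        reasons.append("sender local-part is a variation of 'referral'")
    if domain.lower() in SPOOF_DOMAINS:
        reasons.append(f"sender domain {domain} is a known spoofing domain")
    if (to_local and to_local.lower() in lname) or (to_domain and to_domain.lower() in lname):
        reasons.append("recipient's own username or domain appears in the display name")
    return reasons


def flag_messages(msgs):
    """Return (subject, reasons) for every message with at least one reason."""
    return [(m["subject"], score_message(m)) for m in msgs if score_message(m)]


# Constructed sample headers modelled on the campaign described above.
SAMPLE_MESSAGES = [
    {"from": '"SharePoint - alice@example.org" <referal-notice@com.com>',
     "to": "alice@example.org",
     "subject": "File share: Staff Reports"},
    {"from": '"Bob Jones" <bob@partner-example.net>',
     "to": "alice@example.org",
     "subject": "Lunch next week"},
]

if __name__ == "__main__":
    for subject, reasons in flag_messages(SAMPLE_MESSAGES):
        print(subject, "->", "; ".join(reasons))
```

The display-name check is the noisiest of the four, which is why it is gated on the sender domain: genuine SharePoint notifications carry a Microsoft service name too, so a rule that fires on the name alone would quarantine real mail.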

Phishing campaigns have surged with the shift to remote work during Covid-19. They remain a difficult problem for businesses to stamp out, requiring regularly refreshed phishing awareness training and technical controls such as multi-factor authentication on all accounts, which both Microsoft and CISA strongly recommend.

According to the FBI's latest figures, phishing attacks have cost Americans more than $4.2 billion last year. Fraudsters employ business email compromise (BEC) attacks, which rely on compromised email accounts or email addresses that are similar to legitimate ones, and are difficult to filter as they blend within normal, expected traffic. BEC attacks are far more costly than high-profile ransomware attacks.

Researchers at Microsoft have published details on GitHub regarding the architectures connected to the spoofed emails mimicking SharePoint and other products for credential phishing. "The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages," Microsoft added.

Hacked SendGrid Accounts used In Phishing Attacks To Steal Logins

A newly identified phishing campaign is targeting users of Outlook Web Access and Office 365. It has collected the credentials of thousands of victims by relying on trusted email delivery domains such as SendGrid.

The campaign, named "Compact", has been run by the actors behind it since the beginning of 2020, and it is estimated to have collected over 400,000 credentials from multiple companies.

The operators used Zoom invites as a lure, paired with an extensive list of email addresses, and sent the messages from hacked accounts on the SendGrid cloud-based email delivery platform. Because SendGrid is a trusted Simple Mail Transfer Protocol (SMTP) provider, the messages were far less likely to be blocked by email protection technology before reaching their destination.

Researchers at WMC Global, makers of the PhishFeed real-time phishing intelligence service, highlighted some mistakes of the campaign operators. Those mistakes allowed them to analyze how the data has been moved from the phishing site into the hands of the operator. 

Researchers found that each phishing campaign collected roughly 3,700 credentials, which would bring the total across the various Compact campaigns to around 400,000 unique credentials.

WMC Global stated that “Earlier operations used compromised SendGrid accounts to deliver the phishing emails and then moved to MailGun, a developer-centric email service with APIs that allows sending, receiving, and tracking messages”. 

WMC believes "that the switch to a different service was determined by their collaboration with SendGrid to restore compromised accounts to the legitimate owners. Also, the phishing website of the Compact campaign had distinct fingerprints in the code that permitted monitoring and detection of a new site as soon as it became live…"

 “…We found a landing site impersonating Outlook Web App in December 2020 and another one in January 2021 that pretended to be for Office 365 login”, the company added. 

By searching the website source code, the researchers were able to locate the credential logs, which were stored in text files. The attackers behind the Compact campaigns had placed the exfiltration code on various compromised legitimate websites.

While analyzing the log data, the researchers noticed that employees of notable companies had fallen for the Compact phishing campaign. At present the Compact operators are using an Office 365 theme, which remains active and is the most prevalent.

WMC Global stated that “the latest email campaigns were noisy enough to attract attention but the tactics, techniques, and procedures observed point to other campaigns that used different phishing themes (Excel, OWA, Outlook Web Access Exchange, 1&1 Ionos, Rackspace)”.

Microsoft Office 365 users will now be able to view their quarantined phishing messages

Microsoft Office 365 will now let users view their phishing messages that have been automatically screened by the Exchange Online Protection (EOP) filter.

Through this new feature, users will be able to reclaim messages that had been wrongly marked as spam or phishing by EOP, a cloud-based filtering service that scans messages and stops malicious email (spam, phishing emails, malware attachments) from reaching the end user.

"We understand that managing false positives is important to ensuring an email is delivered appropriately, and in the past, end-users weren't granted access to the quarantine to view messages," Microsoft debriefs on the new feature.

However, the new feature will be available as "read-only" access but the user can request a particular message to be dropped in the inbox that might have been accidentally quarantined. This new Office 365 ATP Request Release feature will be available to all users with the Advanced Threat Protection plan this month. 

Office also released a similar feature not too long ago - Application Guard which opens all files from unsafe locations in a secluded sandbox. This isolated sandbox doesn't allow malicious files to corrupt the device and software by not letting the file download any data, file, or extension from the attacker's server. 

Upcoming ATP security features and tools

Office 365 is planning to enhance its security in the third quarter of the year with several new features:

  •  Improving Office 365 ATP Threat Explorer
To elevate its ability to distinguish between malicious, spam, and phishing emails.

  •  Disabling default email forwarding to external recipients
To prevent data theft, along with "automated malicious content blocking" for all users regardless of their custom settings.

  •  More transparency through email pathways
Office ATP users would get more information on the route incoming emails take through Office's EOP (Exchange Online Protection) filtering system, and would learn more about the "effectiveness of any security configuration changes", according to bleepingcomputer.com.

  •  New Configuration Analyzer
This feature is expected to release in Q3 and would make it easier to compare the efficacy of your security policy settings against Office's recommended settings.

Hackers abusing .slk files to attack Microsoft 365 users

Avanan's security analysts have recently discovered a threat that bypasses Microsoft 365 security by using .slk files to avoid detection.

The attackers send emails with an .slk file attached; it carries a macro (an MSI exec script) that downloads and installs the trojan. Although this attack is limited to Microsoft 365, bypassing both its default security (EOP) and its advanced security (ATP), it puts around 200 million-plus users at risk.

Gmail users are so far safe from this threat, as Google blocks .slk files and does not allow them to be sent as attachments.

The attack

The "Symbolic Link" (SLK) file is an older, human-readable, text-based spreadsheet format last updated in 1986. Back when the XLS format was proprietary, .slk was the open-format alternative, but XLSX was introduced in 2007 and there was no longer a need for .slk. To the user, these .slk files look like an ordinary Excel document, and that lets the attacker slip past Microsoft 365 security.

This latest discovery by Avanan's security analysts reveals that when these files are opened they run a command on the Windows machine that drives Windows Installer to install an MSI package quietly. This particular attack installs a hacked version of the off-the-shelf NetSupport remote control application, giving the attacker full control of the desktop.

Where did the mails come from? 

The majority of the malicious emails were sent from a disposable email address like, “randomwords1982@hotmail.com”.

These mails were sent from Hotmail and for a good reason, "While most of the well-known anonymous email sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders", reports Informationsecuritybuzz.com.

 The peculiar thing about these emails is that they are manually created and targeted personally. No two mails are alike, each one with a different subject and body especially crafted for the receiver with the subject and matter that concerns them.

How to prevent the attack?

The best method to avoid this attack is to simply configure your Office 365 to reject files with .slk extension at least till Microsoft fixes the issue.
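As an added example of the mitigation above (this is not Avanan's or Microsoft's code), the following Python triages an attachment in two ways: it rejects the .slk extension, as recommended, and it also sniffs the file content for the SYLK record header, which catches a SYLK file that has been renamed to .xls, since Excel recognises the format from the content rather than the extension. That second check goes beyond the page's advice. The sample file is constructed and its EXEC() argument is a placeholder; the record layout (C;X..;Y..;E<expr> for formula cells) is the SYLK format's own.

```python
import re

BLOCKED_EXTENSIONS = {".slk", ".sylk"}     # extensions to reject outright
SYLK_HEADER = b"ID;P"                       # every SYLK file begins with this record
# A SYLK cell record (C;...) whose expression field (E...) calls a macro function.
MACRO_CALL = re.compile(rb"^C;[^\n]*;E[^\n]*?(EXEC|CALL|REGISTER)\s*\(", re.I | re.M)


def triage_attachment(filename, data):
    """Return findings for one attachment as a list of strings (empty = nothing matched)."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {ext}")
    # Content check: a renamed SYLK file still starts with the ID;P record.
    if data.lstrip().startswith(SYLK_HEADER):
        findings.append("content is SYLK regardless of extension")
        for m in MACRO_CALL.finditer(data):
            findings.append(f"macro call {m.group(1).decode().upper()}() in a cell record")
    return findings


# Constructed sample: a SYLK file with one text cell and one formula cell
# that calls EXEC with a placeholder argument (not a real payload).
SAMPLE_SLK = (b"ID;PWXL;N;E\r\n"
              b'C;X1;Y1;K"Quarterly numbers"\r\n'
              b'C;X1;Y2;EEXEC("PLACEHOLDER-COMMAND")\r\n'
              b"E\r\n")

if __name__ == "__main__":
    for name, blob in (("report.slk", SAMPLE_SLK), ("report.xls", SAMPLE_SLK), ("notes.txt", b"hello")):
        print(name, triage_attachment(name, blob))
```

Blocking on the extension alone is the quick fix the text recommends; the header sniff is what closes the gap once a sender renames the file, and the macro-call scan tells the analyst whether a flagged file was merely old-format data or actually carried an executable formula.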

Phishing Attacks: Via Scraping Branded Microsoft Login Pages!

A recent phishing campaign uses the targets' company-branded Microsoft 365 tenant login pages to make its fake login pages look more believable.

Microsoft's own Azure Blob Storage and Azure Web Sites cloud services are also being used to host the phishing landing pages.

This leads users to think they are seeing a legitimate Microsoft page, which helps the criminals target Microsoft users and harvest their service credentials.

This phishing campaign is mostly about scraping organizations’ branded Microsoft 365 tenant login pages just to fool the targets.

The above observations were made as part of research by Rapid7's Managed Detection and Response (MDR) service team, say sources.

The criminals first go through a list of validated email addresses before redirecting the victims to the phony login pages.

The kit scrapes the target organization's tenant login page so that the fake page carries the genuine logos of the brand being copied.

If the target organization does not have a custom-branded tenant page, the phishing kit falls back to the default Office 365 background.

The same campaign's been launched at various different companies and organizations including in financial, insurance, telecom, energy and medical sectors.

Several indications suggest the phishing campaign is still active; in fact, someone appears to be updating it from time to time.

The "phisher" behind the campaign appears to be using "Lithuanian infrastructure".

Besides using the phony Microsoft page to steal credentials, the campaign also abuses cloud storage services to host its landing pages. The phishing kits were discovered in April this year.

IPFS gateways were also abused by phishing attempts using TLS certificates issued by Cloudflare, in October last year.

Per sources, organizations using Microsoft Office 365 should take the following measures at once:
·       Multi-factor authentication via Office 365 or a third-party solution for all employees.
·       Enrolling staff in phishing awareness training programs.
·       Training to help employees spot and report phishing attacks.