The most common phishing attacks can often be quite convincing, but some more technologically-aligned users recognize something isn’t right when they see that the login form is unsecured or the SSL certificate doesn’t match the company being impersonated.
Nevertheless, there is a new phishing attack that stores their phishing form on Azure Blob Storage, so that it is secured by a Microsoft SSL certificate, making its victims believe that they are indeed a legitimate website. The phishing attack is an Office 365-based attack.
Azure Blob storage is a service that allows for storing large amounts of unstructured object data, such as text or binary data. This data can then be accessed anywhere in the world using HTTP or HTTPS. When the user connects via HTTP or HTTPS, a SSL certificate will be displayed, making it difficult for even competent users to tell it’s a phishing attack.
Cloud security provider Nekskope recently uncovered this method being used. The attackers have been sending victims emails with a PDF attachment that pretend to be from a law firm in Denver. The attachments are innocently named “Scanned document. Please review” and contains a button to download the PDF. When the target clicks on the button they are brought to a HTML page masquerading as an Office 365 login form. The URL may trigger some savvy users to be suspicious, but the SSL may be enough to convinced them that this is a secured and legitimate Microsoft site.
At face value, seeing a Microsoft domain and a Microsoft-issued SSL certificate, on a site asking for Office 365 credentials is pretty strong evidence that the site is legitimate, and are likely enough to convince a user to enter their credentials.
Cyber Security Researchers have since reported the sites they discovered. But for added security and peace of mind, Netskope recommends that users always check the domain of the link and be aware of the domains typically used at login, particularly with sensitive services – such as banks and secure network domains for enterprises. Organizations should also keep systems and antiviruses updated with the latest releases and patches.