Deceptive phishing has been proliferating recently with campaigns appearing to come from the “Office 365 Team”. Phishing emails are warning recipients that there has been an unusual amount of file deletions occurring on their account. The phishing campaign pretends to be a warning from the Office 365 service that states a medium-severity alert has been triggered. It then goes on to say that there has been a high amount of file deletions occurring in their Office 365 account and that the user should review the alerts.
Analysis
- When the user is baited and enters their password, the email address and password are sent to https://moxxesd.azurewebsites.net/handler.php which is under the attacker’s control. This page will save the inputted credentials so that the phisher can retrieve them later.
- The landing page will then redirect a victim to the legitimate https://portal.office.com where they will be prompted to login again.
- Hosted on Azure, the site is secured with a certificate signed by Microsoft. This adds legitimacy to the scheme by making it appear as a Microsoft-sanctioned URL. Azure is increasingly being used by scammers for this purpose.
Recommendation on Office 365 phishing emails
- Closely examine phishing landing page URLs for suspicious domains. By hosting phishing pages on Azure, landing pages are now located on domains like windows.net and azurewebsites.net, and it gets a bit trickier.
- Microsoft accounts and Outlook.com logins; it is important to remember that the login forms will be coming from microsoft.com, live.com, microsoftonline.com, and outlook.com domains only. If you are presented with a Microsoft login form from any other URL it should be avoided.
- We recommend using a password manager that can help minimize the effects of both these approaches, as users can choose long, complex passwords that are difficult to attack via brute force and the application will not work with spoofed login pages.
- It is important that organisations employ techniques to block known phishing URLs at the business email and gateway level, block known emails from reaching networked users and to prevent user from reaching such urls via the web gateway.
- A compromised Microsoft password is likely to have critical consequences for the organisation.
