Fresh Spear-Phishing Email Spoofs Microsoft Domain
Researchers Say Fraudsters Are Likely Harvesting Office 365 Credentials
An ongoing spear-phishing campaign is spoofing the official Microsoft.com domain name and targeting users of the company's Office 365 suite, according to security firm Ironscales.
While the phishing emails have been located in a "few thousand mailboxes" to date, the Ironscales report finds that nearly 200 million users of Office 365 could be at risk since the messages originate with a spoofed domain that is an exact replica of the Microsoft.com domain.
The spear-phishing emails, so far, have targeted Office 365 users in the financial services, healthcare, insurance, manufacturing, utilities and telecom industries, according to the report. In this campaign, the fraudsters are likely attempting to harvest users' credentials.
"This spear-phishing campaign is putting companies at high risk since even the most savvy employees - those who know how to check sender addresses - are likely to perceive the message as legitimate," Lomy Ovadia, a researcher with Ironscales, noted in the report released Monday.
Exact Domain Spoofing Technique
In the phishing campaign that Ironscales uncovered, the fraudsters are deploying what the researchers call an "exact domain spoofing technique," which is when an email is sent from a fraudulent domain that is an exact match of the spoofed brand's domain.
"The attackers devised a realistic-looking email from sender 'Microsoft Outlook,' attempting to compel users to take advantage of a relatively new O365 capability which allows for reclaiming emails that have been accidentally marked as phishing or spam messages," researchers note.
The fraudulent messages are composed of urgent - and somewhat fear-inducing - language, intended to convince users to click on what is a malicious link without hesitation, according to the report.
"As inferred by the message, the link will redirect users to a security portal in which they can review and take action on 'quarantined messages' captured by the Exchange Online Protection (EOP) filtering stack, the new feature that has only been available since September," the Ironscales researchers note.
If a user clicks the link, they are directed to input their legitimate Office 365 login credentials on a fake login page, according to the report. From there, the usernames and passwords are harvested and likely then bundled and sold on darknet forums, according to the report.
The report notes that these phishing emails were able to bypass secure email gateways installed by the targeted companies to stop these types of attacks from happening.
"The reason why [secure email gateways] can traditionally stop exact domain spoofing is because, when configured correctly, this control is compliant with the domain-based message authentication, reporting & conformance (DMARC), an email authentication protocol built specifically to stop exact domain spoofing (SPF/DKIM)," according to the report.
In this case, however, the Ironscales researchers found that Microsoft servers are not currently enforcing the DMARC protocol, which means these exact domain spoofing messages are not being flagged by the security controls in Office 365, according to the report.
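To make concrete why DMARC enforcement matters for the exact domain spoofing the report describes, here is an added example (not code from the Ironscales report or from Microsoft) that models the receiver-side DMARC decision: parse the published policy, check SPF and DKIM identifier alignment against the visible From domain, and derive the disposition. The domain names, DNS records and authentication results are constructed for illustration; a real implementation would look the policy up in DNS and use the Public Suffix List for organizational domains.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed DMARC policy records, assumed for illustration only.
# A real policy is published as a TXT record at _dmarc.<domain>.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example-not-enforcing.test": "v=DMARC1; p=none; rua=mailto:reports@example-not-enforcing.test",
    "_dmarc.example-enforcing.test": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record (tag=value pairs separated by ';') into a dict,
    filling in the RFC 7489 defaults for policy and alignment modes."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy: none / quarantine / reject
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment: r(elaxed) or s(trict)
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Simplification: real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match with the From domain,
    relaxed needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain: what the recipient sees in the client
    spf_result: str    # "pass" / "fail" / "none" from the SPF check
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= domain of the DKIM signature that verified


def evaluate_dmarc(results: AuthResults, dns: Dict[str, str] = SAMPLE_DNS) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).
    dmarc_result is "pass", "fail", or "none" (no policy published);
    disposition is the action the receiver should take: "accept", "none",
    "quarantine" or "reject"."""
    record = dns.get(f"_dmarc.{results.from_domain.lower()}")
    if record is None:
        return ("none", "accept")   # nothing published, so nothing to enforce
    policy = parse_dmarc(record)
    # DMARC passes if EITHER SPF or DKIM passes AND that identifier aligns
    # with the From domain. An attacker's own infrastructure can pass SPF and
    # DKIM for the attacker's domain, but those identifiers do not align with
    # a spoofed brand domain in the From header.
    spf_ok = results.spf_result == "pass" and aligned(results.spf_domain, results.from_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(results.dkim_domain, results.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy["p"])


if __name__ == "__main__":
    # Constructed case: From header claims the brand domain, but SPF/DKIM only
    # authenticate the sending infrastructure's own (unrelated) domain.
    spoofed = AuthResults("example-not-enforcing.test", "pass", "sender-infra.test", "pass", "sender-infra.test")
    print(evaluate_dmarc(spoofed))   # fails alignment, but p=none means it is still delivered
    spoofed.from_domain = "example-enforcing.test"
    print(evaluate_dmarc(spoofed))   # same message against p=reject is refused
```

The two runs at the bottom show the point the report makes: the message fails DMARC in both cases, but the outcome depends entirely on the policy the spoofed domain publishes and on the receiving gateway honouring it. With `p=none` the receiver only reports and still delivers; with `p=reject` it refuses the message. Defenders can verify their own domain's posture by checking the `_dmarc` TXT record and confirming the gateway applies the published policy.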
A spokesperson for Microsoft tells Information Security Media Group: "Contrary to claims in the third-party report, Office 365 has rich in-built controls to block domain spoofing emails and enforces DMARC checks. We encourage all customers to make sure they have deployed the latest security controls in Office 365, enabled multi-factor authentication for Office 365, and train their end-users to observe caution when clicking on links from unknown senders."
Since the onset of the COVID-19 pandemic, security experts have warned that fraudsters and cybercriminals are increasingly using spoofed websites of prominent brands and government institutions.
In November, the FBI identified nearly 100 spoofed websites that use some incarnation of the agency's name. Fraudsters and other cybercriminals potentially could leverage these for disinformation campaigns and credential theft (see: Fraudsters Spoof FBI Domain).
Also in November, researchers at Abnormal Security uncovered a phishing campaign that spoofed the U.S. Internal Revenue Service domain in an attempt to trick targeted victims into sending money to fraudsters (see: IRS Domain Spoofed in Fraud Campaign).
In October, security firm Proofpoint found a phishing campaign that spoofed the U.S. Election Assistance Commission domain to harvest banking credentials, account data and vehicle identification information (see: Fraudsters Alter Election Phishing Scam).