Security researchers at PhishLabs have unearthed a new phishing campaign targeting Office 365 administrator accounts, in which fraudsters use multiple validated domains to send emails to targeted users and ask them to click on links within those emails.
The researchers found that fraudsters behind the campaign are using valid accounts belonging to legitimate organisations to send emails to Microsoft Office 365 administrator accounts in order to lure the handlers of such accounts to fill in their payment details and Office 365 login credentials in phishing pages.
By delivering emails from a legitimate organisation’s Office 365 infrastructure, the fraudsters hope to convince targeted users that such emails are neither malicious nor fraudulent. Also, once they are able to take over Office 365 administrator accounts, the fraudsters not only enjoy the elevated privileges of such accounts, but can also take over other email accounts on the domain.
After taking control over administrator accounts, fraudsters can also create new accounts within the organisation to abuse single-sign-on systems and can leverage the reputation of the compromised domain in order to send out a new wave of attacks, the researchers said.
They explained that this phishing campaign involves fraudsters gaining some level of administrative control over the sender’s Office 365 installation, creating a new account on the domain, and then sending phishing emails from the new account to Office 365 administrator accounts belonging to other organisations.
Enforcing MFA can prevent phishing attacks targeting Office 365 administrative accounts
“The creation of a separate account to distribute their phishing campaign is another technique used to avoid detection by the compromised organisation. By using a created account, the attacker does not need to worry about a legitimate user stumbling upon the malicious activity taking place, either by observing outgoing mail or receiving automated responses from failed delivery attempts,” they added.
“While a creative campaign, this type of attack is nothing new. Organisations are able to protect against attacks like these enforcing multi-factor authentication (MFA) within their corporate environments,” says Stuart Sharp, VP of solution engineering at OneLogin.
“Administrative accounts should be protected using strong MFA, such as hardware tokens or on-device biometrics to protect against more sophisticated OTP attacks. These solutions are currently the best methods by which organisations can protect themselves from such attacks, with MFA proven to prevent 99.9% of account takeovers,” he adds.
Javvad Malik, security awareness advocate at KnowBe4, says that the big challenge with these attacks is that the changing domains, the nature of the wording and even the hiding of malicious pages behind captchas make it extremely difficult, if not impossible, for technological offerings such as email gateways to effectively protect against them.
“Therefore, user awareness and training will remain the most effective and important step in protecting enterprises against such phishing attacks. Other controls that can help minimise the impact of compromised credentials include multi-factor authentication, and having good monitoring controls in place that can detect and raise alerts wherever suspicious activity is detected,” he adds.
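One form the monitoring Malik mentions can take, aimed at the technique the researchers describe (a freshly created account that immediately mails administrators at other organisations), is a correlation over the tenant's audit trail. The script below is an added example, not from PhishLabs or any vendor quoted here; the events and the tenant domain `example.org` are constructed, and the simplified tuple format is an assumption, not the real Office 365 audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit events (not the real Office 365 audit schema):
# (timestamp, operation, actor, target-user-or-recipient)
EVENTS = [
    ("2019-09-01T08:00:00", "UserAdded", "admin@example.org", "helpdesk2@example.org"),
    ("2019-09-01T08:05:00", "MailSent", "helpdesk2@example.org", "it-admin@victim-a.example"),
    ("2019-09-01T08:06:00", "MailSent", "helpdesk2@example.org", "o365admin@victim-b.example"),
    ("2019-09-01T08:07:00", "MailSent", "helpdesk2@example.org", "admin@victim-c.example"),
    ("2019-09-01T09:00:00", "MailSent", "alice@example.org", "bob@partner.example"),
    # An account created a month earlier: same volume, but outside the window.
    ("2019-08-01T10:00:00", "UserAdded", "admin@example.org", "newhire@example.org"),
    ("2019-09-01T10:00:00", "MailSent", "newhire@example.org", "x@victim-d.example"),
    ("2019-09-01T10:01:00", "MailSent", "newhire@example.org", "y@victim-e.example"),
    ("2019-09-01T10:02:00", "MailSent", "newhire@example.org", "z@victim-f.example"),
]

OWN_DOMAIN = "example.org"  # constructed tenant domain


def find_suspicious_new_senders(events, own_domain=OWN_DOMAIN,
                                window=timedelta(hours=24), min_external=3):
    """Return {sender: distinct external recipients} for accounts that mailed at
    least `min_external` distinct addresses outside `own_domain` within `window`
    of their creation. Two passes, so event order does not matter."""
    created = {}
    for ts, op, _actor, target in events:
        if op == "UserAdded":
            created[target] = datetime.fromisoformat(ts)

    external = defaultdict(set)
    for ts, op, actor, rcpt in events:
        if op != "MailSent" or actor not in created:
            continue
        if rcpt.rsplit("@", 1)[-1].lower() == own_domain:
            continue  # internal mail is not the signal we are after
        age = datetime.fromisoformat(ts) - created[actor]
        if timedelta(0) <= age <= window:
            external[actor].add(rcpt)

    return {a: len(r) for a, r in external.items() if len(r) >= min_external}


if __name__ == "__main__":
    for sender, count in find_suspicious_new_senders(EVENTS).items():
        print(f"ALERT: new account {sender} mailed {count} external recipients")
```

Tune `window` and `min_external` to the tenant's normal onboarding pattern; the point is the join between account creation and outbound mail, which neither event shows on its own.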