8 December 2020

A large-scale phishing campaign aimed at millions of Microsoft 365 users across the globe

A new global phishing campaign is under way targeting an estimated 200 million Microsoft Office 365 users around the world, concentrated in the financial services, healthcare, insurance, manufacturing, utilities and telecom sectors, according to a new report from Ironscales.

The researchers said they spotted the well-organized campaign two weeks ago. It relies on exact domain spoofing: the visible From address carries the spoofed brand's real domain rather than a look-alike, so nothing in the sender line gives the message away. This particular attack involves a realistic-looking email from sender "Microsoft Outlook" that urges recipients to use an Office 365 feature for "reclaiming emails that have been accidentally marked as phishing or spam messages."

Using "fear-inducing" language, the phishing email tries to get users to click a malicious link in the message. The link purports to take them to a security portal where they can review and act on "quarantined messages" caught by the Exchange Online Protection (EOP) filtering stack; in reality it leads to a fake login page built to capture the victim's legitimate Office 365 credentials.

“Once the link is clicked, users are asked to input their legitimate O365 login credentials on a fake login page, mistakenly believing that they are providing their private information to Microsoft online. Unbeknown to them, attackers are harvesting these credentials (usernames and passwords), most often to illegally obtain proprietary or confidential information, enact financial fraud or to sell online,” the report said.

The researchers noted that Microsoft's inbound mail servers are not enforcing DMARC for the spoofed domain, so these exact-domain spoofs are not being rejected by gateway controls such as Office 365 EOP and ATP. DMARC passes only when SPF or DKIM passes for a domain aligned with the From header domain; a message sent from attacker infrastructure with a From address on the spoofed domain and no aligned DKIM signature fails that check, and a receiver honouring a p=reject policy would refuse it at SMTP time. Microsoft's own documentation states that EOP treats an inbound p=reject policy like p=quarantine, marking the failing message as spam instead of rejecting it.

“Any other email service that respects and enforces DMARC would have blocked such emails. It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure,” the researchers said.
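The DMARC evaluation the researchers are describing, as an added example that is not part of the Ironscales report or any Microsoft code: the script takes a received message's From domain and the SPF and DKIM verdicts a gateway recorded in its Authentication-Results header, applies RFC 7489 identifier alignment against the sender domain's published policy, and then shows the difference between a gateway that honours p=reject and one that downgrades it to quarantine. The domains (brand.example, attacker.example, target.example), the DMARC record table and both sample messages are constructed for the example; the organizational-domain logic is simplified to the last two labels in place of a Public Suffix List lookup.

```python
"""DMARC check of an inbound message from its From: domain and the SPF/DKIM
verdicts in its Authentication-Results header (RFC 7489 / RFC 8601).
Added example, not Ironscales' or Microsoft's code; DNS is replaced by an
inline table of constructed records so it runs offline."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the _dmarc.<domain> TXT lookup (not a real brand's record).
DMARC_RECORDS = {"brand.example": "v=DMARC1; p=reject; adkim=r; aspf=r"}

def parse_dmarc(record):
    """'v=DMARC1; p=reject; adkim=s' -> tag dict, RFC 7489 defaults filled in."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (RFC 7489 wants a
    Public Suffix List lookup; this is wrong for e.g. example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match with the From domain. Relaxed ('r'): same
    organizational domain, so a brand subdomain may authenticate for the brand."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Return (spf_result, spf_domain, [(dkim_result, d_domain), ...]) from a
    possibly folded Authentication-Results header."""
    flat = " ".join(header.split())
    spf = re.search(r"spf=(\w+)(?:\s*\([^)]*\))?\s+smtp\.mailfrom=(\S+)", flat)
    spf_result, spf_domain = "none", ""
    if spf:  # smtp.mailfrom may be a bare domain or a full address; keep the domain
        spf_result = spf.group(1).lower()
        spf_domain = spf.group(2).rstrip(";").rpartition("@")[2]
    dkim = re.findall(r"dkim=(\w+)(?:\s*\([^)]*\))?\s+header\.d=(\S+)", flat)
    return spf_result, spf_domain, [(r.lower(), d.rstrip(";")) for r, d in dkim]

def evaluate(from_domain, spf_result, spf_domain, dkim_results, record):
    """DMARC passes if SPF passed for an aligned domain or any DKIM signature
    verified for an aligned d= domain. Returns (result, requested policy)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags["adkim"])
                  for res, d in dkim_results)
    return ("pass" if spf_ok or dkim_ok else "fail"), tags["p"]

def disposition(result, policy, reject_as_quarantine=False):
    """Receiver action. reject_as_quarantine models a gateway that junks, rather
    than refuses, mail that fails a p=reject policy."""
    if result == "pass" or policy == "none":
        return "deliver"
    if policy == "reject" and not reject_as_quarantine:
        return "reject"
    return "quarantine"

def check_message(raw, reject_as_quarantine=False):
    """End-to-end check of a raw RFC 5322 message against DMARC_RECORDS."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:  # no policy published: DMARC does not apply
        return {"from_domain": from_domain, "dmarc": "none", "action": "deliver"}
    verdicts = parse_auth_results(msg.get("Authentication-Results", ""))
    result, policy = evaluate(from_domain, *verdicts, record)
    return {"from_domain": from_domain, "dmarc": result, "policy": policy,
            "action": disposition(result, policy, reject_as_quarantine)}

# Constructed exact-domain spoof: the From: domain is the brand's own, the
# envelope sender is attacker infrastructure and nothing is DKIM-signed.
SPOOF = """\
Authentication-Results: mx.target.example;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=attacker.example;
 dkim=none
From: "Microsoft Outlook" <no-reply@brand.example>
Subject: You have quarantined messages to review

Review them here: https://portal.attacker.example/login
"""

# Constructed genuine message: sent and DKIM-signed by brand subdomains, so it
# passes only because the record uses relaxed alignment.
GENUINE = """\
Authentication-Results: mx.target.example;
 spf=pass smtp.mailfrom=bounce.brand.example;
 dkim=pass header.d=mail.brand.example header.s=sel1
From: "Brand Notifications" <no-reply@brand.example>
Subject: Weekly digest

Nothing suspicious here.
"""
```

Running `check_message(SPOOF)` yields a DMARC fail with action "reject", while `check_message(SPOOF, reject_as_quarantine=True)` yields "quarantine": the same failing message either never reaches the mailbox or lands in junk where a user can still be talked into "releasing" it. The genuine sample passes only because the record sets adkim=r; a brand that signs from subdomains and publishes adkim=s would fail its own mail, which is why alignment mode is worth checking before tightening a policy.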
