A sophisticated phishing campaign has managed to evade built-in Microsoft security defences, hoping to steal O365 credentials.
This phishing campaign wanting to steal Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers have revealed.
Researchers at Armorblox found invoice-themed emails sent to at least 20,000 mailboxes that pretend to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly neutral subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” & contain a link to download an “invoice” from the cloud.
Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that is hosted on Google Firebase. That page is a phishing page, designed to harvest Microsoft log-in information, secondary email addresses & phone numbers.
The attackers could use this information to take over accounts & steal information, but they could create further chaos as well.
“Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances & family members,” states Armorblox.
Microsoft O365 Attack Flow
The link in the email claims to download a file called “Payment Notification – PDF.” It takes users to a landing page, which researchers observed has a supposed “download” button on the top right.
Hovering over the link shows that the file is hosted on Google Firebase, which is a development environment for building custom web & mobile apps – for, say, internal enterprise use.
“The downloaded ‘invoice’ might have PDF in its file name, but it’s actually an HTML file,” explained Armorblox researcher Rajat Upadhyaya, in a blog on Thurs. “Opening an HTML file loads an iframe with Office 365 branding. The page displays a thumbnail along with a link to view the invoice.”
Clicking the thumbnail or “View File” link leads to the final phishing page, asking victims to log in with their Microsoft credentials, & asks them to provide alternate email addresses or phone numbers – an effort to collect data that could be used to get around 2-factor authentication (2FA) or account recovery mechanisms.
After the details are loaded, the login portal reloads with an error message, asking the user to enter correct details.
“This might point to some backend validation mechanism in place that checks the veracity of entered details,” Upadhyaya commented. “Alternately, attackers might be looking to harvest as many email addresses & passwords as possible & the error message will keep appearing regardless of the details entered.”
Bypassing E-mail Security
This campaign is notable for the variety of tactics employed to avoid email security defences.
“This email attack bypassed native Microsoft email security controls,” the researcher noted. “Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to this email, which meant that Microsoft did not determine the email as suspicious & delivered it to end-user mailboxes.”
The redirect flow is complex, which helps mask the malicious nature of the messages, according to Upadhyaya, who noted that this kind of obfuscation is a common method to defeat security defences that check for fake login pages.
“Clicking the email link goes through a redirect & lands on a page with the parent domain ‘mystuff[.]bublup[.]com,’” he explained.
“The redirect has the parent domain ‘nam02[.]safelinks[.]protection[.]outlook[.]com’, showing that the link was rewritten by native Microsoft security controls even though it was a malicious link.”
By hosting the phishing page HTML on Google Firebase, a very trusted domain, the emails were able to sneak past built-in Microsoft security filters, including Exchange Online Protection (EOP) & Microsoft Defender for Office 365.
“Reputed URLs like that of Firebase will fool people (& email security technologies) into thinking that clicking the link will retrieve the invoice whose thumbnail is displayed,” the researcher stated.
Firebase has been used in earlier attacks; for instance, in 2020 a series of phishing campaigns using Google Firebase storage URLs emerged, revealing that cybercriminals continue to use the reputation of Google’s cloud infrastructure to fool victims & bypass secure email gateways.
The emails also passed authentication & anti-spoofing measures using a mass-email system used for newsletters & other legitimate communications.
“The email was sent from a personal Gmail account via SendGrid,” Upadhyaya commented. “This resulted in the email successfully passing authentication checks such as SPF, DKIM & DMARC.”
DMARC (Domain-based Message Authentication, Reporting & Conformance) is considered the industry standard for email authentication to prevent attackers from sending mails with counterfeit addresses.
It does so by authenticating the sender’s identity before allowing the message to reach its intended designation & verifying that the purported domain of the sender has not been impersonated.
Mitigate Email Threats
To create better protection against email-borne threats, employees should be trained to engage with emails related to money & data with an “eye test” that includes inspecting the sender name, sender email address, language within the email & any logical inconsistencies within the email (i.e., if a supposed PDF file has an HTML extension), according to Armorblox.
Other defences include implementing 2FA & implementing password management best practices.