Microsoft-Related Lures Make-Up Half of Credential-Swiping Phishing Emails!

As more organisations move to Office 365, cyber-criminals are using Outlook, Teams & other Microsoft-themed phishing lures to swipe user credentials.

Nearly half of phishing attacks in 2020 aimed to steal credentials using Microsoft-related lures – from the Office 365 enterprise service line-up to its Teams collaboration platform.

According to a report published Tuesday by Cofense, which analysed millions of emails related to various attacks, 57% were phishing emails aiming to steal victims' usernames & passwords. The remainder of the malicious emails were used in business email compromise (BEC) attacks or for malware delivery.

Office 365

Of those phishing emails, 45% were Microsoft-themed, researchers observed: cyber-criminals are relying on Microsoft-themed lures for the emails themselves, & the phishing landing pages that follow either spoof legitimate Microsoft domains or are hosted on legitimate Microsoft services.

“With the number of organisations migrating to Office 365, targeting these credentials allows the threat actor to gain access to the organisation as a legitimate user to go undetected,” researchers with Cofense explained.

They added that they “highly recommend organisations enable multi-factor authentication along with their Office 365 migration/ implementation.”

Microsoft Users Under Attack

Malicious email lures can vary; it could be a straightforward “‘Joe wants to share a document with you’ SharePoint alert you would normally see from Microsoft,” researchers explained — or it could be a simple attached file that includes a link to a website asking users to login with Microsoft credentials.

One phishing campaign in Oct. pretended to be an automated message from Microsoft Teams telling victims they had a missed Teams chat. In reality, the attack aimed to steal Office 365 recipients’ login credentials.

Embedded URLs

Another Dec. attack used embedded URLs that redirected to fake, never-seen-before Microsoft Office 365 phishing pages. The attack started with emails impersonating businesses like eFax, which is an internet fax service that allows users to receive faxes via email or online.

“We also see cyber-criminals giving the user options to choose from the most commonly used email platforms,” outlined researchers. “The phishing emails often contain URLs hosted on legitimate domains that maintain a broad consumer base to avoid being blocked by content rules & filters.”

According to researchers, beyond the 45% of credential-stealing phishing attacks targeting Microsoft, the next-largest category was “generic”, meaning no specific brand was associated with either the email or the landing page asking the recipient to log in.

Google Forms

However, beyond Microsoft’s trusted collaboration services such as SharePoint, OneDrive or Office 365, researchers said they have seen other cloud provider products being leveraged in attacks. This includes Google (such as Google Forms), Adobe & file-sharing services.

“Other popular brands we observed asking for credentials were other various cloud hosting services such as Adobe, Dropbox, Box, DocuSign or WeTransfer,” researchers stated.

“Threat actors have been able to scour the internet looking for file-sharing websites that are deemed ‘business related’ in order to make it past the secure email gateway controls, as well as the web proxy filters.”

Finance-Related Attacks

Researchers found that almost 17% of the emails identified as malicious were related to a financial transaction.

Many of these phishing emails relate to invoices & transactions that employees handle as part of their work. One such attack involved invoice-themed emails sent to at least 20,000 mailboxes that pretended to share information about an electronic funds transfer (EFT) payment.

The emails, found earlier this month, carried a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” & contained a link to download an “invoice” from a cloud-hosting service.
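The lure patterns described so far (Microsoft-themed text whose links lead to non-Microsoft hosts, credential pages or "invoices" staged on legitimate file-sharing services to slip past reputation filters, and finance-themed subjects with a download link) can be turned into simple triage heuristics. The following Python script is an added example written for this article, not code from Cofense or its report; the host lists, keyword lists and the four sample emails are constructed assumptions, and the macro-attachment check anticipates the weaponised-document delivery discussed later in the piece.

```python
"""Heuristic triage of phishing lures of the kinds described in the article.

Example code added to illustrate the article; not from Cofense. Host lists,
keyword lists and sample messages are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse

# Domains Microsoft itself uses for sign-in and collaboration
# (assumption: a representative subset, not an authoritative list).
MICROSOFT_HOSTS: Tuple[str, ...] = (
    "microsoft.com", "microsoftonline.com", "office.com", "office365.com",
    "sharepoint.com", "live.com", "1drv.ms",
)

# Legitimate sharing / form / e-signature services the article says are abused
# to stage credential pages and payloads so that links pass reputation filters.
ABUSED_SHARING_HOSTS: Tuple[str, ...] = (
    "docs.google.com", "drive.google.com", "forms.gle", "dropbox.com",
    "box.com", "wetransfer.com", "docusign.net", "adobe.com",
    "1drv.ms", "live.com",
)

MICROSOFT_WORDS = re.compile(
    r"\b(office ?365|sharepoint|onedrive|teams(?: chat)?|outlook)\b", re.I)
FINANCE_WORDS = re.compile(
    r"\b(invoice|payment|transfer|eft|remittance|wire)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MACRO_EXTS = (".xls", ".xlsm", ".doc", ".docm")  # formats that can carry VBA


@dataclass
class Email:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _matches(host: str, suffixes: Tuple[str, ...]) -> bool:
    """True if host equals one of the suffixes or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(msg: Email) -> List[str]:
    """Return human-readable findings; an empty list means no lure pattern matched."""
    text = f"{msg.subject}\n{msg.body}"
    hosts = [_host(u) for u in URL_RE.findall(text)]
    findings: List[str] = []
    ms_themed = bool(MICROSOFT_WORDS.search(text))
    finance = bool(FINANCE_WORDS.search(text))

    # Microsoft-branded text whose links do not go to Microsoft at all.
    if ms_themed:
        foreign = sorted({h for h in hosts if h and not _matches(h, MICROSOFT_HOSTS)})
        if foreign:
            findings.append(
                f"Microsoft-themed lure links to non-Microsoft host(s): {foreign}")

    # Invoice / payment themes pointing at a file-sharing service, or at any
    # external link at all.
    if finance:
        staged = sorted({h for h in hosts if _matches(h, ABUSED_SHARING_HOSTS)})
        if staged:
            findings.append(
                f"finance-themed lure points at legitimate sharing service(s): {staged}")
        elif hosts:
            findings.append("finance-themed lure carries an external link")

    # Office attachments that can carry macros (GuLoader-style delivery).
    macro = [a for a in msg.attachments if a.lower().endswith(MACRO_EXTS)]
    if macro:
        findings.append(f"macro-capable Office attachment(s): {macro}")
    return findings


# Constructed sample messages modelled on the lures the article describes.
SAMPLES = [
    Email("You have a missed Teams chat",
          "Open Microsoft Teams to reply:\nhttps://teams-notify.example.net/login"),
    Email("TRANSFER OF PAYMENT NOTICE FOR INVOICE",
          "Please download the invoice for your EFT payment:\n"
          "https://www.dropbox.com/s/constructed/invoice.pdf"),
    Email("Invoice 4471 overdue", "Details in the attached sheet.",
          ["Invoice_4471.xlsm"]),
    Email("Team lunch on Friday", "Menu: https://intranet.example.com/lunch"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.subject, "->", triage(sample) or "clean")
```

These are triage signals rather than verdicts: a genuine SharePoint notification will pass, but a legitimate supplier sharing an invoice via Dropbox will be flagged, which is the trade-off the article's observation about "business related" file-sharing sites implies. In production the host lists would be fed from a maintained brand/service inventory and the score combined with sender authentication results rather than used alone.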

Extreme Pressure

These sorts of attacks work because “finance teams are under extreme pressure to process invoices & payments in a timely fashion to keep the business running, especially during month or quarter-end when financial reporting is critical,” stated researchers.

“So, if a user hasn’t heard anything back about the email they reported, they will most likely interact with that message.”

GuLoader Malware

Researchers found that in 2020, the GuLoader dropper rose as one of the top malware delivery mechanisms in email attacks.

The malware, which first appeared in the first quarter of 2020 & surged during the second, is used to deliver remote administration tools, keyloggers, credential stealers & other malware families.

For instance, one June email campaign targeted mid-level employees across Austria, Germany & Switzerland with malicious Excel attachments. When opened with macros enabled, the Excel attachments would download & execute GuLoader, which in turn would download & execute the Hakbit ransomware.

Useful Tool

The malware’s anti-analysis techniques make it a useful tool for cyber-criminals seeking to evade network- & email-security detections. For example, the malware contains bogus code instructions designed to defeat analysis tools, & a wide variety of checks to avoid executing in virtual or sandbox environments, stated researchers.

Attackers behind the malware also store their malicious payloads on cloud platforms like Google Drive or Microsoft OneDrive – & since they are legitimate services, they are not frequently blocked.

Weaponised Office Documents

“While GuLoader is an executable, it is normally deployed through weaponised office documents that are built to bypass security controls & download the malware directly from the victim’s computer system,” explained researchers.

“GuLoader’s continued evolution of sophisticated delivery & execution techniques make it increasingly useful in delivering threats.”
