What is the threat?
As part of an ongoing phishing campaign abusing Microsoft Azure Blob Storage, attackers are now able to create more legitimate-looking phishing emails through Office 365. The tactic lets attackers spoof email addresses so that a message appears to the target to have been sent from their own address. The link in these emails leads to a website that matches the original URL and visuals so closely that the phishing attack is very difficult for the user to spot.
Why is this noteworthy?
The domains used in these emails are hosted under Microsoft domains, which means they have a valid SSL certificate and appear to be legitimate websites. Because the websites display the secure padlock symbol and have a Microsoft domain as part of their URL, it is very difficult for a user to identify them as a phishing attempt: all of the common indicators of such an attack appear normal. Currently, the only way to mitigate these phishing attacks is to set up rules for Office 365.
What is the exposure or risk?
The risk from a successful phishing attempt of this kind is exposure of the user’s login credentials. Once the attacker has the credentials, they could set up email forwarding rules, alter account information, and gain access to other personal and sensitive information from the target’s email and other accounts, depending on which services the email is linked to.
What can you do?
SkOUT recommends that customers using Microsoft Office 365 mail services create rules designed to block such phishing attacks, regardless of whether they are currently a premium member. The step-by-step process of setting up rules to prevent these phishing attacks is provided in the links in the reference section below. Additionally, we recommend enabling multi-factor authentication so that if a user’s credentials are compromised, their account is still protected by an additional layer of security.
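The traits described above (a sender address that matches the recipient, and a link to a Microsoft-hosted blob endpoint whose certificate and domain look normal) can be checked mechanically during mail triage. The following is an added example, not SkOUT's rule set and not taken from the referenced links; it assumes blob endpoints use the `blob.core.windows.net` suffix and that the receiving gateway records an `Authentication-Results` header, and the `triage` function and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: blob endpoints are <account>.blob.core.windows.net (3-24 lowercase alphanumerics).
BLOB_URL = re.compile(
    r"https?://([a-z0-9]{3,24}\.blob\.core\.windows\.net)(?=[/:?#\s\"'<>]|$)", re.I)
# Assumption: the receiving gateway stamps an RFC 8601 Authentication-Results header.
AUTH_FAIL = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail|none)\b")

def _addresses(msg, *headers):
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def _body_text(msg):
    chunks = []
    for part in msg.walk():  # decode=True undoes base64 / quoted-printable bodies
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Score one raw RFC 5322 message against three traits of this campaign."""
    msg = message_from_string(raw)
    self_sent = bool(_addresses(msg, "From") & _addresses(msg, "To", "Cc"))
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    auth_failed = bool(AUTH_FAIL.search(auth))
    hosts = sorted({h.lower() for h in BLOB_URL.findall(_body_text(msg))})
    score = int(self_sent) + int(auth_failed) + int(bool(hosts))
    verdict = {3: "quarantine", 2: "review"}.get(score, "allow")
    return {"self_sent": self_sent, "auth_failed": auth_failed,
            "blob_hosts": hosts, "verdict": verdict}

# Constructed sample messages (not taken from the campaign).
_HEAD = "From: alice@example.com\nTo: alice@example.com\nSubject: Action required\n"
_FAIL = "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\n"
_PASS = "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
_HTML = 'Content-Type: text/html; charset=utf-8\n\n<a href="https://%s/docs/index.html">Review</a>\n'
SPOOFED = _HEAD + _FAIL + _HTML % "constructedacct01.blob.core.windows.net"
# The suffix only appears inside a longer host name, so it is not a blob endpoint.
LOOKALIKE = _HEAD + _FAIL + _HTML % "constructedacct01.blob.core.windows.net.example.test"
BENIGN = _HEAD + _PASS + "Content-Type: text/plain\n\nReminder: renew the certificate on Friday.\n"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(name, triage(raw))
```

A genuine note-to-self passes authentication and scores only one trait, which is why the sender match alone is not treated as a verdict.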
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Secure Intelligence Center.