A new alert from Microsoft of a spate of phishing attacks designed to steal Office 365 user names and credentials via a series of malicious redirects has prompted warnings from across the security community.
First flagged on 26 August, the campaign uses open redirector links, combined with social engineering lures impersonating Office 365, to tempt users into clicking a link. Open redirects have common legitimate uses – for example, sending customers to a landing page or tracking email click rates – but here a series of them takes the victim to a malicious Google reCAPTCHA verification page, and from there to a fake Office 365 sign-in page, where the unlucky are relieved of their credentials. The victim is then redirected to another fake page, purporting to be Sophos, to lend extra legitimacy to the enterprise.
Microsoft also warned that one common method of avoiding clicking on a phish – hovering your cursor over the link to see the full URL – is in this case ineffective, as the malicious actors behind the campaign have set up open redirects using a legitimate service.
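To illustrate why hovering over the link is no help here, the following Python is an added example (not code from Microsoft or the article) that statically unwraps nested open-redirect parameters from a constructed sample URL and compares the host a user would see with the final destination; the parameter names and hostnames are assumptions, and no network request is made.

```python
from urllib.parse import urlparse, parse_qs

# Query-parameter names commonly used by redirect endpoints to carry the next hop.
# Assumption: a representative list, not an exhaustive one.
REDIRECT_PARAMS = ("url", "redirect", "redirect_url", "target", "u", "next", "dest", "returnurl")


def next_hop(url):
    """Return the absolute http(s) URL embedded in a redirect parameter, or None."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query, keep_blank_values=True)  # parse_qs percent-decodes once
    for name in REDIRECT_PARAMS:
        for candidate in query.get(name, []):
            if urlparse(candidate).scheme in ("http", "https"):
                return candidate
    return None  # relative targets (e.g. next=/account) are not followed


def unwrap_redirect_chain(url, max_hops=10):
    """Statically follow nested redirect parameters and return every hop, first to last."""
    chain = [url]
    while len(chain) <= max_hops:
        hop = next_hop(chain[-1])
        if hop is None or hop in chain:  # stop at the end of the chain or on a loop
            break
        chain.append(hop)
    return chain


def hover_mismatch(url):
    """(visible host, final host, flag): flag is True when the hover text hides the real destination."""
    chain = unwrap_redirect_chain(url)
    visible = urlparse(chain[0]).hostname
    final = urlparse(chain[-1]).hostname
    return visible, final, visible != final


# Constructed sample: a legitimate-looking tracking link wrapping a second redirector,
# which in turn wraps the fake CAPTCHA page. Hostnames use the reserved .test TLD.
SAMPLE = (
    "https://tracking.example-mailer.test/click?u="
    "https%3A%2F%2Fredirect.example-cdn.test%2Fgo%3Furl%3D"
    "https%253A%252F%252Fcaptcha-check.example-phish.test%252Fverify"
)

if __name__ == "__main__":
    for hop in unwrap_redirect_chain(SAMPLE):
        print(hop)
    print(hover_mismatch(SAMPLE))
```

Running it over real mail logs would flag links whose visible host differs from the unwrapped final host, which is exactly the gap the hover check misses.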
Microsoft gave no indication of who might be behind the campaign, or how the compromised data may be being used, but did provide various indicators of compromise (IOCs) and samples of both the malicious Office 365 emails and the malicious domains, to help security teams stay on their guard.
ProPrivacy’s Adam Drapkin said several elements of this campaign should make it particularly concerning, such as the multi-layered redirects and spoof pages designed to reassure victims that they are not doing anything wrong, and the fact that the malicious actors behind it have neutralised one of the most widely known anti-phishing tactics.
“This story illustrates the perpetual arms race between scammers, with their increasingly sophisticated tricks, and consumers, who are becoming more and more educated on phishing techniques,” he said. “This is a prime example of why individuals and businesses need to stay on the front foot with education – what is a good practice today could be a bad practice tomorrow.”
KnowBe4 security awareness advocate Javvad Malik added: “Criminals continue to evolve their techniques and tactics to ensure their phishing campaigns are more successful. Using redirects or hiding behind CAPTCHAs is a good way to bypass link verification checks or other tools. This is why it’s important for organisations to remember that no matter how good a particular technology is today, it won’t necessarily be effective all the time in the face of ever-changing threats.
“So, implementing a robust security awareness and training plan is essential to help users identify and be able to report any suspected phishing emails.”
Sectigo chief compliance officer Tim Callan said the risk from phishing had become particularly acute in the “new normal” of remote or hybrid working.
“Massively distributed workforces and the proliferation of IoT [internet of things] in this Covid-19 world have created lush ground for bad actors to carry out attacks,” he said. “It is imperative that employees understand the basics of digital identity and digital hygiene and are trained to recognise social engineering attempts like phishing.”
But the problem was bigger than just phishing, said Callan. “These attacks shine a light on the zero-trust discourse, and the need for wider-scale usage of strong authentication mechanisms such as client certificates,” he said. “Zero-trust principles must be at the core, so enterprises can trust their own network the same way they trust the hostile public internet – which means with extreme caution.
“The bad guys have multiple ways in, and don’t end there once they have a foothold. With the cloud, hybrid networking and network segmentation, a company’s data is probably crossing more than one hostile network boundary. Strong authentication is a place to start, and digital identities are the new perimeter.”
ProPrivacy’s Drapkin added that one further consequence of this latest campaign may be that Google might act on securing shortened URLs. “A marketing tool they are, but exactly how much abuse of this will Google take before some sort of modification is made?” he said.