Office 365 Phishing Campaign Exploits Servers

Swami Nathan Thu, 07/16/2020 - 14:05

The use of Office 365 in the business sector has grown significantly in the last few years. Its success has attracted the attention of cybercriminals, who run phishing campaigns aimed specifically at the platform. As 90 percent of cyber-attacks begin with a phishing campaign, Office 365 is an enticing target for threat actors seeking to circumvent the security solutions that are continuously being put in place.

Office 365 phishing campaign exposed

An apparently unimaginative Office 365 phishing campaign recently caught our attention. The attackers abused an Adobe Campaign redirection mechanism, using a Samsung domain to redirect victims to an Office 365-themed phishing website. The hackers benefit from the fact that protection software does not block access to a reputable domain, such as Samsung’s.

To extend their operation, the attackers also compromised several websites and inserted a script that imitates the mechanism provided by the Adobe redirection service. Further research revealed that the actors behind the campaign used a few other notable techniques to hide the phishing kit at each stage of the attack and avoid detection. This report summarises what we learned about this Office 365 phishing campaign, which used trusted infrastructure to enable a new attack.

Neither Adobe nor Samsung was compromised through the exploitation of a flaw. Samsung’s Adobe Campaign server was left open to handle campaigns that were not actually part of the organisation’s marketing activities.

A redirection function sends users to a destination specified in the URL they just clicked on. For example, this enables campaign managers to gauge and track ongoing promotional activities by logging each visit before redirecting the user to an ad page.

Oxford's Hijacked E-mail Server

In early April 2020, researchers started to observe emails sent to victims titled “Office 365 Voice Mail”. The emails claimed that an incoming voice message was waiting in the victim’s voice portal and encouraged users to click on a button that would allegedly take them to their Office 365 account for further action. After clicking the button, the victims were redirected to a phishing page masquerading as the Office 365 login page.

Most of the emails came from multiple generated addresses belonging to legitimate subdomains of various University of Oxford departments. The email headers indicate that the hackers found a way to abuse one of Oxford’s SMTP (Simple Mail Transfer Protocol) servers, an application mainly intended to send, receive, and/or relay outgoing mail between email senders and receivers. Using legitimate Oxford SMTP servers allowed the hackers to pass the reputation checks required by sender domain security measures.
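Because the lure passes sender authentication, a mail filter has to compare what the message claims to be with the domain that was actually authenticated. The sketch below is an added example, not taken from the original research; the sample message, the allowlist of Microsoft sender domains and the `triage` function are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this gateway accepts as genuine Microsoft senders.
BRAND_DOMAINS = {"microsoft.com", "office.com", "office365.com", "microsoftonline.com"}
BRAND_RE = re.compile(r"office\s*365|microsoft", re.I)

# Constructed message modelled on the lure described above; every value is made up.
SAMPLE = """\
From: Voice Portal <vm-8f3a@dept.university.example>
To: user@victim.example
Subject: Office 365 Voice Mail
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=dept.university.example; dkim=pass header.d=university.example
Content-Type: text/plain

You have a new voice message. Click the button to listen.
"""


def triage(raw):
    """Flag mail that authenticates cleanly but impersonates another brand."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Only trust the Authentication-Results header stamped by your own gateway.
    auth = msg.get("Authentication-Results", "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    claims_brand = bool(BRAND_RE.search(msg.get("Subject", "") + " " + msg.get("From", "")))
    from_brand = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    return {
        "sender_domain": domain,
        "auth_pass": results.get("spf") == "pass" or results.get("dkim") == "pass",
        "brand_mismatch": claims_brand and not from_brand,
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message with `auth_pass` and `brand_mismatch` both true is the case described above: the sending domain is real and reputable, but it is not the brand named in the subject.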

Samsung's Trusted URL redirects

During the past year, phishing campaigns have used Google and Adobe open redirects to add credibility to the URLs used in spam emails. An open redirect is a URL on a website that anybody can use to redirect users to a specific location. In this case, the links in the email redirect to an Adobe server previously used by Samsung during a marketing campaign for Cyber Monday 2018. In other words, the link embedded in the original phishing email is part of the trusted Samsung domain, one that unknowingly redirects victims to a hacker-hosted website. By using the same Adobe Campaign link format and the legitimate domain, the attackers improved the email’s chances of circumventing reputation-based email protection solutions, blacklists and URL patterns.
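The difference between a tracking redirect that is left open and one restricted to the organisation's own landing pages can be shown in a few lines. This is an added example, not code from Adobe Campaign or from the original research; the `dest` parameter name, the hosts and the fallback URL are assumptions, and the sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions: "dest" parameter name, hosts and fallback are made up for this sketch.
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
FALLBACK = "https://www.example.com/"
visit_log = []  # stands in for the campaign analytics store


def _destination(tracking_url):
    """Pull the requested landing page out of the clicked tracking link."""
    return parse_qs(urlsplit(tracking_url).query).get("dest", [FALLBACK])[0]


def open_redirect(tracking_url):
    """Weak pattern: log the visit, then send the user wherever the link says."""
    dest = _destination(tracking_url)
    visit_log.append(("hit", dest))
    return dest


def safe_redirect(tracking_url):
    """Hardened pattern: honour only https destinations on allowlisted hosts."""
    dest = _destination(tracking_url)
    try:
        parts = urlsplit(dest)
        # .hostname drops userinfo and port, so "shop.example.com@phish.test"
        # is judged by its real host, phish.test.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        parts, host = None, ""
    if parts is None or parts.scheme != "https" or host not in ALLOWED_HOSTS:
        visit_log.append(("rejected", dest))
        return FALLBACK
    visit_log.append(("hit", dest))
    return dest


# Constructed links: one real campaign landing page, two abusive destinations.
GOOD = "https://t.example.com/r?cid=cm2018&dest=https%3A%2F%2Fshop.example.com%2Fsale"
BAD = "https://t.example.com/r?cid=cm2018&dest=https%3A%2F%2Fphish.test%2Flogin"
TRICK = "https://t.example.com/r?dest=https%3A%2F%2Fshop.example.com%40phish.test%2F"

if __name__ == "__main__":
    for link in (GOOD, BAD, TRICK):
        print(open_redirect(link), "|", safe_redirect(link))
```

Rejected destinations are still logged, which gives the security team a record of attempts to reuse an old campaign endpoint.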

To protect yourself against phishing attacks on Office 365 and other cloud services, Teceze offers three tips:

  1. Use different passwords for your cloud applications. Segregation protects your assets when one is exposed.
  2. Use protection tools for cloud and email. The fact that these campaigns work shows that native protection is easy to circumvent. Use protection solutions for cloud and email to remove threats to your email and secure your cloud infrastructure.
  3. Don’t enter your credentials if you weren’t planning to. It’s always fraud in disguise.


The attackers in this Office 365 Phishing campaign used multiple mechanisms at each stage to bypass security solutions.

  1. Using an Oxford email server to send spam allows them to pass sender reputation filters and to use generated email addresses instead of compromising actual accounts.
  2. Links inside the email point to a reputable Samsung-owned domain.
  3. A series of redirects leads to a phishing website that is completely obfuscated.

Over the short campaign period, the attackers continuously developed and enhanced the redirection system so that it became independent of a specific domain and of the Adobe Campaign servers.

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

