
Office 365 Phishing Campaign Exploits Servers

Compliance 07/16/2020 - 14:05 by Swami Nathan

Office 365 adoption in the business sector has grown significantly over the last few years. That success has attracted the attention of cybercriminals, who deliberately run phishing campaigns against its users. With phishing reported to be the starting point of around 90 percent of cyber-attacks, Office 365 is an enticing target for threat actors looking to circumvent the security controls that organisations keep adding.

Office 365 phishing campaign exposed

An apparently unimaginative Office 365 phishing campaign recently caught our attention. The attackers abused an Adobe Campaign redirection service running under a Samsung domain to send victims on to an Office 365-themed phishing website. The attackers benefit from the fact that protection software does not block access to a reputable domain such as Samsung's.

The attackers also compromised several websites and inserted a script on them to extend the operation, imitating the behaviour of the Adobe redirection service. Further research revealed that the actors behind the campaign introduced a few other interesting techniques to hide the phishing kit at each stage of the attack and avoid detection. This report summarises what we learned about this Office 365 phishing campaign, which used trusted infrastructure to deliver a novel attack chain.

No vulnerability in Adobe or Samsung products was exploited, and neither company's systems were breached. Samsung's Adobe Campaign server was simply left reachable and would process redirect requests for "campaigns" that were never part of the organisation's marketing activities.

A redirection function forwards users to a destination that is specified inside the URL they just clicked. For example, this lets campaign managers measure and track ongoing promotions by logging each click before forwarding the user to the advertised page. The weakness is that if the destination is taken from the URL without being checked against the set of legitimate targets, anyone can craft a link on the trusted domain that forwards to a page of their choosing; that is what turns a tracking redirect into an open redirect.

Oxford's Hijacked E-mail Server

In early April 2020, researchers started to see emails titled "Office 365 Voice Mail" being sent to victims. The emails claimed that an incoming voice message was waiting in the victim's voice portal and encouraged users to click a button that would allegedly take them to their Office 365 account for further action. After clicking the button, victims were redirected to a phishing page masquerading as the Office 365 login page.

Most of the emails came from multiple generated addresses belonging to legitimate subdomains of various University of Oxford departments. The email headers indicate that the attackers found a way to abuse one of Oxford's SMTP (Simple Mail Transfer Protocol) servers, the component responsible for sending, receiving and relaying mail between senders and recipients. Because the messages genuinely originated from Oxford's mail infrastructure, they passed the sender-reputation and sender-domain authentication checks that would normally flag a forged sender.

Samsung's Trusted URL redirects

Over the past year, phishing campaigns have used Google and Adobe open redirects to add credibility to the URLs in spam emails. An open redirect is a URL on a website that anybody can use to send users to a destination of their choosing. In this case, the links in the email pointed to an Adobe Campaign server previously used by Samsung for a Cyber Monday 2018 marketing campaign. In other words, the link embedded in the original phishing email belonged to a trusted Samsung domain, which unwittingly redirected victims to an attacker-hosted website. By using the same Adobe Campaign link format and a legitimate domain, the attackers improved the email's chances of bypassing reputation-based email protection, blacklists and URL pattern matching.
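The following Python is an added illustration of the two sides of the redirect problem described in the two passages above; it is not code from the original report, from Adobe Campaign or from Samsung. The first function is the check a redirect endpoint should perform on its destination so that it cannot be used as an open redirect, including the usual bypass tricks (scheme-relative URLs, backslashes, user-info confusion, non-HTTP schemes). The second is a cheap mail-filter heuristic that flags a link whose trusted outer host carries a different destination inside its query string, which is exactly the pattern the campaign relied on. All hostnames, the `url` parameter name, the allow-list and the sample lure URL are constructed placeholders.

```python
from __future__ import annotations

from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allow-list of hosts the redirect endpoint may forward to.
# These are placeholders, not the real infrastructure from the campaign.
ALLOWED_HOSTS = {"www.example-shop.com", "promo.example-shop.com"}

# Constructed lure: a trusted-looking outer host whose "url" parameter
# carries the real, attacker-controlled destination (URL-encoded).
LURE_URL = (
    "https://click.example-brand.com/r/"
    "?id=123&url=https%3A%2F%2Flogin-portal.example%2Foffice365%2F"
)


def is_safe_redirect_target(dest: str, allowed_hosts: set[str]) -> bool:
    """Return True only if `dest` stays on one of our own hosts.

    This is the validation an Adobe-Campaign-style tracking redirect
    should apply before issuing a 302; without it the endpoint is an
    open redirect that anyone can point at a phishing page.
    """
    if not dest:
        return False
    # WHATWG-style parsers treat backslashes as slashes, so normalise
    # them first; otherwise "/\evil.test" slips past a "/" prefix check.
    dest = dest.replace("\\", "/")
    parts = urlsplit(dest)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, vbscript: and friends
    if not parts.scheme and not parts.netloc:
        # Same-site relative path. Require a single leading slash;
        # "//evil.test" would have produced a netloc and lands below.
        return dest.startswith("/") and not dest.startswith("//")
    # .hostname strips user-info and port, so
    # "https://www.example-shop.com@evil.test/" resolves to "evil.test".
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def embedded_redirect_targets(url: str) -> list[str]:
    """Return external URLs hidden in the query string of `url`.

    Marketing redirectors carry the final destination as a parameter,
    often percent-encoded and sometimes encoded twice. A link whose
    visible host is a trusted brand but whose parameters point at a
    different host is worth flagging at mail-filter time even when the
    sender and the outer domain both have a clean reputation.
    """
    parts = urlsplit(url)
    outer_host = (parts.hostname or "").lower()
    found: list[str] = []
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            candidate = value
            # parse_qs decoded one layer; peel off a few more if present.
            for _ in range(3):
                decoded = unquote(candidate)
                if decoded == candidate:
                    break
                candidate = decoded
            inner = urlsplit(candidate)
            if inner.scheme in ("http", "https") and inner.hostname:
                if inner.hostname.lower() != outer_host:
                    found.append(candidate)
    return found


if __name__ == "__main__":
    for dest in ("/account", "//evil.test/", "https://www.example-shop.com/deal",
                 "https://www.example-shop.com@evil.test/", "javascript:alert(1)"):
        print(f"{dest!r:50} safe={is_safe_redirect_target(dest, ALLOWED_HOSTS)}")
    print("hidden destinations in lure:", embedded_redirect_targets(LURE_URL))
```

The redirect check deliberately compares the parsed hostname against an allow-list rather than looking for a brand string anywhere in the URL; a substring check is what lets `www.example-shop.com.evil.test` or `www.example-shop.com@evil.test` through. The filter-side heuristic is not a replacement for following the redirect chain in a sandbox, but it needs no network access and catches the simplest form of the technique before the mail reaches the user.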

To protect yourself against phishing attacks on Office 365 and other cloud services, Teceze offers three tips:

  1. Use a different password for each cloud application. Segregating credentials limits the damage when one of them is exposed.
  2. Use dedicated protection tools for cloud and email. The fact that campaigns like this one succeed shows that native protection is easy to circumvent. Cloud and email protection solutions remove threats from your mail flow and secure your cloud infrastructure.
  3. Don't enter your credentials if you weren't planning to. An unexpected login prompt should be treated as fraud in disguise.

Conclusion

The attackers in this Office 365 Phishing campaign used multiple mechanisms at each stage to bypass security solutions.

  1. Sending the spam through an Oxford email server let them bypass sender-reputation filters and use generated email addresses rather than compromised real accounts.
  2. Links inside the email point to a reputable Samsung-owned domain.
  3. A series of redirects leads to a phishing website that is fully hidden behind trusted infrastructure.

During the short campaign period the attackers continuously developed and enhanced the redirection system so that it no longer depended on a specific domain or on the Adobe Campaign servers.

The only way to protect what you’ve worked hard to build is to be vigilant when it comes to cybersecurity. If you’d like to know more about how your business can benefit from managed services, just give us a call, we are here to help.

In short, this Microsoft Office 365 phishing campaign exploited Samsung, Adobe and Oxford University infrastructure: Oxford mail servers sent the initial email, and an abused Adobe Campaign redirect on a Samsung domain led victims to the phishing page.