Over the last few months, organizations using Office 365 have been targeted by a sneaky phishing campaign that uses a variety of tactics to trick both recipients and email security measures.

The goal of this campaign is to get recipients to unwittingly hand over their Office 365 credentials, which can then be used to commit further email fraud.

The campaign begins with phishing emails sent from addresses that appear to be authentic. This is achieved by spoofing the display name so that the sender appears genuine: the campaign concentrates on specific groups, uses believable usernames and domains in the sender display name that are linked to the target, and the messages also carry the targeted company's logos and Microsoft branding. Because only the display name is forged, the actual sending domain can still pass SPF, DKIM and DMARC checks, so the real address behind the display name is often the only visible tell.
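A simple check for the display-name trick described above, as an added example that is not code from the original post or from Microsoft's report: it parses the From header, and flags a display name that embeds an e-mail address from a different domain than the real sender, or that mentions a trusted domain (the target organization or Microsoft's SharePoint domain) when the message actually comes from somewhere else. The headers and the trusted-domain list are constructed for the example; contoso.com standing in for the targeted organization is an assumption.

```python
import re
from email.utils import parseaddr

# Constructed From: headers for this example (not samples from the campaign).
# The first two mimic display-name spoofing; the third is a legitimate internal sender.
SAMPLE_FROM_HEADERS = [
    '"noreply@sharepointonline.com" <alerts@mail-relay.example.net>',
    '"Alice Smith - contoso.com" <alice.smith@contoso-docs.example.org>',
    '"Alice Smith" <alice.smith@contoso.com>',
]

# Domains the recipient trusts. Assumption: contoso.com is the targeted organization.
TRUSTED_DOMAINS = {"contoso.com", "sharepointonline.com", "microsoft.com"}

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def sender_domain(addr):
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_display_name(from_header, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of findings for one From: header; an empty list means no mismatch."""
    display, addr = parseaddr(from_header)
    real_domain = sender_domain(addr)
    findings = []

    # 1. An e-mail address written into the display name whose domain differs from the real one.
    for match in EMAIL_RE.finditer(display):
        if sender_domain(match.group(0)) != real_domain:
            findings.append(
                f"display name carries address {match.group(0)} but message is from {real_domain}"
            )

    # 2. A trusted domain named in the display name while the real sender is elsewhere.
    lowered = display.lower()
    for trusted in trusted_domains:
        if trusted in lowered and real_domain != trusted and not real_domain.endswith("." + trusted):
            findings.append(f"display name mentions {trusted} but message is from {real_domain}")

    return findings


def scan(headers=SAMPLE_FROM_HEADERS):
    """Map each suspicious header to its findings; clean headers are left out."""
    results = {}
    for header in headers:
        findings = check_display_name(header)
        if findings:
            results[header] = findings
    return results


if __name__ == "__main__":
    for header, findings in scan().items():
        print(header)
        for finding in findings:
            print("  -", finding)
```

The check is deliberately crude: it only looks at the display name against the address in the same header, so it complements rather than replaces SPF, DKIM and DMARC evaluation, and the trusted-domain list should be populated from the organization's own domains and the SaaS senders it expects.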

The messages also feature believable Microsoft SharePoint lures to get recipients to click an embedded hyperlink that leads to the phishing URL. Recipients are told that a co-worker has shared a file with them, presented as a file-share request they may have missed, and the link takes them to a web portal hosting a fake Microsoft Office 365 login form.

To get recipients to click the URL, the emails claim the shared file contains information on bonuses, staff reports, or price books. The phishing emails incorporate two different URLs with malformed HTTP headers. The main phishing URL is a Google storage resource that points to an AppSpot domain. If the user completes the sign-in process there, they are taken to a Google User Content domain hosting an Office 365 phishing page. The second URL is embedded in the notification settings and takes users to a compromised SharePoint site, which again requires the user to sign in before reaching the final page. Because every hop sits on a legitimate Google or SharePoint domain, reputation-based URL blocking alone is unlikely to stop the chain.

To evade email security solutions, the messages use extensive obfuscation and encoding of file types often associated with malicious messages, such as JavaScript, along with multi-layer obfuscation in HTML. The threat actors have used old and unusual encoding tricks, including Morse code, to mask segments of the HTML used in the attack. Morse code is an encoding rather than encryption: it hides strings from simple signature matching but is trivially reversible once recognised. Several of the code segments used in the attacks are hosted in open directories and are fetched by encoded scripts. Microsoft security researchers, who discovered and tracked the campaign, compared it to a jigsaw puzzle: each piece looks harmless on its own, and the pieces only become dangerous when they are correctly assembled.
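To show why Morse-encoded segments are cheap to unmask, here is an added triage script that is not code from the original post or from Microsoft's analysis. It scans an HTML attachment for runs of dot/dash tokens, decodes them with the standard ITU table, and reports decoded strings that look like URLs or markup. The attachment text is constructed for the example by encoding two hypothetical segment URLs with the same table; the assumption that the attacker's decoder emits lower-case letters (Morse has no case) and separates words with a bare `/` token is also the example's own.

```python
import re

# ITU Morse table: letters, digits, and the punctuation needed to spell a URL.
# Assumption: decoded letters are emitted lower-case, as a browser-side decoder would
# before feeding them into a script src attribute or document.write.
MORSE = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.", "g": "--.",
    "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..", "m": "--", "n": "-.",
    "o": "---", "p": ".--.", "q": "--.-", "r": ".-.", "s": "...", "t": "-", "u": "..-",
    "v": "...-", "w": ".--", "x": "-..-", "y": "-.--", "z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    ".": ".-.-.-", ":": "---...", "/": "-..-.", "-": "-....-", "=": "-...-", "?": "..--..",
}
REVERSE = {code: char for char, code in MORSE.items()}

# Eight or more dot/dash tokens (or a bare "/" word gap) separated by single spaces.
MORSE_RUN = re.compile(r"(?<![.\-/])(?:[.\-]{1,7}|/)(?: (?:[.\-]{1,7}|/)){7,}(?![.\-/])")


def encode_morse(text):
    """Encode text: letters separated by one space, words separated by ' / '."""
    return " / ".join(" ".join(MORSE[c] for c in word.lower()) for word in text.split())


def decode_morse(code):
    """Decode a Morse run; unknown tokens become U+FFFD so they stand out in output."""
    out = []
    for token in code.split():
        out.append(" " if token == "/" else REVERSE.get(token, "\ufffd"))
    return "".join(out)


# Hypothetical segment locations (the campaign pulled segments from open directories).
HIDDEN_PARTS = [
    "https://open-directory.example/segments/part1.js",
    "https://open-directory.example/segments/login.css",
]

# Constructed attachment: a SharePoint-style lure with Morse-encoded segment URLs.
SAMPLE_ATTACHMENT = f"""<html><body>
<p>Your colleague shared a document with you. Sign in to view it.</p>
<script>
var seg = ["{encode_morse(HIDDEN_PARTS[0])}", "{encode_morse(HIDDEN_PARTS[1])}"];
function d(m) {{ /* in a real attachment the decoder lives here */ }}
</script></body></html>"""

INDICATORS = ("http", "://", ".js", "script", "src=")


def find_morse_segments(text):
    """Return every Morse-looking run in the raw attachment text."""
    return [m.group(0) for m in MORSE_RUN.finditer(text)]


def triage(text):
    """Decode each Morse run and note which payload indicators appear in the result."""
    results = []
    for segment in find_morse_segments(text):
        decoded = decode_morse(segment)
        results.append({
            "decoded": decoded,
            "indicators": [k for k in INDICATORS if k in decoded],
        })
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_ATTACHMENT):
        print(result["decoded"], "->", ", ".join(result["indicators"]) or "no indicators")
```

The token threshold in `MORSE_RUN` is what keeps ordinary prose with dashes and ellipses from being reported; when triaging real attachments, lower it only while inspecting by hand, and treat a decoded string that yields a URL or a `script` tag as the cue to fetch and examine the next piece of the puzzle from a sandbox.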

This campaign is dangerous precisely because the threat actor has gone to great lengths to hide its true intent from both users and security tooling in order to get end users to hand over their credentials.

If you are concerned about your cybersecurity measures and want to tackle attacks like this, contact the TitanHQ team now to find out more about security solutions that can be easily put in place to prevent phishing and other email threats and enhance your security suite.