The lockdown put in place as a result of COVID-19 has forced employees to leave the office and work from home, with contact taking place over communications solutions such as Skype, Slack, and Zoom. Unsurprisingly, the huge increase in use of these platforms has created an opportunity for cybercriminals, who are using fake alerts from these and other communication and teleconferencing platforms as lures in phishing campaigns targeting remote workers.
Many campaigns have been discovered that take advantage of the popularity of these platforms. One recently discovered campaign uses Skype branding and advises users that they have pending alerts. The emails are personalized, include the recipient's Skype username, and feature a review button for users to click to review their alerts. These emails closely resemble the genuine emails that Skype sends to users. They also appear, at first glance, to have been sent from an authentic email address.
The link given in the email takes the recipient to an HTTPS website that has Skype in the domain name. Since the connection between the browser and the website is encrypted, the browser shows the green padlock that users take to mean the connection is safe, as is the case on the genuine Skype domain. The padlock only confirms that the connection is encrypted; it does not confirm that the site belongs to Skype. The webpage includes Skype branding and the logo of the company being targeted, and says that the webpage has been set up for authorized use by employees of the business. The username of the victim is automatically added to the login page, so all that is needed is for a password to be entered.
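A defender-side check for the lure described above, as an added example that is not from the original article: it flags links that name a brand anywhere in the URL authority but are not hosted on that brand's own domains, and it ignores whether the link is HTTPS. The allow-list entries, the function names and the sample message are assumptions made for illustration, and the check generalizes beyond Skype to any brand placed in the table.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list: brand keyword -> domains the brand really serves links from.
# Extend it with the domains your organisation actually receives mail links for.
OFFICIAL = {"skype": ("skype.com",), "zoom": ("zoom.us",)}

# Matches plain and defanged (hxxp/hxxps) links in a message body.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+", re.IGNORECASE)


def is_official(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def brand_lookalikes(body):
    """Return (url, host, brand) for links that name a brand but sit off its domains."""
    hits = []
    for raw in URL_RE.findall(body):
        url = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE)
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        # netloc keeps any userinfo, so "skype.com@other-host" is caught as well.
        authority = parts.netloc.lower()
        for brand, domains in OFFICIAL.items():
            if brand in authority and not is_official(host, domains):
                # The scheme is ignored on purpose: HTTPS does not make a host genuine.
                hits.append((raw, host, brand))
    return hits


# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """You have pending Skype alerts.
Review: https://skype-alerts.login-portal.example/review?u=jdoe
Help: https://support.skype.com/en/
Also: hxxps://skype.com.account-check.example/
Mirror: https://secure.skype.com@notify.example/login
"""

if __name__ == "__main__":
    for url, host, brand in brand_lookalikes(SAMPLE):
        print(f"{brand:6} {host:40} {url}")
```

Substring matching on the brand keyword is a heuristic and will also flag unrelated hosts that happen to contain the word, so treat hits as candidates for review rather than verdicts.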
This campaign was first noticed by Cofense, which received many reports from business users about the emails. The messages bypassed Microsoft Exchange Online Protection (EOP) and were delivered to Office 365 inboxes.
A Zoom campaign has also been discovered that uses similar tactics. Zoom is one of the most popular lockdown teleconferencing apps and has been recommended by many companies for use by employees to maintain contact during the lockdown. The platform has also been very popular with consumers and now has more than 300 million users.
In this campaign, Zoom meeting alerts are sent to targets. As is common with phishing campaigns, the hackers generate fear and urgency to get the targets to respond quickly without reviewing the messages. This campaign advises the recipients to log in to a meeting with their HR department in relation to their job termination. Clicking the link will similarly bring users to a fake login page where they must enter their credentials. The landing page is a virtual carbon copy of the official Zoom login page, although the only parts of the page that work are the username and password fields. This campaign was discovered by Abnormal Security, which reports that around 50,000 of these messages were sent to Office 365 accounts and bypassed EOP.
The phishing emails are believable, the webpages that users are brought to look genuine, and many people will be tricked by the emails. Security awareness training will help to train employees to question emails such as these, but given the number of messages that are bypassing Microsoft’s EOP, businesses should also think about adding an additional layer of email security to their Office 365 accounts.
This is an area where TitanHQ can be of assistance. SpamTitan Cloud does not replace EOP for Office 365; it adds an extra layer on top to provide extra protection from zero-day attacks. SpamTitan Cloud blocks spam, phishing, and malware-laced emails that would otherwise be delivered to Office 365 inboxes.
SpamTitan Cloud is quick and simple to set up, so you can safeguard your Office 365 accounts very quickly. Since the solution is available on a free trial, you will be able to evaluate the difference it makes and see how many malicious messages it blocks before committing to buying it.
To find out more about improving your phishing defenses, give the TitanHQ team a call now.