PhishLabs has detected attempts to compromise Microsoft Office 365 administrator accounts as part of a broad phishing campaign. In the campaign, the threat actor(s) delivered a phishing lure that impersonated Microsoft and their Office 365 brand but came from multiple validated domains - an educational institution for example - not belonging to Microsoft. If the victim clicked the link, they were presented with a spoofed login for Office 365.
Screenshot from the detected phishing site.
Threat actors target administrative credentials for several reasons. For starters, Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain.
In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.
Finally, by compromising an admin account, attackers can create new accounts within the organization to abuse single-sign-on systems, or leverage the reputation of the compromised domain in order to send out a new wave of attacks. This particular tactic has been confirmed as an element of the campaign through the use of multiple validated domains sending out phishing lures.
Observed Information on Active Campaign
This type of attack is notable because it is being delivered from a legitimate organization's Office 365 infrastructure. This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email. Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.
In this particular instance, the attacker gained some level of administrative control over the sender's Office 365 installation. Once done, they created a new account, which was then used to distribute the campaign. The creation of a separate account to distribute their phishing campaign is another technique used to avoid detection by the compromised organization. By using a created account, the attacker does not need to worry about a legitimate user stumbling upon the malicious activity taking place, either by observing outgoing mail or receiving automated responses from failed delivery attempts.
Industries and Targets Observed
PhishLabs has observed a wide variety of enterprises and industries being targeted by the campaign, so this does not appear to be targeting specific companies or industries.
Handling Related Threats
This particular threat campaign was identified and mitigated with our Email Incident Response (EIR) solution. The email lure was initially initially reported as a suspicious email. EIR automatically analyzed the threat, found all instances of the email lure across our clients, and removed them from user inboxes to prevent exposure to the threat. New emails associated with the campaign are being actively removed by EIR prior to reaching user inboxes.
Observed indicators
The following indicators have been obtained by the detected phishing lures:
Sender
All sender names appear as below, but with different domain variables.
"Services admin center"
Phishing URLs
http://www.clinicaccct[dot]com/srvt/[email protected]
http://www.aranibarcollections[dot]com/srvt/[email protected]
Email Subject Lines Identified
At least two distinct email subjects observed so far:
- Re: Action Required!
- Re: We placed a hold on your account
Additional Resources: