Published: March 12, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
Detecting phishing is getting harder and harder as the days go by. Merely looking out for misspelled words, bad grammar, or unknown senders just isn’t enough anymore. A popular way phishers lure unsuspecting victims is by using well-known business names and products, and Microsoft Office 365 has been a favorite of late. As if these weren’t hard enough to spot already, Microsoft has recently warned of yet another campaign that is craftier at bypassing anti-phishing filters and succeeding at capturing user login credentials.
In a Twitter post, Microsoft Security Intelligence warned that an “active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.” The group goes on to explain that the original sender addresses carry names that mimic various permutations of the word “referral,” along with top-level domains that are common in phishing campaigns, spoofing, and typosquatting.
At a more granular level, the emails use SharePoint in the display name and in the message body, and can pose as a file share request for “Staff Reports,” “Bonuses,” or “Pricebooks,” as well as a variety of other content. Of course, the links to the phishing pages are included, for “convenience.” It’s sneakier than normal, per Microsoft, because the campaign uses “legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages,” so the hosting domain alone gives little away.
For those who maintain and administer the Microsoft 365 products for the organization, Microsoft recommends using a specially crafted “hunting query” that helps surface messages from this campaign that slip past email gateways. It’s advised to check out the Microsoft website for specifics and be sure to read any advisories that come your way. In addition, Microsoft has published more information on GitHub.
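The lure described above combines three tells that can each be checked against message headers: a display name that embeds the recipient’s own username or domain, a display name that mimics a service such as SharePoint while the real sender domain is unrelated, and a sender address built on a permutation of “referral.” The following is an added example of that hunting logic written in Python; it is not Microsoft’s published query and not code from this newsletter. The message records, the `LEGIT_SERVICE_DOMAINS` allowlist, and the `SAMPLE_MESSAGES` themselves are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample messages modelled on the lure described in the article.
# Each record holds the raw From header, the recipient, and the subject.
SAMPLE_MESSAGES = [
    {   # lure: recipient's own address in the display name, "SharePoint" mimicked,
        # sender local part is a "referral" permutation
        "from_header": '"alice@contoso.example via SharePoint" <referral-team@rferral.example>',
        "to": "alice@contoso.example",
        "subject": "Staff Reports shared with you",
    },
    {   # benign internal share, same domain on both sides
        "from_header": '"Bob Builder" <bob@contoso.example>',
        "to": "alice@contoso.example",
        "subject": "Q1 pricebook",
    },
    {   # lure: service name in the display name, misspelled "referral" in the sender domain
        "from_header": '"Microsoft SharePoint" <no-reply@refferal.example>',
        "to": "carol@contoso.example",
        "subject": "Bonuses - file share request",
    },
    {   # legitimate service notification from an allowlisted domain
        "from_header": '"Microsoft SharePoint" <no-reply@sharepointonline.com>',
        "to": "alice@contoso.example",
        "subject": "Pricebooks shared with you",
    },
]

# Matches referral / referal / refferal / refferral and similar permutations.
REFERRAL_RE = re.compile(r"ref+er+al", re.IGNORECASE)

# Service names the campaign mimics in display names.
SERVICE_NAMES = ("sharepoint", "microsoft", "office 365", "onedrive")

# Constructed allowlist (assumption): domains from which those services really send mail.
LEGIT_SERVICE_DOMAINS = {"sharepointonline.com", "microsoft.com"}


def analyze(msg):
    """Return the list of reasons a message looks like the described lure (empty if none)."""
    display, addr = parseaddr(msg["from_header"])
    sender_local, _, sender_domain = addr.lower().rpartition("@")
    rcpt_local, _, rcpt_domain = msg["to"].lower().rpartition("@")
    display_l = display.lower()
    reasons = []

    # Tell 1: the display name contains the target's username or domain, but the
    # envelope sender domain is not the recipient's own domain.
    if sender_domain != rcpt_domain and (rcpt_local in display_l or rcpt_domain in display_l):
        reasons.append("display name embeds recipient identity")

    # Tell 2: the display name claims to be a well-known service, yet the mail
    # comes from a domain that service does not use.
    if any(name in display_l for name in SERVICE_NAMES) and sender_domain not in LEGIT_SERVICE_DOMAINS:
        reasons.append("display name mimics a service from an unrelated domain")

    # Tell 3: the sender's local part or domain is a "referral" permutation.
    if REFERRAL_RE.search(sender_local) or REFERRAL_RE.search(sender_domain):
        reasons.append("sender address uses a 'referral' permutation")

    return reasons


def hunt(messages):
    """Return (subject, reasons) for every message that trips at least one check."""
    hits = []
    for msg in messages:
        reasons = analyze(msg)
        if reasons:
            hits.append((msg["subject"], reasons))
    return hits


if __name__ == "__main__":
    for subject, reasons in hunt(SAMPLE_MESSAGES):
        print(f"{subject!r}: {', '.join(reasons)}")
```

The checks deliberately look at the relationship between the display name, the sender address, and the recipient rather than at the link destination, because the article notes the phishing pages sit on legitimate Google, Microsoft, and Digital Ocean infrastructure, which makes hosting reputation a weak signal for this campaign. Any real deployment needs an allowlist tuned to the services the organization actually uses.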
For the users, always watch for phishing lures like this, especially ones that claim to be Office 365. It’s becoming a top piece of bait for phishers because they know it’s a popular product in the corporate world. Of course, watch for the typical signs, such as poor grammar, a sense of urgency about something, or an unfamiliar sender name, but also question the product if the login process seems out of the normal routine. For example, if you don’t have to log in every day, but suddenly you do, take a closer look at the URL before entering credentials. It could be redirecting you somewhere you really don’t want to go.
Phishing, and the business email compromise (BEC) attacks that result from it, cause the business world, and others, a lot of grief and a lot of money. In fact, the FBI has found it cost Americans more than $4.2 billion in 2020.