More Phishing Attacks Using Microsoft Office 365 For Bait
Published: May 11, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
While embroiled in coronavirus news, it's easy to miss other cybersecurity attacks that haven't been sheltering-in-place. Currently happening is another phishing scam and it’s using a popular software to launch its attacks. The email phishing scam uses Microsoft Office 365 to look like legitimate emails sent from system administrators, and it’s working. Email filters can block a phishing attack when a sender’s domain name isn’t recognized, and that stops many hackers from getting through to inboxes. However, this latest Office 365 scam gets around those filters in a very effective way and it greatly increases the efficiency and deliverability of email phishing attacks.
Cybercriminals steal account credentials in many ways, including phishing, password reuse, brute force attacks, and even just by guessing. After all, taking a stab at using one of the topmost used passwords, such as “123456” may just work. When an Office 365 account is hacked, bad actors use the stolen data they’ve acquired to create an email account that for all purposes, looks like the real deal. Although criminals are behind the phishing façade, the emails flow into inboxes without a second look from security software or the recipients.
Legitimacy is the key to this attack working and Office 365 lends its credibility to lure victims into opening and acting on phishing emails. According to a report by Vade Secure, Office 365 phishing attacks are responsible for more than 150 unique URL’s being created each day. Those fake URL’s are duplicates of a legitimate Office 365 URL and are inserted into the emails, usually via a link in the text. They are created for the sole purpose of stealing sensitive data and just one click can mean the beginning of an entire network being compromised. And it’s not just Office 365 that’s plagued by bogus links to phishing URLs. Companies like PayPal and Netflix are also top contenders when it comes to similar attacks.
At the moment, security experts are starting to see variations of the original Office 365 attacks that are improved and more effective. There are security steps a business can take to minimize vulnerability to Office 365 and other phishing attacks.
Employee cyber education tops the list. Staff who are regularly trained to look for phishing red flags, including current trending attacks, can stop an attack before it starts.
Avoid clicking on email links and attachments, even if you trust the sender. It’s always better to type a URL onto a separate browser page. Attachments can be filled with malware so don’t hesitate to verify the sender yourself before opening attachments.
Use strong and unique passwords for each account. Hacker’s love to “credential stuff” passwords, hoping an employee reuses a password for multiple accounts. Password reuse can give a cybercrook access to even more accounts.
Strong email filtering systems are needed to keep phishing out of inboxes and into spam folders where it belongs.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org