Office 365 phishing attacks: How hackers get access to your business
With 155 million corporate users, the highly popular Microsoft Office 365 has become a target-rich environment for sophisticated phishing attacks. On top of all the standard phishing and spear phishing threats, Office 365 presents a number of unique attack techniques for hackers looking to compromise the platform.
Microsoft is the number one phished brand for the third straight quarter -- thanks to Office 365. A multisystem platform, Office 365 combines email, file storage, collaboration, and productivity applications, including OneDrive and SharePoint. Together, they represent a honeypot of sensitive data and files that phishers are looking to exploit.
According to a recent Ponemon report, respondents reported that 52 percent of their organization’s sensitive or confidential data is stored in SharePoint. Whether corporate trade secrets or financial information, SharePoint houses business-critical data that, if exposed, could cause irreparable damage.
With a single set of legitimate Office 365 credentials, a phisher can conduct spear phishing attacks from within the organization, impersonating employees in order to extract a financial payback via wire transfers, gift cards, ransoms, and more. Moreover, they’re able to acquire more Office 365 credentials and spread across other organizations.
Why Users Take the Bait
Attackers mimic the protocols and appearance of Office 365 messages and interfaces to trick users into disclosing their login credentials. In some cases, phishers take advantage of the Microsoft Azure Binary Large OBject (BLOB) storage as a means to build landing pages with Microsoft-signed SSL certificates and a windows.net domain. With credential-stealing pages literally built on the same platform used by the recipient, it’s easy to trick users.
Once they’ve gained access to legitimate Microsoft credentials, attackers are able to conduct multiphase attacks from within Office 365. Through internal spear phishing emails, attackers impersonate users and trick employees into releasing wire transfers, sharing employee data, purchasing gift cards, and more.
Sophisticated, innovative, and relentless, attackers use a number of techniques to conduct phishing attacks. Phishing attacks overall are more targeted than in the past, with hackers sending much lower volumes of email (it’s rare for a single attack to target hundreds or thousands of recipients anymore). They’re also more dynamic than ever, with many attacks using a unique sender/IP, URL, and subject line for each message. Below are just a few of the techniques we’ve identified -- and blocked -- on Office 365.
The Voice Message Attack
Outlook for Office 365 indicates you have an email. The subject line reads: "Incoming: You received a voice message from +1 508 *** – 250 seconds." It’s personalized with your first name in the body of the message. Along with the realistic-looking phone number, the email contains a phishing link you can click on to hear your message. Don’t! It’s a trap.
In one example of a voice message attack, the email sender’s name is displayed as "voice-mail service" in Outlook, and the sender’s domain address contains "microsoft.com." This looks like a Microsoft system message, right? It isn’t.
The phishing link could send you to a Microsoft login screen that looks perfectly real, except it’s not. It’s a phishing site designed to steal your Office 365 login credentials.
In an alternative version of this attack, the message ostensibly comes from an address like "firstname.lastname@example.org" The message may include a link to a PDF hosted on compromised SharePoint sites. The PDF takes you to another phishing site.
The "Action Required" Attack
The message arrives with a subject line that says something like, "Action Required: [email_address] information is outdated -- You must revalidate your account." The message includes a link that is generally hosted on a legitimate although hacked website to bypass reputation-based email filtering systems. This is a trick to get you to disclose your Office 365 login credentials. This could be the first step in a multiphase attack, providing the attacker with all they need to begin conducting lateral attacks within your organization using the compromised Office 365 account.
The Shared File Attack
In a shared-file attack, you receive a file-sharing notification in an email message from a common name, such as "John" or "Julie." You know someone named John or Julie, don’t you? You’re then redirected to a fake OneDrive login page where the phisher then harvests your account credentials. You assume you’ve been logged out. The phisher is counting on you to sleepwalk through your use of Office 365. That way, you won’t question what’s happening.
Preventing Office 365 Phishing Attacks
Office 365 phishing attacks slip past many of the standard security countermeasures. Anti-malware software isn’t going to spot them, nor will the built-in signature and reputation-based defenses that Office 365 employs. Two approaches to risk mitigation are working when it comes to Office 365 phishing attacks. One is user awareness training. The more alert and informed your users are, the more likely they will be to spot a phishing attack.
The second is to add an additional security layer that sits natively inside Office 365 through an API to complement Microsoft’s Exchange Online Protection (EOP). A native Office 365 solution leveraging artificial intelligence (AI), including machine learning (ML), uses real-time behavioral analysis to protect from unknown threats, whereas traditional fingerprinting and reputation methods detect only known threats. With this predictive approach, AI-based technologies leverage huge amounts of data to identify abnormal behaviors and inconsistent characteristics in the ways emails are built and sent to identify a potential new threat.
To remain secure, organizations must augment Office 365 security with purpose-built countermeasures while also increasing their employees’ awareness around phishing attacks. Together, people and technology form the ultimate barrier.
As Vade Secure's Chief Solution Architect and CEO of Vade Secure North America, Adrien Gendre owns all aspects of the business that directly impact customer experience. His responsibilities include formulating the company's product strategy and roadmap, overseeing integration with security vendors, and managing the global Solutions Architect, Training, Documentation, and Customer Support Teams.