Phishing attack evades Microsoft 365 security
Researchers at email protection company Armorblox have uncovered a targeted email phishing attack designed to get past Microsoft 365 security.
The attack is a variant of 'PerSwaysion', a recent spate of credential phishing attacks that utilize compromised accounts and leverage Microsoft file-sharing services to lull victims into a false sense of security.
A message sent from a compromised vendor account claims to contain important invoice information. The email includes a link to view the invoice, taking readers to a legitimate OneDrive page that is then used to host the final payload, a credential phishing page. The entire flow has been painstakingly built by the perpetrators to resemble real Microsoft web pages.
By using OneNote to host the final OneDrive phishing link, the people behind the attack hope to convince victims to hand over their credentials. The attackers also created a new domain for the link in this attack, so it got past any filters built to block known bad links. The link in the email led to multiple web pages that were painstakingly made to resemble legitimate Microsoft pages.
Armorblox's senior product marketing manager, Abhishek Iyer, writes on the company's blog, "Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email was sent from a compromised vendor account and included the vendor's real name in the email title, aiming to induce a sense of familiarity within the recipient. The email starts off with a big green box announcing that a file was ready for the recipient’s review, acting as an effective call to action and increasing the likelihood that targets would click on the link asking them to review the PDF."
You can see more details, including how the attack was detected, on the Armorblox blog.