EXECUTIVE SUMMARY:

Executives of financial services and insurance groups are witnessing a barrage of targeted phishing attacks designed to capture sensitive information. Executive assistants and financial departments should also remain alert in light of these threats. Hackers hope to harvest Microsoft Office 365 data and to catalyze more business email compromise (BEC) attacks.

Broadly speaking, the hackers want to obtain account credentials and the ability to abuse the compromised mailboxes. The end goal is to access the organization’s inner core while remaining undetected.

What makes this Office 365 phishing attack so successful? 

A few things. These hackers have patience. They have been observed monitoring new CEOs as they learn a company’s payroll and financial systems. Once this internal education is underway, hackers may send a phishing email that appears as though it’s from the payroll department.

In another version of the campaign, victims receive an inauthentic Office 365 update. These fake updates are sent from newly registered domain names that imitate Microsoft’s. “This quick domain registration turnaround is a common tactic employed by scammers hoping to bait as many victims as possible before their newly registered domains are identified as phishing infrastructure,” write security researchers. The updates look legitimate.

Several additional versions of the attack exist. In some phishing emails, hackers rely on lures that talk about system changes or policy updates.

Financial departments are seeing email threats from the same attack group. The attackers appear interested in third-party data that could be used to send illegitimate invoices to suppliers. Hackers will then be able to redirect payments to their own bank accounts. Accounting and payroll employees should monitor systems for emails that could be a part of an Office 365 phishing attack.

Microsoft and phishing?

In 2020, 45% of all email phishing scams contained a Microsoft theme. Office 365 (O365) email accounts remain alluring for criminals, as they contain a wealth of profitable information. Moreover, much of the distributed workforce relies on O365. This means that a comparatively high percentage of employees are likely to fall for these phishing campaigns.

Office 365 phishing attack campaign, still in progress

According to experts, this campaign originally appeared in December of 2020. The breadth and depth of this campaign have made an impression on researchers. “Judging from the size of this campaign, there are certainly many more organizations outside of our scope that have been targeted.”

Avoiding this Office 365 phishing attack

Executives who doubt an email’s origins should confirm the email’s authenticity. Receive a curious looking O365 email? Call the payroll department or the alleged sender and ensure that he or she really did intend to communicate about the topic in question.

Alternatively, executives can refrain from clicking on suspicious email links and can send the email for review by IT experts. Information technology professionals will likely be able to offer insights into whether or not the email is malicious.

Further, IT teams should consider implementing least-privileged access for all Office 365 users. This can prevent or limit lateral movement in the event that a cyber criminal accesses an account.

For more on this Office 365 phishing attack campaign, visit ThreatPost.