EXECUTIVE SUMMARY:
Although you might take meticulous care to ensure that you avoid malicious URLs, checking links may not suffice in avoiding phishing attacks. Microsoft warns that O365 users should beware of new, email-based, malicious links that collect user credentials and lead to password attacks.
How the password attacks work
The phishing emails in this campaign include multiple links within them. Each link leads to a series of redirects. Eventually, users reach a Google reCAPTCHA page, which reroutes users to a fake O365 login page. Once user credentials are entered, credentials become compromised. Any user credential typed into the fraudulent portal is obtained by hackers.
In this password attack, hackers rely on a marketing tool known as ‘open redirects’. With this resource, hackers continually redirect users from familiar and reputable web pages to malicious domains. Although Google does not regard open redirects for Google URLs as a security hazard, Google does present users with redirect warnings. In turn, people can interpret these notices as signs to take caution.
Why this user credential compromise attack is significant
The theft of any user credentials can potentially harm your enterprise. Phishing attackers are currently distributing this campaign en masse. And, by leveraging trusted domains and redirects, hackers can embed malicious URLs without detection. Security solutions may not pick up on these types of malicious URLs.
These hackers have made a bet that users will hover over links in order to assess their trustworthiness. Once users hover over the links in this campaign, they see that the links look harmless. As a result, employees follow the redirects. As such, the hacker gradually leads users into a cyber trap.
Microsoft’s update on this attack
The software company has shared that more than 350 unique phishing domains have been exploited within this campaign. Hackers tailor subject lines to the nature of the emails. For example, if an email focuses on a Zoom meeting, the subject line corresponds.
Experts have seen phishing attacks that rely on open redirects and spoofed domains before. However, the Google reCAPTCHA element makes this one stand out from the crowd. Because reCAPTCHA typically functions to confirm a user’s legitimacy, and indicates a trustworthy website, victims of this campaign are liable to breeze past it without a second thought.
The worst part of this password attack
Once a user reaches the final malicious link and web portal, upon entering O365 credentials, the person sees a the page refresh or the page suddenly displays an error message. Then, the malicious domain asks victims to retype their credentials. Experts suggest that this tactic enables hackers to ensure that they have correct user credentials for a given person/organization.
After the second round of password typing, the phishing campaign directs users to a legitimate website. An ordinary-looking message pops up. This final layer of the attack continues the ruse, as it tricks users into perceiving a false sense of legitimacy.
Google’s response to open redirect attacks
At present, Google states that open redirects alone do not present a security issue. Some independent cyber security researchers disagree. The company also disputes the notion that hovering over a link represents an effective means of checking its legitimacy. Google says that this is not a useful phishing awareness tip.
In conclusion
This phishing campaign captured experts’ attention due to its use of a wide variety of domains and because of its unique sender infrastructure. Hackers have gone to great lengths in order to evade detection. The high level of investment in terms of time and effort on the part of the hackers indicates that they may expect high rewards; passwords that provide access to email clients, which they can then exploit in ways that prove lucrative.
Protecting enterprises from email threats, and password attacks in particular, is critical. Read about Check Point’s acquisition of cloud email security firm, Avanan. In addition, see past Cyber Talk email security coverage here. Lastly, sign up for Cyber Talk’s newsletter here.
