New Microsoft 365 credential harvesting campaign


Thousands of Microsoft 365 credentials were recently discovered on phishing servers. The credentials were stored in plaintext, making them easily readable. This finding appears to be part of a larger credential harvesting campaign that targets real estate professionals, whose wire transfers are monetarily valuable.

The attacks showcase the growing, evolving risk that standard username-password combinations present. As phishing attempts continue to evade basic email security, this may prove to be an increasingly unwieldy challenge to contend with.

How it started

Cyber attackers compromised email accounts belonging to employees who worked with two well-known financial services vendors in the real estate space. The attackers then used the accounts to send out phishing emails to realtors, real estate lawyers, title agents, buyers and sellers in the hopes that they would enter credentials into a phony web page.

The emails informed targets that certain documents required review or that new messages were available to them on a hosted and secure server. In both instances, embedded links directed recipients to the fake login pages, which asked them to sign in to Microsoft 365.

Once victims landed on the malicious page, attackers attempted to tease out multiple passwords from victims.

Password theft

After submitting Microsoft 365 credentials and receiving a user error message, victims were prompted to try again. In such instances, victims typically submitted the same credentials at least one more time, and then tried variations of other passwords that they may have used in the past. In turn, this provided hackers with a gold mine of information to weaponize in brute-force or credential stuffing attacks. The care taken in targeting victims with a well-thought-out strategy is one of the most notable aspects of the campaign.

10,000 submission attempts

The exact reach of the campaign remains unknown, but an initial investigation shows that thousands have been phished so far. More than 2,000 unique sets of credentials have been found in more than 10,000 submission attempts (many users provided the same or alternative credentials multiple times).

Security risk

For victims, the level of risk is considered quite high. Real estate-focused transactions are often targeted for sophisticated fraud scams, particularly those involving real estate title companies. It appears that the attackers wish to use the stolen credentials to intercept/direct/redirect wire transfers associated with real estate transactions.

For more on this story, visit Dark Reading.