Microsoft, acting through a court order, seized control of six domains that were used in a series of phishing operations targeting Office 365 users. The fraudsters had been active since December 2019 and had recently shifted to exploiting pandemic and COVID-19 themes.
The phishers sent emails to companies that hosted their mail servers and corporate infrastructure in the Microsoft Office 365 cloud. The emails were crafted to look as if they had been written by a colleague or a trusted business partner of the victim.
The campaign was notable because the attackers did not redirect users to phishing sites mimicking the Office 365 login page. Instead, the lure was an Office document. When users tried to open the file, they were redirected to install a malicious third-party Office 365 application created by the criminals.
If a user fell for the scam and installed the application, the attackers gained full access to the victim's Office 365 account: settings, files, email contents, contact lists, notes, and so on.
Microsoft notes that the application gave the attackers full access to user accounts without any password theft: instead of credentials, the attackers held an OAuth2 token.
Unfortunately, the fraud was very successful, for several reasons. The malicious application looked official and genuine, as if it had really been developed by Microsoft. The Office 365 environment is modular, and users are accustomed to installing applications regularly. Moreover, the link to install the malicious application first led users to the genuine Microsoft login page. Only after successful authentication did the attackers spring their trick and redirect victims to install the malicious application, creating the impression that the victims were using legitimate software vetted by Microsoft.
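The consent-based access described above leaves a trace a defender can watch: every grant is recorded as a consent event, and the combination the article describes (a third-party app with a Microsoft-sounding name, consented to by an ordinary user, asking for mailbox, file and contact scopes plus a refresh token) is easy to score. The following triage script is an added example, not code from the article or from Microsoft; the JSON record layout is a constructed, simplified stand-in for a Microsoft 365 "Consent to application." audit record, and the field names, the scope list and the scoring weights are assumptions chosen for illustration.

```python
"""Triage OAuth consent grants for the pattern the article describes:
a look-alike third-party app that asks for broad mailbox/file access.

Added example, not code from the article or from Microsoft. The event layout
is a constructed, simplified stand-in for a Microsoft 365 consent audit
record; the field names below are assumptions.
"""
import json

# Delegated Microsoft Graph permission names that give an app the reach the
# article describes (mail, files, contacts, notes), plus offline_access,
# which yields a refresh token so access outlives the sign-in session.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Contacts.ReadWrite",
    "Notes.Read.All", "Notes.ReadWrite.All",
    "User.Read.All", "offline_access",
}

# Product names an unverified third-party app has no business borrowing.
MICROSOFT_BRANDS = ("office 365", "microsoft", "outlook", "sharepoint", "onedrive")

ALERT_THRESHOLD = 3  # assumed cut-off; tune to your tenant's noise level

# Constructed sample records (JSON lines): a benign admin-consented internal
# app, a look-alike app granted by an ordinary user, and an unrelated event.
SAMPLE_EVENTS = [
    json.dumps({
        "operation": "Consent to application.",
        "user": "alice@contoso.example",
        "app_display_name": "Contoso Expense Tracker",
        "app_id": "00000000-0000-0000-0000-00000000aaaa",
        "publisher_verified": True,
        "is_admin_consent": True,
        "scopes": ["User.Read", "offline_access"],
    }),
    json.dumps({
        "operation": "Consent to application.",
        "user": "bob@contoso.example",
        "app_display_name": "Office 365 Document Viewer",
        "app_id": "00000000-0000-0000-0000-00000000bbbb",
        "publisher_verified": False,
        "is_admin_consent": False,
        "scopes": ["User.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                   "Contacts.Read", "offline_access"],
    }),
    json.dumps({"operation": "Add user.", "user": "admin@contoso.example"}),
]


def score_consent(event):
    """Score one parsed record. Returns None for non-consent records,
    otherwise a dict with the score, matched risky scopes and reasons."""
    if event.get("operation") != "Consent to application.":
        return None
    risky = sorted(set(event.get("scopes", [])) & HIGH_RISK_SCOPES)
    verified = bool(event.get("publisher_verified", False))
    admin = bool(event.get("is_admin_consent", False))
    name = event.get("app_display_name", "").lower()
    score, reasons = 0, []
    if risky:
        score += len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not verified:
        score += 2
        reasons.append("publisher not verified")
    if risky and not admin:
        score += 1
        reasons.append("end-user consent, no admin review")
    if not verified and any(b in name for b in MICROSOFT_BRANDS):
        score += 3
        reasons.append("unverified app uses a Microsoft product name")
    return {
        "user": event.get("user"),
        "app_display_name": event.get("app_display_name"),
        "app_id": event.get("app_id"),
        "score": score,
        "risky_scopes": risky,
        "reasons": reasons,
    }


def triage(json_lines, threshold=ALERT_THRESHOLD):
    """Parse JSON-line records and return the consent grants at or above
    the threshold, highest score first."""
    findings = []
    for line in json_lines:
        result = score_consent(json.loads(line))
        if result is not None and result["score"] >= threshold:
            findings.append(result)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['score']:>2}  {finding['user']}  {finding['app_display_name']}")
        for reason in finding["reasons"]:
            print("     -", reason)
```

On the constructed sample the benign internal app scores 1 and is ignored, while the look-alike "Office 365 Document Viewer" scores 10 and is reported with each reason spelled out. Scoring is only the detection half; the matching mitigation in Microsoft Entra ID (Azure AD) is to restrict user consent (for example, allowing users to consent only to apps from verified publishers for low-impact permissions, or disabling user consent altogether) and to route everything else through the admin consent workflow, so that a grant like the second one never happens without review.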
Researchers believe that at least two people were behind the campaign. At first the phishers used business-related lures, but soon after the pandemic began they switched to bait emails supposedly containing documents about the coronavirus.
Worse still, according to Microsoft corporate vice president Tom Burt, the malicious third-party application could be used to analyze the victims' internal infrastructure, and the attackers then used the information gathered this way for BEC (Business Email Compromise) attacks.
Typically, a BEC scam starts with compromising the legitimate email account of one of a company's employees. The attackers then use this account to send fake messages to employees of the same company or its partners, and use social engineering to convince them to transfer funds to fraudulent accounts under cover of fake invoices and fictitious transactions. Let me remind you that attackers deceived Google and Facebook out of more than $100 million in a similar way, and there are also cases where deepfakes were used to imitate a CEO's voice.