DERBYCON - Earlier this month, Salted Hash deconstructed a phishing email that had bypassed company filters and made into the general inbox.
The email focused on an outdated company subdivision, and was easily spotted as a scam. However, we've since learned the message itself could be part of a larger campaign that has been targeting Office 365 customers since at least June.
This wasn't a random phishing attack:
On September 7, Salted Hash received a generic looking email warning that our account was almost over quota and these alleged space limitations were responsible for a delay in email delivery. In order to address this problem, the message said to open an attached HTML file and follow instructions. The email was clearly a scam, and the reasoning we used to flag the message as such is explained in our original story.
Shortly after publishing a breakdown of the September 7 message, we were contacted by a source who said the issue was much larger than a basic one-off attempt at harvesting credentials as we had reported.
As it turns out, Salted Hash was just one potential victim in a larger campaign of Phishing attacks targeting government agencies, industrial organizations, financial firms, universities, and more.
Chained phishing:
Researchers from Fujitsu, while working a case, discovered a pattern in these attacks.
Since June, at least 30,000 Office 365 Phishing emails have fit the description of a sustained chain attack against Office 365 customers, but that number is based on just a few investigations, Fujitsu said.
The chained phishing campaign starts by sending emails in an attempt to collect usernames and passwords for Office 365 accounts. Once the victim compromises their credentials, the attackers then target that victim's address book - often filled with a mix of business and personal contacts.
The second stage of the attack attempts to leverage the first victim's existing relationships as an ice breaker, often using informal easily subject lines such as "FYI" in order to get the new victim to take an action.
The cycle is repeated as often as possible, with new victims keeping things going. After time, the harvested credentials are then used to compromise anything the victim has access to. Considering most organizations leverage Office 365 credentials for Exchange, One Drive, Skype, and SharePoint, and Office Store apps, the damage potential is serious.
In attacks such as these, a victim is likely to click on a message from someone they have an association with. So by abusing the existing trust relationships between vendors and acquaintances, the attackers have a wider pool of potential victims that will offer little push back.
In the event someone contacts the sender for verification, those responsible for the chained Phishing attacks are using the victim's Skype account to further legitimize the scam.
Campaign phishing lures:
The lures in these campaigns hinge on a few themes. The first, similar to the one Salted Hash received, warns of low storage space. Another email plays on the storage theme and asks that a user activate "Quota" to address the issue. In both instances, the victim is prompted to enter their Office 365 credentials.
There have also been reports of emails asking to review a document from DocuSign. If the review link is clicked, the victim sees a prompt for credentials. Other technology themes include account suspensions, server upgrades, and security updates.
In June, Kansas State [1] issued a warning about Office 365 "storage" scams; followed by two warnings in July from the University of Pittsburgh [2] [3].
Earlier this month, a warning list of scam emails at South Dakota State University [4] listed another example of a Office 365 phishing attack; sent on the same day and from the same account as the one delivered to Salted Hash.
After the initial phishing attack though, the campaign shifts and starts using somewhat informal tones. As mentioned, "FYI" is one such subject line, but others include "Approved Invoice" or "Fw: Payments" as a means to get attention. Moreover, compromised Office 365 accounts have been used to email internal business contacts the same "Quota" message.
Conducting an Office 365 phishing campaign:
The emails all tend to run with a basic template that uses key elements of data from a victim's address book or the intended victim's domain. If the victim falls for the scam, they're delivered to a landing page (where the Office 365 credentials are harvested) by a few methods.
Some will see the landing page by opening an HTML attachment and being forwarded; or they'll click a direct link.
After looking at a few recent examples, Salted Hash determined the landing pages themselves are designed using Knockout.js, an open source JavaScript template system that works on any browser, even obsolete ones.
Given the code examples observed, it looks as if Knockout is being used to replicate the Office 365 login portal most people are familiar with. Once a victim's credentials are harvested by the scammers, they're passed on to the legitimate Microsoft login page.
Note: For those who need it, page two of this article contains a number of indicators of compromise, including domains, subject lines, and IP addresses.
Office 365 is a hot target for phishing:
Given its reach, targeting Office 365 is going to be the norm - not the exception – if recent patterns are any indication.
Troy Gill, manager of security research at AppRiver said that over the last six months or so, his company has seen lots of Phishing scams targeting Office 365. So far in 2017, AppRiver has seen – conservatively – more than 100 million emails sent that are targeting Office 365 users.
"I can say comfortably that we have seen an increase of at least 1000 percent since this time last year with many of these campaigns spewing many millions of messages in a single day," Gill said.
Prevention and mitigation:
Depending on the job, most people are chained to their email. However, awareness training often has a sort of "stranger danger" mentality – and skips over what to do when a known contact sends a message or an attacker controls verification channels.
Journalism, office administration, legal, marketing, sales, human resources, etc. all have a higher risk when it comes to Phishing because they have access and a position requiring they do the exact thing most awareness training discourages – click links, talk to strangers, and open attachments.
That's why phishing is so effective. The attacks observed by Barracuda, Fujitsu, even the one that found its way to Salted Hash all attempt to leverage an existing level of trust and familiarity, and abuse normal workflows.
While there are technical controls to help fight Phishing, such as domain monitoring (to catch knock-off URLs, typo squatting, etc.) or email filtering, the problem is still a human one.
If those controls don't stop the email from getting to a person's inbox, the potential victim has now become the last line of defense.
At that point, multi-factor authentication would certainly boost defenses. Microsoft has encouraged multi-factor authentication for Office 365 users - especially those in a corporate setting - for some time now.
But there's something to be said about including common workflows and office patterns into awareness training itself. For the team at Salted Hash, this type of training led to the September 7 email being spotted as a scam almost immediately by each of us who received it.
By tuning awareness training to match the normal, common workflows of the organization, it's possible to get a boost from the users who will know when something just "doesn't feel right" and likely report it.
They key though, is communication, and stressing the point that unintentional false reports, or falling victim to a scam will not result in punishment, while rewarding successes.
Office 365 phishing: Attack indicators and additional details
After dealing with our own phishing email, Salted Hash tracked down other related attempts. Based on our hunting, the emails from earlier this month tend to use .kz domains (Kazakhstan), and generally follow a basic format for URI:
/wp-content/languages/themes/hash/
/wp-content/plugins/hash/
/wp-includes/css/hash/
cmd=login_submit&id=
cmd-login=
An example of one attack is available on urlscan.io, but it isn't clear if the address recorded was a victim or a target, given that admins often use the URLScan.io service to investigate suspicious or reported links.
We asked Fujitsu if they could share any additional indicators and they shared the following:
IPs Observed logging into compromised Office 365 accounts:
169.159.73.9641.190.2.4105.112.41.23541.190.2.166129.56.10.37129.56.10.68129.56.10.36129.56.10.100169.159.82.162129.56.10.11641.58.96.135169.159.94.72105.112.34.110154.118.29.248185.84.181.81105.112.45.96
Email subject for initial contact:
Support TeamQuota TeamData Support TeamActivate QuotaSupport Activate QuotaSupport Quota UpgradeSupport Quota
Email subject for second contact, to internal victims post-compromise:
Fw: PaymentsOrder ReviewApproved InvoiceStatemens/InvoicesFYI
Domains used as landing pages:
hxxp://zagubieniwrzymie[.]com/invoice/hxxp://maycla[.]cl/sdf/hxxps://greenhilltour[.]com/sdfhxxps://onclesam[.]com/sdfhxxps://reyesmorenos.cl/sdf/?email=[recipient]hxxps://econit.cl/sdf/?email=[recipient]hxxp://www[.]litografiasgaudi[.]com/adminfile[.]php
When asked, Lior Gavish, VP Engineering, Content Security Services at Barracuda, also shared a large list of domains connected to Office 365 Phishing attempts.
Barracuda has been tracking Office 365 Phishing campaigns as well, and first reported on them back in August.