Scammers sent follow-up emails in Office 365 phishing campaign

Actors, believed to be from Nigeria, are still pushing their BEC agenda

p1240381 11
Martyn Williams

As previously reported on Salted Hash, a recent phishing email looking to harvest credentials was actually part of an ongoing phishing campaign targeting Office 365 customers.

The campaign has been going on since late 2016, and is responsible for at least 30,000 attempts since June based on a small number of active investigations.

Our last story on the topic revealed several indicators, including an extensive list of domains and IP addresses that were shared by Fujitsu and Barracuda. Today, we're following up on that with some additional details, thanks to some readers who are dealing with these attacks themselves.

Follow-up phishing attempts:

Two weeks after the first email was sent to Salted Hash, the scammers sent a follow-up message informing us:

"This is the second mail we have send you, We recommend you update your mailbox now. (sic)"


The message construction was similar to the previous phishing attempt, down to the same mock-up Office 365 login portal, and a basic script designed to harvest credentials.

Office 365 Phishing email (second attack)

However, this follow-up message came from a different company (another victim), and used a different compromised WordPress install as the landing page.

Moreover, the message included some interesting wording in the email footer:

"The recipient should check this email and any attachments for the presence of viruses. [VICTIM COMPANY] accepts no liability for any damage caused by any virus transmitted by this email."


A third email arrived on September 27, two days after the follow-up. However, this one wasn't attempting to upgrade our mail storage.

Landing Page for an Office 365 Phishing attack

Instead, the context changed to purchase orders, and if the attached file is opened in a browser (it's a *.order file) the HTML will forward the victim to a landing page that attempts to mimic an Excel document requiring credentials to access.

This third message came from a legitimate company in Brazil. The landing page is hosted an outdated WordPress install used for a porn website in Spain.

More indicators & additional details:

Two readers approached Salted Hash shortly after our last story was published in order to share additional information and insight, as they too are seeing these campaigns.

One wished to remain anonymous, but said that the actors are setting up inbox rules in order to delete NDRs or Non-Delivery Reports. The rules also delete the email subjects being sent from the compromised account, and move all new mail responses to the phishing campaign to Notes.

Our second source, Frank McGovern, a security engineer, confirmed the email rules observation, and noted that administrators needed to check and see if forwarding has been enabled on the compromised accounts in the Office 365 portal.

"We’ve mitigated forwarding and inbox rule forwarding by blocking internal emails from forwarding to external emails via Exchange admin center mail flow rules for Office 365," McGovern said.

Both explained that one of the biggest problems they're having is that the phishing attacks are coming from legitimate companies that have fallen victim to the scam, so it's harder to block. However, so far neither one has observed anything other than logins once accounts have been compromised, but they fear it is only a matter of time.

The two of them also shared additional indicators, which we've posted below.

A recent PhishLabs report says that phishing against SaaS platforms (which would include O365) increased in Q2 2017 by 104-percent, doubling the total volume observed in all of 2016 - adding more confirmation to the figure reported by AppRiver, who has seen more than 100 million Office 365 phishing emails so far this year.

Salted Hash will keep following the Office 365 phishing trend, and report new information as it becomes available.

Indicators:

104.153.108.117
105.112.35.44
108.76.244.215
148.252.129.189
154.118.16.182
154.118.25.41
154.120.104.135
154.120.79.250
154.66.22.172
154.66.28.224
155.94.242.3
160.152.34.154
160.152.8.247
169.159.101.158
169.159.90.32
173.245.203.198
185.30.176.237
185.30.177.91
185.59.223.172
207.244.100.147
207.244.100.148
212.100.76.165
212.100.76.59
212.100.77.38
23.19.43.212
23.246.192.51
41.190.3.244
41.190.30.224
41.190.30.73
41.190.31.163
41.190.31.221
41.242.172.128
41.58.91.195
5.62.59.62
50.23.71.59
64.145.79.49
81.171.110.76
85.17.82.165

Dating back to August 1, these IPs were observed logging into accounts that were malicious:

104.237.128.125 - Linode
129.56.10.138 - Nigeria
162.243.16.118 - DigitalOcean
167.160.113.39 - Contina
174.24.108.45 - Qwest
184.75.213.191 - eSecureData
197.210.24.210 - Nigeria
198.11.221.130 - SurfEasy Inc.
199.58.164.137 - Fast Serv Networks
204.152.203.153 - QuadraNet
204.52.135.119 - SurfEasy Inc.
216.169.110.196 - Essential Services
216.172.134.148 - EGIHosting
23.235.227.108 - Secured Servers LLC
23.250.120.229 - B2 Net Solutions Inc.
24.14.26.226 - Comcast
41.86.234.159 - Africa
64.64.117.77 - LogicWeb Express VPN
67.231.16.205 - Idigital Internet Inc.
69.4.88.173 - Nigeria
70.32.35.147 - Nobis Technology Group
71.19.250.119 - Amanah Tech Inc.
96.47.226.19 - QuadraNet

NEW! Download the Winter 2018 issue of Security Smart