Salted Hash Ep 10: Office 365 phishing examples, the bad and the ugly

This week we look at some Office 365 phishing examples and consider why they work, as well as what can be done to defend against them

This week's episode of Salted Hash is a personal one, as we're taking a look at some Office 365 phishing emails that have targeted staffers at CSO Online and CIO.com. The attempts themselves are really low quality, but they work. We've covered this topic a lot this quarter and since we've gotten questions, it's clear some of you want to keep abreast of the situation.

This episode was filmed in late October. Since that time, there have been additional Office 365 phishing attempts, but they have started to slow down. This is a good thing, but it doesn't mean the problem is going away. Instead, it's more likely the unresponsive addresses are being purged as criminals adjust their delivery tactics.

When phishing emails arrive at CSO or CIO, the first thing that stands out is the fact that they're coming from a domain (usually a business) with a good reputation. This helps avoid email filters, and in some cases added legitimacy to the campaign itself. However, most of the attempts seen by Salted Hash center on IT related communications, which is both good and bad.

The good part of that situation is due to how IT takes care of us at IDG. We know what their emails look like, so when someone pretends to be them and capture our credentials, the attempt is likely going to fall flat.

The bad part is the reality that no two IT departments are alike, and organizations do different things for awareness training. Thus, it's possible that these phishing attempts could come off as realistic in some settings.

Another observation centers on the landing page, where the victim is directed after clicking on a link in the email. More often than not, these landing pages exist on websites that have been compromised.

Some of them are abandoned WordPress installations, while others are legitimate businesses running vulnerable scripts or have flawed development. In one case, the email came from the root FQDN (fully qualified domain name) of a server, which housed several compromised websites that were being used for phishing.

While Salted Hash makes efforts to alert victim webhosts and website operators of the problem, by the time those warnings are addressed, the criminals have long since moved on. This is normal, albeit frustrating, as criminals constantly have to move hosts in order to keep the scam going.

In some cases, the criminals leave their phishing kits exposed to the public. When this happens, we're able to see how their attack works and learn more about them.

One of the emails that came to Salted Hash had a link that pointed directly to the phishing kit itself, allowing us to see that the criminal responsible was storing compromised credentials in a Gmail account for later retrieval.

Coincidentally, this kit produced a low-quality phishing attack that goes beyond basic and generic, it's just a countdown clock and form to enter a username and password. The premise is that if you don't enter credentials before the clock expires, you'll have your email account deleted. We watched the clock hit zero, but nothing happened.

We've said it before, but it's worth repeating. Sometimes awareness training programs focus on "stranger danger" and don't really address what happens or could happen when the phishing emails appear to come form within. (The call is coming from inside the house!)

While some of the more recent Office 365 phishing attacks we've seen are overly basic, it's clear even the basic, awful attempts are working. Which is why it's helpful to tune awareness programs so they fit with the company.

For example, make sure employees understand how IT is likely to communicate with them about email problems, and what information might be needed. For example, IT will never need your username and password, and they won't ask for it via a basic form or via email.

It's also important to remember that just because a website uses HTTPS (most users just know this as the padlock, and if you mention SSL or TLS you'll see their eyes glaze over), that doesn't mean it's legitimate. It's too easy to generate a domain validated certificate these days, and criminals are using them in their phishing attempts.

Finally, encourage reporting and stress that falling victim to phishing attacks isn't a career ending situation. Remove the fear. No one is perfect, and those of us who cover this space are keenly aware that we're all on borrowed time, as it's always a matter of 'when' not 'if' for phishing attacks.

Related:
NEW! Download the Fall 2018 issue of Security Smart