sragan
Senior Staff Writer

Scammers sent follow-up emails in Office 365 phishing campaign

News | Oct 03, 2017 | 4 mins
Cybercrime, Fraud, Phishing

Actors, believed to be from Nigeria, are still pushing their BEC agenda

Credit: Martyn Williams

As previously reported on Salted Hash, a recent phishing email looking to harvest credentials was actually part of an ongoing phishing campaign targeting Office 365 customers.

The campaign has been going on since late 2016, and is responsible for at least 30,000 attempts since June based on a small number of active investigations.

Our last story on the topic revealed several indicators, including an extensive list of domains and IP addresses that were shared by Fujitsu and Barracuda. Today, we’re following up on that with some additional details, thanks to some readers who are dealing with these attacks themselves.

Follow-up phishing attempts:

Two weeks after the first email was sent to Salted Hash, the scammers sent a follow-up message informing us:

"This is the second mail we have send you, We recommend you update your mailbox now. (sic)"

The message construction was similar to the previous phishing attempt, down to the same mock-up Office 365 login portal, and a basic script designed to harvest credentials.

However, this follow-up message came from a different company (another victim), and used a different compromised WordPress install as the landing page.

Moreover, the message included some interesting wording in the email footer:

"The recipient should check this email and any attachments for the presence of viruses. [VICTIM COMPANY] accepts no liability for any damage caused by any virus transmitted by this email."

A third email arrived on September 27, two days after the follow-up. However, this one wasn’t attempting to upgrade our mail storage.

Instead, the context changed to purchase orders, and if the attached file (a *.order file) is opened in a browser, the HTML forwards the victim to a landing page that mimics an Excel document requiring credentials to access.

This third message came from a legitimate company in Brazil. The landing page is hosted on an outdated WordPress install used for a porn website in Spain.

More indicators & additional details:

Two readers approached Salted Hash shortly after our last story was published in order to share additional information and insight, as they too are seeing these campaigns.

One wished to remain anonymous, but said that the actors are setting up inbox rules in order to delete NDRs, or Non-Delivery Reports. The rules also delete messages matching the subjects being sent from the compromised account, and move all new replies to the phishing campaign to the Notes folder.

Our second source, Frank McGovern, a security engineer, confirmed the email rules observation, and noted that administrators needed to check and see if forwarding has been enabled on the compromised accounts in the Office 365 portal.

“We’ve mitigated forwarding and inbox rule forwarding by blocking internal emails from forwarding to external emails via Exchange admin center mail flow rules for Office 365,” McGovern said.
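The checks McGovern describes (mailbox forwarding, suspicious inbox rules, and a mail flow rule that blocks auto-forwarding to external recipients) can be run from Exchange Online PowerShell. The script below is an added example, not code from the article or from either source; it assumes the ExchangeOnlineManagement module and an admin account, and the transport rule is one way of expressing the policy he describes.

```powershell
# Added example: audit Office 365 for the persistence tricks described above.
# Assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and
# an account holding the Exchange Administrator role.
Connect-ExchangeOnline

# 1) Mailbox-level forwarding set in the Office 365 portal.
#    Any hit here deserves review; compromised accounts often have this set.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2) Inbox rules that hide evidence: delete mail (NDRs, replies),
#    move it to Notes, or forward/redirect it out of the mailbox.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn | Where-Object {
        $_.DeleteMessage -or
        $_.MoveToFolder -like '*Notes*' -or
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object {
        [pscustomobject]@{
            Mailbox      = $upn
            Rule         = $_.Name
            Enabled      = $_.Enabled
            Deletes      = $_.DeleteMessage
            MoveTo       = $_.MoveToFolder
            Subjects     = ($_.SubjectContainsWords -join ';')
            ForwardsTo   = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) +
                            @($_.RedirectTo) -join ';')
        }
    }
} | Format-Table -AutoSize

# 3) Mail flow rule: reject messages auto-forwarded by rules or mailbox
#    forwarding when they leave the organisation (the mitigation quoted above).
New-TransportRule -Name 'Block auto-forward to external recipients' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'
```

Step 2 lists rules for human review rather than deleting them, since legitimate users also create delete and move rules; remove confirmed malicious ones with Remove-InboxRule after resetting the account's credentials and sessions.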

Both explained that one of the biggest problems they’re having is that the phishing attacks are coming from legitimate companies that have fallen victim to the scam, so it’s harder to block. However, so far neither one has observed anything other than logins once accounts have been compromised, but they fear it is only a matter of time.

The two of them also shared additional indicators, which we’ve posted below.

A recent PhishLabs report says that phishing against SaaS platforms (which would include O365) increased in Q2 2017 by 104 percent, doubling the total volume observed in all of 2016 – adding more confirmation to the figure reported by AppRiver, which has seen more than 100 million Office 365 phishing emails so far this year.

Salted Hash will keep following the Office 365 phishing trend, and report new information as it becomes available.

Indicators:


Dating back to August 1, these IPs were observed making malicious logins to compromised accounts:
