
Phishing Campaigns Evolving Rapidly; Using Innovative Tactics to Avoid Detection

 

Over the past few months, Microsoft Office 365 phishing campaigns have evolved rapidly, using tricks such as inverted login pages, per-recipient sub-domains, and sandbox detection to evade automated defenses. Some of the more notable tricks observed by security researchers are:

Detecting Sandboxes

Microsoft recently identified a phishing campaign that evades automated analysis by detecting security sandboxes. The campaign's URLs check for signs of a sandbox and, when one is detected, redirect to a legitimate website instead of the phishing landing page.

"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering," said Microsoft. 

"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."

This ensures that only real people, the intended victims, reach the landing page, while security researchers and automated scanners are steered away, which lowers the chance of the page being blocked.

The emails themselves are also well crafted and obscured, another way to slip past email gateways.

Inserting Custom Sub-domains

Another way these attackers have found to make phishing URLs more legitimate is by inserting custom subdomains for each user with their name and their organization's name. 

"This unique subdomain is added to a set of base domains, typically compromised sites," Microsoft explained. 

"Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient." 

"The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection."

Inverting Images of Webpages

This campaign serves a colour-inverted image of the webpage it imitates as its landing page. Security tools that inspect the page see only the inverted image, which does not match the genuine login page, so the page escapes detection.

For the user, the phishing kit reverses the inversion with Cascading Style Sheets (CSS), so the page looks like the original.

Google Ads

Another neat trick is to abuse Google Ads and Google Cloud Services, Microsoft Azure, Microsoft Dynamics, and IBM Cloud to host phishing pages, so that the pages appear legitimate and bypass secure email gateways.
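The per-recipient sub-domain trick described above (a Base64-encoded recipient address appended after the TLD) is something a mail filter can screen for. The following is an added example written for this page, not code from the original post or from Microsoft; the sample URLs, the hypothetical address and the function names are constructed.

```python
import base64
import re
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

# Constructed sample URLs. The last host label of the first one is the base64 encoding
# of the made-up address "john.doe@contoso.com" with its "=" padding dropped, since "="
# cannot appear in a hostname. The second URL is a benign control.
SAMPLE_URLS = [
    "https://john-contoso.example.com.am9obi5kb2VAY29udG9zby5jb20/office/login",
    "https://www.example.com/about",
]

def decode_label(label):
    """Return the e-mail address a host label or path segment base64-decodes to, else None.

    Padding is restored and both the standard and URL-safe alphabets are tried; the
    result must look like an address, which rules out ordinary words that happen to
    be valid base64.
    """
    cleaned = label.rstrip("=")
    if len(cleaned) < 8:  # too short to encode any address; skips "www", "login", etc.
        return None
    padded = cleaned + "=" * (-len(cleaned) % 4)
    for decoder in (lambda s: base64.b64decode(s, validate=True), base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except ValueError:  # not base64, bad padding, or non-ASCII bytes
            continue
        if EMAIL_RE.match(text):
            return text
    return None

def find_encoded_recipient(url):
    """Return ("host"|"path", address) for the first component that decodes to an address, else None."""
    parts = urlparse(url)
    # Use netloc rather than .hostname: hostname is lower-cased, which would corrupt base64.
    host = parts.netloc.rsplit("@", 1)[-1].split(":")[0]
    for label in host.split("."):
        addr = decode_label(label)
        if addr:
            return ("host", addr)
    for segment in parts.path.split("/"):
        addr = decode_label(segment)
        if addr:
            return ("path", addr)
    return None

def triage(urls):
    """Map each URL to its decoded recipient (or None) so a mail filter can flag the hits."""
    return {u: find_encoded_recipient(u) for u in urls}
```

A hit is doubly useful: the decoded address tells you which mailbox the lure was built for, which is the account to check for a successful login.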

FileWall, a Content Disarm and Reconstruction Solution for Microsoft 365 by Odix

In recent months there has been an exponential surge in malware attacks. According to Check Point, the last quarter alone saw a 50% increase in malware attacks. “In the last 3 months, there has been a 50% increase in the daily average of attacks, compared to the first half of 2020. US ransomware and malware attacks doubled (~98% increase) in the last 3 months, making it the #1 most targeted country for ransomware, followed by India, Sri Lanka, Russia, and Turkey”, reports Check Point.

CSO Online recently published a report with staggering results: in its sample, 92% of malware was delivered by email. Another report, by Symantec, states that 48% of malicious email attachments are Office files. With numbers like these, the question is not whether you will suffer a malware attack but when.

So ehackingnews looked into cybersecurity products for email, phishing malware and file protection, and one company stood out with promising technology and a competent product: Odix and its patented Content Disarm and Reconstruction (CDR) technology.

Odix, CDR, and FileWall

Odix, headquartered in Israel with clients in the US and Europe, recently entered the Indian market. It specializes in anti-malware tools built on its patented Content Disarm and Reconstruction (TrueCDR™) technology. Rather than trying to detect attack vectors and malware, which cannot keep up with every new malware variant, CDR takes your file, removes any potentially malicious content, and hands you a clean, malware-free copy.
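As an added illustration of the disarm-and-reconstruct idea (example code written for this page, not Odix's or FileWall's implementation), the following Python rebuilds a Word OOXML package with its active-content parts removed and the package's content-type and relationship entries adjusted so nothing dangles. The input is a constructed minimal package rather than a real document, and the part patterns are an assumption covering the usual macro, ActiveX and OLE locations.

```python
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Word package parts that carry active content: VBA macros, ActiveX controls, embedded OLE objects.
ACTIVE_PART = re.compile(r"^word/(vbaProject\.bin|vbaData\.xml|activeX/|embeddings/)")

def drop_elements(xml_bytes, ns, tag, attr, should_drop):
    """Remove <tag> children whose attr value should_drop() flags, then re-serialise the part."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        if el.tag == f"{{{ns}}}{tag}" and should_drop(el.get(attr, "")):
            root.remove(el)
    ET.register_namespace("", ns)  # keep the part's default namespace when writing it back
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def disarm_docx(data):
    """Rebuild the package without active parts; return (clean_bytes, removed_part_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = [n for n in src.namelist() if ACTIVE_PART.match(n)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name in removed:
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":  # drop content-type registrations of removed parts
                payload = drop_elements(payload, CT_NS, "Override", "PartName",
                                        lambda p: p.lstrip("/") in removed)
            elif name.endswith(".rels"):  # drop relationships that would now point at nothing
                base = posixpath.dirname(posixpath.dirname(name))  # part the .rels file belongs to
                payload = drop_elements(payload, REL_NS, "Relationship", "Target",
                    lambda t: posixpath.normpath(posixpath.join(base, t)).lstrip("/") in removed)
            dst.writestr(name, payload)
    return out.getvalue(), removed

def build_sample_docm():
    """Constructed minimal macro-enabled package (not a real document) to feed disarm_docx."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override '
            'PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/vbaProject.bin": "CONSTRUCTED PLACEHOLDER, NOT A REAL VBA PROJECT",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A production CDR would also rewrite the main part's macro-enabled content type to the plain document type and cover the many other active-content carriers (DDE fields, external links, other Office formats), which this example leaves out.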

“Everybody is seeing a flood of malware and we see millions of new unique samples every day and the common method to deal with that is detection. You get something and you check it and determine whether it's malicious or not but the amount of new malware that we are seeing in the world every day makes it impossible for detection based solutions to keep up, we see them lagging behind and not being able to detect everything that comes out and the concept behind CDR is a bit different than it’s a detectionless method where the aim is to prevent the attack first and once we keep the attack out after that we go into layers of trying to analyze and disarm any active content that might serve as a vector to deliver malware and malicious payloads and by doing that you can provide a safe copy to the user without burning yourself to detect any new thing that comes out” said Mr. Omri, CTO at Odix, in conversation with ehackingnews.

“Normally CDR was something only large corporations were thinking about because it requires a lot of effort, deployment, integration. With FileWall, you get an affordable service – a dollar per user per month, unseen in the case of CDR and a game-changer,” says Ms. Revital, CMO of Odix.

What differentiates FileWall and Odix’s CDR from other CDR providers is efficiency and a focus on the particular file types that pass through email in FileWall, so the analysis of those file types is very advanced and efficient. Odix is constantly adding more file types, and although the protection is strictly file-based, the company is working towards a third-party URL solution and URL rewriting for false links inside files. As CTO Mr. Omri says, “We used to look at CDR as a solution and preventive measure while now we’re starting to look at CDR as a vehicle that knows how to dive into files and so to partner with different players with security space” to give a more secure and encompassing solution.

One caveat with CDR is that, although it is exceedingly competent with database files, with executable files “modifying them breaks them”, so it is better to treat CDR plugins and FileWall as an additional layer of security for your files; such files would in any case already be scanned by Microsoft’s ATP (Advanced Threat Protection).

At 1 dollar per user per month, Odix’s FileWall with CDR technology is a promising file security solution for Microsoft 365 users.

Microsoft 365 Services Restored After Hours Long Outage


Recently Microsoft was hit with a massive global outage that interrupted users’ access to multiple services, including Outlook.com, Office 365, Teams, Exchange, Azure, OneDrive, Dynamics 365, SharePoint, and other cloud-based services.

As per the Azure status history page, the users who were trying to access any of Microsoft’s services encountered issues with logging in and server connection as the downtime started around 21:25 UTC on Monday.


The interruption was relatively short-lived, lasting several hours before Microsoft engineers fixed the issue and successfully rolled back their systems on Tuesday.

During the global pandemic, with physical access restricted all over the world, outages of online services have become even more disruptive, as the number of people relying on them for work and study has grown by a remarkable margin. With classrooms moved online, students and educational institutions are heavily dependent on services offered primarily by Microsoft and Google.

Giving insights on the matter, Microsoft said “Users who were not already authenticated to the cloud services using Azure AD would have seen multiple authentication request failures. The impact was primarily in the Americas based on the issue being exacerbated by load, but users in other regions may also have experienced some impact. Users that had previously authenticated prior to the issue may not have experienced any noticeable effect.”

Acknowledging the issue, Microsoft 365 Status said in a tweet, “we’ve received reports of users experiencing issues accessing their Exchange Online accounts via Outlook on the Web. Our initial investigation indicates that India-based users are the primarily impacted audience. Further details can be found in your admin center under EX223208.”

“We took corrective actions to mitigate the impact to Exchange ActiveSync and have confirmed that service has been restored after users force a sync on their impacted devices. More information can be found under EX223053 in the admin portal,” Microsoft 365 Status said in another tweet.

The issues affecting Microsoft’s online authentication systems have been resolved by the company and the services are restored. Most users reported their system being fully recovered and services functioning normally again.

A Provider of Cyber Security Training Loses 28,000 Items of Personally Identifiable Information (PII) In a Data Breach


The SANS Institute, a provider of cybersecurity training and certification services, lost roughly 28,000 items of personally identifiable information (PII) in a data breach that occurred after a single staff member fell for a phishing attack.

The organization discovered the leak on 6 August 2020 while conducting a systematic review of its email configuration and rules.

During this review, its IT team identified a suspicious forwarding rule and a malicious Microsoft Office 365 add-in that together had been able to forward 513 emails from one employee's account to an unknown external email address before being detected.

While the majority of these messages were innocuous, a number included files containing email addresses, first and last names, job titles, company names and details, addresses, and countries of residence.

SANS is currently conducting a digital forensics investigation headed by its own cybersecurity instructors and is working both to ensure that no other data was compromised and to identify areas in which it can harden its systems.

When the investigation is complete, the organization intends to share all its findings and lessons with the wider cybersecurity community.

Lastly, Point3 Security strategy vice-president Chloé Messdaghi says that "Phishers definitely understand the human element, and they work to understand peoples’ pain points and passions to make their emails more compelling. They also know when to send a phishing email to drive immediate responses."

She concluded: "The final takeaway is that we all need to stay aware and humble – if a phishing attack can snag someone at the SANS Institute, it can happen to any of us who let our guard down."

Microsoft Office 365 Users Targeted By a New Phishing Campaign Using Fake Zoom Notifications



As people across the world cope with the coronavirus pandemic by switching to working from home, the usage of and demand for cloud-based communication platforms offering audio and video conferencing has surged.

Zoom is one such platform; since the beginning of 2020 it has seen an extremely sharp increase in new monthly active users as huge numbers of employees adopted remote working.

Recently, however, Microsoft Office 365 users have been targeted by a new phishing campaign that uses fake Zoom notifications to warn users in corporate environments that their Zoom accounts have been suspended, with the ultimate goal of stealing Office 365 logins.

Those targeted by this campaign are reportedly more inclined to believe such emails at this time, since the number of remote workers joining daily online meetings through video conferencing platforms such as Zoom has risen sharply because of stay-at-home orders and lockdowns brought about by the pandemic.

So far the phishing campaign mimicking automated Zoom account suspension alerts has reached more than 50,000 mailboxes, according to researchers at email security company Abnormal Security, who identified these ongoing attacks.

The phishing messages spoof an official Zoom email address and are designed to imitate a genuine automated Zoom notification.

The spoofed sender address and an email body almost free of grammar mistakes or typos (apart from an obvious 'zoom' instead of 'Zoom account') make these phishing messages more persuasive and potentially more effective.

The cheerful "Happy Zooming!" at the end of the email could raise some suspicion, however, as it does not quite fit the tone of the rest of the message.




As soon as users click the "Activate Account" button, they are redirected to a fake Microsoft login page via 'an intermediary hijacked site'.

On the phishing landing page they are asked to enter their Outlook credentials into a form that sends the account details to attacker-controlled servers.

If they fall for the trick, the victims' Microsoft credentials are used to take full control of their accounts, and all their data is there for the taking, later to be used in identity theft and fraud schemes such as Business Email Compromise (BEC) attacks.

The US Federal Bureau of Investigation (FBI) had already warned of BEC abusing popular cloud email services such as Microsoft Office 365 and Google G Suite, in Private Industry Notifications issued in March and April. Even so, Office 365 users continue to be targeted by phishing campaigns whose ultimate objective is harvesting their credentials.

Microsoft has also warned that phishers are moving to newer strategies such as consent phishing, alongside conventional email phishing and credential theft attacks.

Microsoft Partner Group PM Manager Agnieszka Girling says, "While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services."

The company has additionally taken legal action to take down part of the attack infrastructure used to host malicious Office 365 OAuth apps employed in consent phishing to hijack victims' Office 365 accounts.

Phishing Attacks Can Now Dodge Microsoft 365's Multi-Factor Authentication


A phishing attack has recently been found stealing confidential user data stored in the cloud. According to sources, this is the work of a new phishing campaign that bypasses Office 365 Multi-Factor Authentication (MFA) to acquire the target’s cloud-stored data, then uses that data as leverage to extort a ransom in Bitcoin.

Per reports, researchers found that the campaign leverages the “OAuth2 framework and OpenID Connect (OIDC) protocol”. It uses a malicious “SharePoint” link to trick targets into granting permissions to “rogue” applications.

MFA serves as a fallback for cases in which a user’s password has been compromised. This phishing attack is different: it tricks targets into helping the attackers bypass MFA by granting permissions themselves.

This campaign is not just about extracting ransoms with the stolen data; there is the additional threat of sensitive personal information being left at large for others to exploit. Extortion and blackmail are among the first things the data could be misused for.

Sources noted that by obtaining ordinary emails and information from the target’s device, the attacker could easily craft “hyper-realistic Reply-Chain phishing emails.”

The phishing campaign uses an ordinary-looking invitation to a SharePoint file that supposedly contains information about a “salary bonus”, which is enough for a cursory reader to be trapped, reports say.

When clicked, the link redirects the target to a genuine Microsoft Office 365 login page. Looked at closely, however, the URL appears fishy and put together without much attention to detail, according to the security experts.

Reportedly, access to Office 365 is obtained by acquiring a token from the Microsoft Identity Platform and then using Microsoft Graph permissions. OIDC verifies the identity of the user granting access; if authentication succeeds, OAuth2 grants the application the requested access. At no point in this process are the user’s credentials revealed to the application.

The URL contains “key parameters” that explain how targets can be tricked into granting permissions to rogue applications on their account: these parameters state the kind of access being requested from the Microsoft Identity Platform. In the attack described, the request asked for an ID token and an authorization code, sources said.

If the target signs in through the SharePoint link delivered by email, they grant the permissions described above. If they do not, it falls to the domain administrators to handle any suspicious activity.
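The "key parameters" the report mentions can be inspected before anyone signs in. The following is added example code written for this page, not from the report or from Microsoft: it parses a link to the identity platform's authorize endpoint and flags an unknown client_id, the combined code + id_token response type, high-risk scopes and a non-HTTPS redirect. The approved client ID, the scope list and the sample link are constructed assumptions, not values from the campaign.

```python
from urllib.parse import urlparse, parse_qs

AUTHORIZE_HOST = "login.microsoftonline.com"

# Hypothetical allowlist of application (client) IDs the tenant has already reviewed.
# The value is a placeholder, not a real application ID.
APPROVED_CLIENT_IDS = {"00000000-0000-0000-0000-000000000001"}

# Microsoft Graph / OIDC scopes whose grant gives an app persistent or broad access:
# offline_access yields a refresh token, the others read or send the user's data.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read"}

# Constructed sample: the kind of "salary bonus" link described in the article,
# with a made-up client_id and a reserved .example redirect host.
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code%20id_token"
    "&redirect_uri=https%3A%2F%2Fbonus-docs.example%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Files.Read.All"
    "&response_mode=form_post&nonce=constructed"
)

def triage_consent_link(url):
    """Return a list of findings for a link to the identity platform's authorize endpoint.

    An empty list means either the link is not an authorization request or it asks
    for nothing beyond what an approved application may request.
    """
    parts = urlparse(url)
    if parts.hostname != AUTHORIZE_HOST or not parts.path.endswith("/authorize"):
        return []
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    client_id = params.get("client_id", "<missing>")
    if client_id not in APPROVED_CLIENT_IDS:
        findings.append(f"unapproved client_id {client_id}")
    # Space-separated values: response_type chooses the flow, scope the permissions.
    if {"code", "id_token"} <= set(params.get("response_type", "").split()):
        findings.append("hybrid flow: requests both an ID token and an authorization code")
    risky = sorted(set(params.get("scope", "").split()) & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes: " + ", ".join(risky))
    redirect = params.get("redirect_uri", "")
    if urlparse(redirect).scheme != "https":
        findings.append(f"redirect_uri is not https: {redirect or '<missing>'}")
    return findings
```

The same checks apply after the fact to the tenant's consent audit log, where a grant to an unapproved client_id with these scopes is the event to hunt for.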

This phishing campaign is just one example of how attack techniques have evolved over the years, to the point where attackers can extract sensitive data from people simply by tricking them into granting permissions, without the victims having any idea what is actually going on.