A new credential-stealing phishing campaign has been targeting Microsoft Office 365 and Outlook customers in the US.
According to an analysis by the cloud security company Zscaler, the offensive was launched in May and is specifically targeting organizations in the military, security software, manufacturing supply chain, healthcare and pharmaceutical sectors.
The threat actors behind the offensive use fake voicemail notifications to trick victims into opening a malicious HTML attachment. They spoof the sender’s address, making it look like the email message came from an address belonging to the targeted organization. HTML attachments often bypass email gateway filters because the HTML file type is not, by its very nature, malicious.
When a recipient of the email clicks the attachment, JavaScript code redirects the target to a phishing site. The format of the URL is cleverly crafted to make it look as though it is a legitimate subdomain of the target organization.
The user is taken to a CAPTCHA check, which is intended to bypass anti-phishing tools and to make the site appear more legitimate in the eyes of the target.
After passing the CAPTCHA test, the users are taken to a genuine-looking phishing page asking them to enter their Office 365 credentials. These credentials are then sent directly to the hackers.
Careful users will notice that the login page does not belong to Microsoft but rather uses one of the following domains:
That’s why it is critically important for users to double-check and confirm that they are on a real login page before submitting or even entering their credentials. Typically, users are already logged in to their account, so the fact that they are asked to sign in again should raise alarms.
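The attachment behaviour described above can also be checked for at the mail gateway. The following is an added example, not code from Zscaler's analysis or from this article: it extracts script and meta-refresh redirect targets from an HTML attachment and reports hosts that carry the organization's name as a label without being under its real domain. The domain example.com, the .test hosts and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Literal script navigations: location = "...", location.href = "...", location.replace("...")
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)
META_URL = re.compile(r"""url\s*=\s*['"]?([^'";]+)""", re.I)

class RedirectFinder(HTMLParser):
    # Collects URLs an HTML file navigates to without any user interaction.
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.in_script = True
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            match = META_URL.search(attrs.get("content") or "")
            if match:
                self.targets.append(match.group(1).strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for match in JS_REDIRECT.finditer(data):
                self.targets.append(match.group(1) or match.group(2))

def suspicious_redirects(html, org_domain):
    """Hosts that carry the organization's name as a label but are not under its domain."""
    finder = RedirectFinder()
    finder.feed(html)
    org_domain = org_domain.lower()
    org_label = org_domain.split(".")[0]
    hosts = [(urlsplit(u).hostname or "").lower() for u in finder.targets]
    return [h for h in hosts
            if h and h != org_domain and not h.endswith("." + org_domain)
            and org_label in h.split(".")]

# Constructed sample attachment (assumption); hosts use the reserved .test TLD
SAMPLE = '<html><body><script>window.location.href = "https://example.vm-portal.test/listen";</script></body></html>'
print(suspicious_redirects(SAMPLE, "example.com"))
```

Only URLs written literally in the script are matched; a URL that the script decodes or assembles at run time has to be recovered by rendering the attachment in a sandbox.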
If you are unsure of any emails in your inbox including those you received in your Office account, contact Kelly or Carisa at Tech TroubleShooters for advanced email protection consultation.