Microsoft Office 365 customers are the target of a phishing campaign whose bait emails are disguised as notifications from their own company, urging them to update the VPN configuration they use to reach corporate data while working remotely. The phishing emails, which pose as VPN configuration update requests from the company's IT support department, have so far reached the inboxes of up to 15,000 targets, according to researchers at the email security company Abnormal Security. These emails are all the more dangerous because a large share of employees now work remotely and rely on a VPN to connect to corporate resources from home, to share documents with colleagues and to access corporate servers.
More specifically, the attackers spoof the sender address of the phishing emails so that it matches the domain of the targeted organization, and they embed hyperlinks that, instead of leading recipients to a new VPN configuration, send them to phishing sites built to steal their Office 365 credentials. Abnormal Security stated that several variants of this attack have been observed across many of its customers, sent from different spoofed senders and from different IP addresses. The same payload link was used in every attack, however, which indicates that they were all sent from a single phishing site under the attacker's control. These attacks could be very effective at deceiving potential victims, since many recipients are likely to click the link and sign in to their Office 365 account to avoid losing remote access to the company's servers and files. The page the targets are sent to is a cloned Office 365 login page hosted on Microsoft's web.core.windows.net domain, abusing Azure Blob Storage, and it is served with a valid Microsoft certificate, which makes the phishing attempt much harder to spot. Abusing the Azure Blob Storage platform to target Office 365 users is an ideal deception, because the landing pages automatically get a padlock icon in the browser thanks to the wildcard SSL certificate for *.web.core.windows.net.
Using Azure Blob Storage subdomains for phishing pages is a well-known and very effective tactic that has been documented before. These phishing attacks can easily be blocked by setting up custom Office 365 block rules that let Office 365 ATP Safe Links automatically block anything malicious. If you do not set up such rules, the only way to make sure attackers are not stealing your credentials as you type them into an Office 365 login form is to remember that the official login pages are hosted by Microsoft on the microsoft.com, live.com and outlook.com domains. Finally, last month Abnormal Security researchers uncovered another extremely convincing Office 365 phishing campaign that used cloned images of automated Microsoft Teams alerts in an attempt to steal the credentials of nearly 50,000 users.
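The two checks the article recommends, knowing the genuine Microsoft sign-in domains and treating *.web.core.windows.net login pages as suspect, can be turned into a simple mail-filter heuristic. The following Python is an added example written for this article, not code from Abnormal Security or Microsoft; the sample email body, the sender address and the `web.core.windows.net` subdomain in it are constructed, and `microsoftonline.com` is included in the allow-list because it is a real Microsoft sign-in domain, although the article does not name it.

```python
import re
from urllib.parse import urlparse

# Domains the article names as hosting the real Office 365 login pages, plus
# microsoftonline.com (a real Microsoft sign-in domain not named in the article).
MICROSOFT_LOGIN_DOMAINS = ("microsoft.com", "live.com", "outlook.com", "microsoftonline.com")
# Static-website suffix of Azure Blob Storage that the campaign abuses.
AZURE_BLOB_SUFFIX = "web.core.windows.net"
# Path/query fragments that suggest a Blob-hosted page is posing as a sign-in form.
LOGIN_HINTS = ("login", "signin", "office", "365", "vpn")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _host_matches(host, domain):
    # Exact match or a true subdomain; "microsoft.com.evil.example" does not match.
    return host == domain or host.endswith("." + domain)

def classify_url(url):
    """Return 'legitimate-microsoft', 'azure-blob-login-lure', 'azure-blob' or 'other'."""
    parsed = urlparse(url)
    # .hostname drops userinfo and port, so "https://microsoft.com@evil.example" -> evil.example
    host = (parsed.hostname or "").lower()
    if any(_host_matches(host, d) for d in MICROSOFT_LOGIN_DOMAINS):
        return "legitimate-microsoft"
    if _host_matches(host, AZURE_BLOB_SUFFIX):
        location = (parsed.path + "?" + parsed.query).lower()
        return "azure-blob-login-lure" if any(h in location for h in LOGIN_HINTS) else "azure-blob"
    return "other"

def analyze_email(sender, recipient_domain, body):
    """Flag the campaign's pattern: sender spoofed as internal plus a Blob-hosted login link."""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    spoofed_internal = sender_domain == recipient_domain.lower()
    verdicts = {url: classify_url(url) for url in URL_RE.findall(body)}
    lure_links = [u for u, v in verdicts.items() if v == "azure-blob-login-lure"]
    return {
        "spoofed_internal": spoofed_internal,
        "verdicts": verdicts,
        "is_lure": spoofed_internal and bool(lure_links),
    }

# Constructed sample modelled on the article's description (hostnames are made up).
SAMPLE_BODY = """IT Support: your VPN configuration expires today.
Update it here: https://corp-vpn-update.web.core.windows.net/office365/login.html?sid=1
Help centre: https://www.microsoft.com/en-us/"""

if __name__ == "__main__":
    print(analyze_email("it-support@corp.example", "corp.example", SAMPLE_BODY))
```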