Microsoft Office 365 customers are the target of a phishing campaign whose bait emails pose as notifications from the recipient's own company, urging them to update the VPN configuration they use to access corporate data while working remotely. The emails, which appear to be VPN configuration update requests sent by the company's IT support department, have so far reached the inboxes of up to 15,000 targets, according to researchers at email security company Abnormal Security. These phishing emails are all the more dangerous because of the large percentage of employees who work remotely and use a VPN to connect to corporate resources from home, to share documents with their colleagues and to access corporate servers.
More specifically, the attackers spoof the sender's email address so that it matches the domain of the targeted organization, and embed hyperlinks that, instead of directing recipients to a new VPN configuration, send them to phishing sites designed to steal their Office 365 credentials. Abnormal Security stated that various forms of this attack have been observed across many customers, from different sender email addresses and from different IP addresses. However, the same payload link was used in all of the attacks, indicating that they were sent by a single attacker who controls the phishing website. These attacks could be highly successful in deceiving potential victims, as many recipients may click through and log in to their Office 365 accounts to avoid losing remote access to the company's servers and files.
The page victims land on is a "cloned" Office 365 login page hosted on the Microsoft-owned web.core.windows.net domain, abusing Azure Blob Storage, and it comes with a valid Microsoft certificate, which makes the phishing attempt much more difficult to detect. Abusing the Azure Blob Storage platform to target Office 365 users is the perfect scam, since the landing pages automatically receive their own secure padlock thanks to the wildcard SSL certificate for *.web.core.windows.net.
Using Azure Blob Storage subdomains to host phishing pages is a well-known and very effective tactic that has been reported in the past. These phishing attacks can be easily dealt with by setting custom Office 365 block rules that take advantage of the Office 365 ATP Safe Links feature to automatically block anything malicious. If you do not set block rules, the only way to make sure attackers are not trying to steal your credentials while you enter them into an Office 365 login form is to remember that the official login pages are hosted by Microsoft on the microsoft.com, live.com and outlook.com domains. Finally, last month, Abnormal Security researchers discovered another extremely convincing Office 365 phishing campaign that used "cloned" imagery from automated Microsoft Teams alerts in an attempt to steal credentials from nearly 50,000 users.
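The host check described above (official login pages on microsoft.com, live.com and outlook.com; the phishing pages on web.core.windows.net), as an added example that is not code from the article or from Abnormal Security. It matches hostnames on label boundaries so that lookalike hosts do not pass; the function names, the sample email body and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Login domains exactly as the article lists them; extend this tuple with
# whatever login hosts your own tenant actually uses (assumption: none added here).
OFFICIAL_LOGIN_DOMAINS = ("microsoft.com", "live.com", "outlook.com")
# Azure Blob Storage suffix the article says hosted the cloned login page.
BLOB_WEB_SUFFIX = "web.core.windows.net"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain (label-boundary match)."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str) -> str:
    """Return 'official', 'azure-blob-hosted' or 'untrusted' for one link."""
    try:
        parts = urlsplit(url.strip())
        # .hostname drops any userinfo ("user@") and port, and lowercases.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "untrusted"
    if parts.scheme != "https" or not host:
        return "untrusted"
    # Checked first: a valid padlock on this suffix proves nothing about the page.
    if _under(host, BLOB_WEB_SUFFIX):
        return "azure-blob-hosted"
    if any(_under(host, d) for d in OFFICIAL_LOGIN_DOMAINS):
        return "official"
    return "untrusted"


def blob_hosted_links(body: str) -> list:
    """Links in an email body that point at Azure Blob Storage web hosting."""
    return [u for u in URL_RE.findall(body)
            if classify_login_url(u) == "azure-blob-hosted"]


# Constructed sample message, not taken from the campaign.
SAMPLE_BODY = (
    "IT Support: your VPN configuration has expired. "
    "Update here: https://vpnconfig-sample.z13.web.core.windows.net/index.html "
    "Help desk: https://support.microsoft.com/"
)

if __name__ == "__main__":
    print(blob_hosted_links(SAMPLE_BODY))
```

A mail-filter rule built on the same idea would quarantine or rewrite messages for which `blob_hosted_links` returns anything, rather than relying on the recipient to inspect the address bar.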