The Microsoft security team has issued a warning to Office 365 users and administrators to search for "malicious" phishing emails with spoofed sender addresses.
Microsoft has issued a warning after noticing an active campaign targeting Office 365 organizations with persuasive emails and many techniques to bypass phishing, including an Office 365 phishing page, Google web hosting and a compromised web application. a SharePoint site that encourages victims to enter their credentials.
"An active phishing campaign uses a sly combination of authentic sender's original email addresses, spoofed display sender addresses that contain targeted usernames and domains, and displays names that mimic legal services to try to pass through email filters." said the Microsoft team in an update.
Phishing is still a difficult business issue, requiring ongoing employee training and technical solutions, such as multi-factor authentication on all accounts - something that both Microsoft and CISA strongly recommend.
The phishing group uses Microsoft SharePoint in the displayed name to entice victims to click on the link. The e-mail message appears as a "file sharing" request for access to fake "Staff Reports", "Bonuses", "Price Books" and other content hosted on an alleged Excel spreadsheet. It also contains a link that goes to the "fishing" page and a lot of Microsoft branding.
While compelling Microsoft logos are scattered throughout the email, the main phishing URL is based on a Google storage resource that leads the victim to the "Google App Engine domain AppSpot" - a place to host web applications.
The second URL is embedded in the notification settings which links the victim to a compromised SharePoint site. Both URLs require a link to reach the final page, allowing the attacker to bypass the sandboxes.
This campaign is "more insidious than usual," Microsoft notes.
Microsoft has also posted details on GitHub about the infrastructure associated with fake emails that mimic the SharePoint and other electronic fishing products.
Source of information: zdnet.com