Office 365 Phishing Attacks: Educating Our Attackers…
Why are hackers increasing levels of Office 365 phishing attacks? This article will explain some key processes how and why Office 365 phishing attacks are a persistent and ever evolving threat. Additionally, why we may be arming our attackers with the exact same phishing education tools as we provide our own users…
The typical Office 365 phishing attack process may be something like this…
- Spearphish attacker sends a fake O365 email which looks like it came from within your organisation (see spoof)
- The recipient user is invited to click a malicious link or open an attachment which includes a malicious link.
- The recipient will then be presented with a fake Office 365 login web page.
- The user then enters their Office 365 credentials on the fake O365 web page.
- Phish attack is now complete – credentials are sent to the attacker.
- Attacker will now access the users compromised mailbox.
Now that the attacker has access to the compromised users contacts – the attacker can use the compromised account to send spearphish emails to all contacts from a legitimate sender within the organisation.
Why is Office 365 the target?
Office 365 is approaching 160 million subscribed users. Making Office 365 users a target-rich environment for phishing attacks. Office 365 provides many tools and functionality which allows attackers to deploy a plethora or varied phish and spear phishing payloads.
It should come as no surprise that Microsoft Office 365 receives the highest number of direct phishing attacks globally. Office 365 is an exploit honey pot due to the files and sensitive data stored in collaboration tools, and productivity applications such as Sharepoint and OneDrive. It is increasingly important that organisations employ some form of Office 365 email protection
Ponemon Institute reveals, most organizations are not taking sufficient steps to protect sensitive content from accidental exposure or a data breach and that 52% of respondents data is stored in Sharepoint. Several noteworthy findings are:
- 49% had at least one confirmed data breach in the SharePoint environment in the past two years.
- 79% don’t believe existing tools are “very effective” at protecting sensitive content from accidental exposure or a targeted breach.
- 68% don’t have sufficient visibility into locations where sensitive data is located.
- 59% say their organization doesn’t do a good job ensuring SharePoint users interact with confidential or sensitive data appropriately.
View the report: Handle with Care: Protecting Sensitive Data in Microsoft SharePoint, Collaboration Tools and File Share Applications in US, UK and German Organizations
Following our earlier ‘typical process’ of a phishing attack, ‘Stage 2’ is where legitimate Office 365 credentials can be used to conduct spear phishing attacks from within the organization. By impersonating employees attackers are able to acquire more Office 365 credentials and spread across other organizations with the sole purpose of extracting financial payback via wire transfers, gift cards, ransom attacks etc.
Office 365 phishing attacks have taken on new levels of sophistication.
With well educated and trained business users looking out for phishing emails daily due to internal phishing awareness simulation programs (such as Wombat and KnowBe4). Attackers are deploying new tricks to evade capture. These tricks go well beyond building a web page that simply looks like an Office 365 login screen. Phishers take advantage of the Microsoft Azure Binary Large OBject (BLOB) storage as a means to build landing pages with real Microsoft signed SSL certificates and a windows.net domain. With credential stealing pages literally built on the same platform used by the recipient, users become easy prey.
Attackers also have access to the exact same phishing awareness training programs you are using. Are we naive enough to think that attackers do not have the knowledge to access the exact same user phishing awareness services to see where businesses may be falling short?