Sophisticated Microsoft Spoof Targets Financial Departments


Highlights:

  • A large Microsoft 365 spoofing campaign evades Office 365’s native defenses and other email security defenses to target financial departments, C-suite executives and executive assistants across the financial services, insurance and retail industries.
  • Attackers even specifically targeted newly-selected CEOs during critical transitionary periods.
  • The credential harvesting campaigns utilized a variety of sophisticated techniques, including spoofing various Microsoft 365 service updates; using Microsoft-themed sender domains (to bypass email authentication); including PDF/HTM/HTML attachments; and leveraging advanced phishing kits.
  • Although Area 1 blocked these campaigns, had the campaigns been successful, the attackers could have, for example, gained access to sensitive data of third parties to send fraudulent invoices and launch additional Business Email Compromise attacks.

Area 1 Security recently stopped a sophisticated Microsoft Office 365 credential harvesting campaign targeting C-suite executives, high-level assistants, and financial departments across numerous industries, including financial services, insurance, and retail. Further research and analysis of the activity revealed a much larger operation than originally discovered. This included several additional directly-related credential phishing campaigns that targeted the same industries and positions using sophisticated techniques and advanced phishing kits, to bypass Microsoft’s native email defenses and email authentication.

The campaigns, which began in early December and continued through February, targeted only select individuals at each company. Unlike the “spray and pray” method often seen with these types of cybercriminal-driven credential harvesting campaigns, this limited activity suggests a more targeted approach.

A large majority of the phishing attacks stopped by Area 1 Security were headed to financial controllers and treasurers at various international companies. By targeting the financial departments of these companies, the attackers could potentially gain access to sensitive data of third parties through invoices and billing, commonly referred to as a BEC (Business Email Compromise) attack. This enables the attackers to send forged invoices from legitimate email addresses to suppliers, resulting in payments being made to attacker-owned accounts.

Beyond financial departments, the attackers also targeted C-suite and executive assistants. Targeting high-level assistants is an often overlooked method of initial entry, despite these employees having access to highly sensitive information and an overall greater level of privileges.

In a few instances, the attackers even attempted to bait newly-selected CEOs of two major companies before any public announcements of this significant senior executive changeover were made.

By sending phishing messages during this critical transitionary period, the attackers likely hoped to catch the new CEOs off guard while they were focused with managing the new challenges that come with running a business.

What makes these phishing campaigns most noteworthy were the sophisticated methods employed by the threat actors at every step of the attack.

Clever tactics were used to not only craft the phishing messages, but also to send those messages, as well as to obtain passwords. These methods utilized a number of techniques at every step — including legitimate-looking domains and login pages, plus advanced phishing kits — to bypass email authentication and Microsoft’s email defenses.

It’s clear that the masterminds behind these attacks possess above-average skills compared to your typical credential harvesting schemers.

A Not-So-Secure “Office 365 Update”

The first credential harvesting campaign, which initially bypassed Microsoft’s defenses and other email security layers before being discovered by Area 1 Security, involved emails containing purported instructions for applying an Office 365 security update, as detailed in Figure 1.

[Figure 1. Phishing Message with Office 365 Brand Spoof]

A bulk of the phishing messages had the Subject, “Important Service Changes”, and contained a number of sender display names that ranged from generic “no-reply” addresses to company-specific names.

However, other Subject lines, as observed in the additional related campaigns, included “PDF New Policy”, “PDF Service” and “Voice Message Received from Unidentified CallerID”. These related campaigns tailored the messages by also including the targeted company’s name in the Subject line.

To add legitimacy to the messages, an overwhelming majority of the observed phishing emails were sent from addresses with Microsoft-themed sender domains, such as microsoftoutlookwebservices[.]online and outlookonlinewebservices-com[.]online. The attackers also properly configured the SPF records for these domains to better ensure their messages passed email authentication.

In an effort to further avoid detection, the threat actors leveraged their Microsoft-imposter domains in the phishing attacks not long after they were registered.

This quick domain registration turnaround is a common tactic employed by scammers hoping to bait as many victims as possible before their newly registered domains are identified as phishing infrastructure.

In some cases, the attackers even compromised benign email accounts and used them to send the phishing messages in an attempt to stifle attribution to known actor-controlled phishing infrastructure. They also spoofed email addresses of poorly-configured legitimate sender domains, exploiting inherent weaknesses in email authentication protocols to allow them to easily evade phishing protection solutions.

Using Microsoft-themed update lures, the attackers appeared to take advantage of the general lack of security awareness that plagues most companies. Microsoft does not proactively send security alerts and updates of this nature via email to end-users, which should be the first sign of foul play. At most, a monthly security notification is sent to network administrators detailing recent Common Vulnerabilities and Exploits (CVEs).

However, because knowledge of an enterprise’s security update process is mostly unknown beyond the IT department, a significant number of employees could easily fall for this phish.

Ironically, fraudsters are constantly profiting off of angst surrounding ongoing cybersecurity scares, like the now-infamous SolarWinds breach, and they know that targets are likely to click out of fear that their noncompliance could be the source of another breach.

See Attachment to “Apply Update”

The phishing messages contained just enough details to lure unsuspecting targets into opening the attachment, which was either a PDF, HTML, or HTM file. Depicted in Figure 2 is an example of the PDF attachment, which contains redacted target information, including full name, email address, and company logo.


[Figure 2. Example PDF Attachment with Link to Office 365 Credential Harvester]

A majority of the targeted email accounts followed the format @, making the inclusion of full names in the attachments fairly effortless from an automated standpoint. However, even in cases where only initials appeared in the email address, the attackers still managed to include the target’s full name in the PDF attachment. This indicates that the threat actors conducted additional reconnaissance to carefully craft their phishing lures.

To fulfill the attacker’s request and “install” the feigned security update, the target would need to click on the “Apply Update” button, where they would be taken to one of several spoofed Office 365 login pages. This additional step for loading the credential harvesting site was only required if the target received a PDF attachment.

For both the HTML and HTM attachments, the credential harvesting site would automatically load in the victim’s browser once the file was opened. As shown in Figure 3, the attackers tried to avoid detection by using the JavaScript escape function to encode the HTML that loads the malicious web page.


[Figure 3. Encoded HTML For Loading Credential Harvesting Site]

Once the code is unescaped, as detailed in Figure 4, you can see how the attackers used HTML “meta” refresh to direct the victim’s browser to load the credential harvesting site.


[Figure 4. Decoded HTML For Loading Credential Harvesting Site]

This functionality is one small part of a fairly advanced phishing kit that enabled the attackers to, at least initially, sneak past Microsoft’s Office 365 native defenses, and several other email security solutions, before being identified and stopped by Area 1 Security.

Stealthy Office 365 Phishing Websites and Phishing Kits

Once the target opens the HTML or HTM attachment, or clicks the “Apply Update” button, their browser will follow a series of HTTP redirects and client-side redirects via JavaScript or Meta fields. For example, one of the many links in the phishing messages that Area 1 Security observed included:

hxxps://simpus3.bandungkab.go[.]id/?username=

If clicked, the target’s browser would then redirect to the URL:


hxxps://microsoftofficeonlineservices[.]outlookprivacypolicy[.]online/common/?client_id
=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&response_type=code+id_token&
scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dKZeFMEdbUJBGtfhET_m7H
pFINC_qWyaoYc_JS_C5znhJs0YOuquvhkEmzMzK3Ntri00CKVrHEJkyja-3DIXEvtgEaRE5mZ-jAKkVOhjSG4ud7eS1OS
BeHlkBsB4tQsqP&nonce=637037128007965152.ODZmZWY4MGMtYzYwNC00M2NjLThmZWEtYmE4OTJiNmI1MWE2OWQ
wYWVkZWQtMjE2My00ZDcyLWEwN2UtN2M3ODA3OGZiNWY3&redirect_uri=https%3a%2f%2fwww[.]office[.]com
%2f&ui_locales=en-US&mkt=en-US&client-request-id=c36fe010-0bb6-4e01-94f8-a8683b752a6d

As shown in Figure 5, this URL links to the landing page for the credential harvester, which displays a very convincing Microsoft-themed “privacy policy” statement.


[Figure 5. Fake Microsoft Privacy Policy Statement]

In the upper-right corner of the page is a uniquely photoshopped image of the Microsoft logo. Area 1 Security researchers overlaid this image on a black background, as depicted below, to highlight where the attackers edited the original logo.


[Figure 6. Photoshopped Microsoft Logo]

If the target clicks the “Accept” button on the privacy policy statement, they are further redirected to a fake Office 365 login page:


hxxps://microsoftofficeonlineservices[.]outlookprivacypolicy[.]online/common/oauth2-author
ize/#client_id=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&response_type=
code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dKZeFMEdbU
JBGtfhET_m7HpFINC_qWyaoYc_JS_C5znhJs0YOuquvhkEmzMzK3Ntri00CKVrHEJkyja-3DIXEvtgEaRE5mZ-jAKkVOh
jSG4ud7eS1OSBeHlkBsB4tQsqP&nonce=637037128007965152.ODZmZWY4MGMtYzYwNC00M2NjLThmZWEtYmE4OTJi
NmI1MWE2OWQwYWVkZWQtMjE2My00ZDcyLWEwN2UtN2M3ODA3OGZiNWY3&redirect_uri=https%3a%2f%2fwww[.]o
ffice[.]com%2f&ui_locales=en-US&mkt=en-US&client-request-id=c36fe010-0bb6-4e01-94f8-a8683b752a6d

The page looks identical to the legitimate login, and to appear all the more convincing, the logo associated with the domain of the targeted company is dynamically loaded. More specifically, the domain appearing in the target’s email address is used to grab the company logo from the site logo.clearbit.com (i.e., http://logo.clearbit.com/). For demonstration purposes, the fake email “[email protected][.]com” was used to illustrate how the phishing kit displays the Google logo based on the “google.com” domain found in the “victim” email address.


[Figure 7. Fake Office 365 Login]

In some cases, the attackers were even more stealthy by prefetching the localized Office 365 sign-in:
If the victim entered their email address, the attacker would verify it was a valid Office 365 address.
In instances where the entered email address used Conditional Access, a different single sign-on (SSO), Active Directory Federation Services (ADFS), etc., the phishing kit would essentially break and the victim would simply be redirected to the legitimate sign-in experience.

If the victim entered their password, it would be sent to the attacker as form data via an HTTP POST request to:

hxxps://microsoftofficeonlineservices[.]outlookprivacypolicy[.]online/common/oauth2-authorize/index[.]php

At this point, the attacker could gain full access to the victim’s email account, and possibly other systems or services if the victim reused their password.

A closer look at the source code for the credential harvesting sites revealed that the threat actors used free-use licenses for front-end web development to assist in creating an advanced phishing kit to clone the Microsoft login page.

For some of the observed campaigns, the phishing kit created different subdomains based on the email address hardcoded in the URL. Altering the email address would break the link and cause a redirect to either a spoofed Microsoft Service Agreement page, the Google homepage, or simply a blank page.

Unlike your typical run-of-the-mill credential harvesters where any email address can be entered as a URL parameter without affecting its functionality, this activity implies the threat actors were interested in a specific predetermined target list.

Another major difference in this phishing campaign compared to typical credential harvesters — and basic phishing kits for that matter — was the use of websockets to send screenshots back to the attackers on each click, in particular when a victim clicked the “Next” button after entering their email address and password.

Figure 8 highlights how JavaScript is used to execute the screenshot functionality and encode the resulting image in Base64.



[Figure 8. Evidence of Phishing Kit Base64-Encoding Screenshots]

It’s evident that the various campaigns observed by Area 1 Security leveraged an advanced phishing kit that used a variety of techniques as noted above, as well as a diverse set of phishing infrastructure.

At least nine different domains were used to host the credential harvesters. Four of these domains had Microsoft-themed names and appeared to be controlled by the attackers:

  • microsoftofficeonlineservices[.]com
  • outlookprivacypolicy[.]online
  • office-policy-center[.]com
  • ms365[.]us

Not surprisingly, the remaining domains were legitimate websites compromised by the attackers and co-opted for use in their phishing operations. There are a range of benefits for attackers in choosing benign sites to host malicious content, not the least of which includes the site’s positive reputation. It also reduces the attacker’s need to purchase infrastructure that could more easily be traced back to them.

Despite the fact that these credential harvesters spoofed a Microsoft login page, many of the sites remained active for a considerable time before being flagged as malicious and taken down. This game of “whack-a-mole” was hardly enough to deter these fraudsters. With each takedown, new phishing infrastructure quickly surfaced.

How to Stop Credential Harvesters

With threat actors well-equipped for stealing employee credentials, it is vital that companies prepare adequate defenses to protect users from falling victim to these login-themed attacks. As attackers continuously invent new ways to bypass defenses, including the use of advanced phishing kits, security practitioners need to turn to solutions on the cutting edge of email security technology in order to block these highly-damaging phishing campaigns.

New tactics and methods may be able to trick legacy vendors and cloud email providers such as Microsoft, but Area 1 Security’s cloud-native email security solution stops these attackers dead in their tracks. Our advanced Machine Learning and Artificial Intelligence technologies allow our algorithms to uncover new tactics used by malicious actors to bypass defenses in real-time (on average 24 days before industry benchmarks), versus waiting days or weeks for signature updates. Our time-zero detections lead the industry with reliable verdicts that stop phishing attempts at delivery time so that users are never exposed to the attack.

Indicators of Compromise

Phishing Email Subject Lines:

  • Important Service Changes
  • PDF New Policy
  • PDF Service
  • Voice Message Received from Unidentified CallerID –

Sender Display Names:

[Targeted Company Name] TOS

[Targeted Company Name] Outlook

[Targeted Company Name] Notice

[Targeted Company Name] Policy

[Targeted Company Name] Voicemail

[Targeted Company Name] Voicemail Box

No Reply

No-reply

noreply

Sender Addresses:

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]online

[email protected][.]online

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]microsoftoutlookwebservices[.]online

[email protected][.]online

[email protected][.]online

[email protected][.]online

[email protected][.]online

[email protected][.]online

[email protected][.]outlookonlinewebservices-com[.]online

[email protected][.]outlookonlinewebservices-com[.]online

[email protected][.]outlookonlinewebservices-com[.]online

[email protected][.]outlookonlinewebservices-com[.]online

[email protected][.]outlookonlinewebservices-com[.]online

[email protected][.]ru

[email protected][.]ru

[email protected][.]ru

[email protected][.]ru

[email protected][.]ru

[email protected][.]microsoftofficeonlinemessagecenter-com[.]ru

[email protected][.]microsoftofficeonlinemessagecenter-com[.]ru

[email protected][.]microsoftofficeonlinemessagecenter[.]com[.]ru

[email protected][.]microsoftofficeonlinemessagecenter[.]com[.]ru

[email protected][.]entrepreserves[.]com

[email protected][.]entrepreserves[.]com

[email protected][.]entrepreserves[.]com

[email protected][.]sollutiance[.]com

[email protected][.]unnetflow[.]com

Actor-Controlled Credential Harvesting Sites:

microsoftofficeonlineservices[.]com

outlookprivacypolicy[.]online

office-policy-center[.]com

ms365[.]us

Actor-Compromised Credential Harvesting Sites:

al-abdal[.]net

goatourspackage[.]com

perpustakaanarda[.]papua[.]go[.]id

satoshiation[.]com

simpus3[.]bandungkab[.]go[.]id

theeditorngr[.]com

Links Identified in Phishing Emails:

https://www[.]microsoftofficeonlineservices[.]com/b/service/?username=[target email address]

https://login[.]microsoftofficeonlineservices[.]com?e=[base64 encoded email]

https://login[.]microsoftonlineservices[.]office-policy-center[.]com/?e=[base64 encoded target email address]

http://ms365[.]us/account-login?e=[base64 encoded target email address]

https://goatourspackage[.]com/?e=[base64 encoded email]

https://simpus3[.]bandungkab[.]go[.]id/?username=[base64 encoded email]

https://al-abdal[.]net/outlook/test/?e=[base64 encoded email]

https://satoshiation[.]com/?e=[base64 encoded email]

https://theeditorngr[.]com/@?username=[base64 encoded target email address]

https://perpustakaanarda[.]papua[.]go[.]id?e=[target email address]

Malicious File Names:

[Targeted Company Name]_TOS-Updated_v<8-digit number].pdf

[Targeted Company Name]PDF Policy_v<8-digit number].pdf

[Targeted Company Name]_VoiceMessage<8-digit number].html

Microsoft-Policy-Updated.pdf

PolicyUpdate.htm

Modified Microsoft Logo Hashes:

MD5: 900b8133ac181eedbbd698ee2a2fabbc

SHA1: 1106889AAA1BAFF9F00904BE335F5A373EE7C059

SHA256: 29256ABAEC0B1325152FC8ADDA5EF62E3BCAE45860A004221EC027321436FEBF

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!

 

Understanding the Four Business Email Compromise Attack Types

Business Email Compromise (BEC), also sometimes referred to as email account compromise (EAC) or vendor email compromise (VEC), is a type of phishing attack that takes advantage of an existing relationship between a victim and organization.

Area 1 Security Announces the Most Spoofed Brand of 2021

Dear America’s sports-loving, company-securing fans: Before you find yourself glued this weekend to (what some call) THE biggest game in college basketball history, we are here to crown the 2022 March Hackness winner!

2022 March Hackness: The Return of the Phishing Bracket

Area 1 Security’s Sixth Annual March Hackness: The Perfect Phishing Bracket is here! Learn who made the list of the top brands that attackers use in phishing lures.