Using a mix of fake admin alerts and a spoofed logon page, this newest campaign preys on Office 365 admins. To make it worse, the fake logon pages are hosted on Microsoft's own Azure infrastructure, so they are served with valid TLS certificates issued for a Microsoft-owned domain, adding that little touch of authenticity!
Cyber-criminals who use phishing as their attack of choice know that two things make a successful campaign: context and urgency. In this latest attack, covered by Bleeping Computer, it looks like the scammers have found the perfect angle to include both.
IT pros are taken to an Azure-hosted windows.net site that mimics the Office 365 logon page.
Because the page lives under a Microsoft-owned windows.net hostname, it is served with a valid TLS certificate issued for that domain, and the browser shows the padlock. The certificate only proves that the connection to that windows.net host is encrypted; it says nothing about who controls the content, since anyone with an Azure subscription can publish under that namespace. The hostname, not the padlock, is what gives the page away.
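The practical check that follows from this is to judge a sign-in link by its hostname rather than by its certificate. Below is an added example (not code from the original post or from Bleeping Computer) that pulls every URL out of a mail body and classifies it: known Microsoft sign-in hosts pass, anything under a shared Azure namespace such as windows.net or azurewebsites.net is flagged, and two common tricks (a real hostname used as userinfo before `@`, and a real hostname embedded as a subdomain of an attacker domain) are caught separately. The host allowlist, the Azure suffix list, the keyword list and the sample alert mail are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts that legitimately serve Microsoft 365 sign-in pages.
# A real deployment would maintain this list from its own tenant configuration.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}

# Assumption: Microsoft-owned suffixes under which any Azure subscriber can publish
# content and inherit a valid Microsoft certificate (the campaign used windows.net).
SHARED_AZURE_SUFFIXES = (".windows.net", ".azurewebsites.net", ".azureedge.net")

# Assumption: tokens that suggest a page is posing as a sign-in form.
LOGIN_KEYWORDS = ("login", "signin", "sign-in", "office365", "o365", "microsoftonline")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def classify_login_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for a single URL found in a mail body."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return ("unparseable", "no http(s) host")
    if parts.username is not None:
        # https://login.microsoftonline.com@attacker.example/ : everything before
        # '@' is userinfo; the browser actually connects to the host after it.
        return ("suspicious", f"userinfo before '@' hides real host {host}")
    if host in LEGIT_LOGIN_HOSTS:
        if parts.scheme != "https":
            return ("suspicious", "Microsoft sign-in host without TLS")
        return ("legitimate", "known Microsoft sign-in host")
    for suffix in SHARED_AZURE_SUFFIXES:
        if host.endswith(suffix):
            # Valid Microsoft cert, but the content is tenant-controlled.
            return ("suspicious", f"tenant-controlled content under Microsoft-owned {suffix}")
    if any(legit in host for legit in LEGIT_LOGIN_HOSTS):
        # login.microsoftonline.com.verify-license.example is a subdomain of .example
        return ("suspicious", "lookalike host embeds a real sign-in hostname")
    if any(kw in host + parts.path.lower() for kw in LOGIN_KEYWORDS):
        return ("review", "sign-in keywords on non-Microsoft host")
    return ("other", "no sign-in indicators")


def triage_body(body: str) -> list[tuple[str, str, str]]:
    """Extract every URL from a mail body and return (url, verdict, reason) per URL."""
    return [(u,) + classify_login_url(u) for u in URL_RE.findall(body)]


# Constructed sample alert mail in the style described in the post (not a real message).
SAMPLE_ALERT = """\
Subject: Office 365 license for your tenant expires in 24 hours
Your admin licenses have been flagged for review. Sign in now to keep services running:
https://o365admin-alerts.blob.core.windows.net/portal/login.html
If the link does not open, use https://login.microsoftonline.com@o365-portal.azurewebsites.net/
Legitimate portal: https://login.microsoftonline.com/common/oauth2/authorize
"""

if __name__ == "__main__":
    for url, verdict, reason in triage_body(SAMPLE_ALERT):
        print(f"{verdict:12} {url}\n             {reason}")
```

Note that the classifier never looks at the certificate at all: on the windows.net lookalike the certificate is genuine and would validate, which is exactly why it carries no signal here. Paste the classifier into a mail-gateway hook or a triage notebook and the two phishing links in the sample mail are flagged while the real portal passes.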
Using fake Office 365 alerts citing expiring licenses or an issue that requires investigation, the scammers hope to exploit IT's desire to keep Office 365 available and licensed. With around half of all businesses using Office 365, the tactic makes sense: the phishing email is relevant to as many as half of all recipients (assuming they are all IT pros), and the alert framing creates the urgency needed to get IT to click the link.
Unfortunately, many network and mail admins were never properly trained as IT admins; they were simply thrust into the role because the company couldn't afford a dedicated IT admin and nobody better was available.
It’s another instance where basic security steps would help prevent such an attack. They are:
1) Multi-Factor Authentication – MFA using factors stronger than SMS (an authenticator app or, better, a FIDO2 hardware key) should be required for every IT professional with elevated access. Bear in mind that a one-time code can still be relayed by a phishing page that proxies the real logon in real time; only origin-bound factors such as FIDO2/WebAuthn are phishing-resistant.
2) Security Awareness Training – Even members of IT need to go through Security Awareness Training so they practice what they preach. Usually it’s poor wording or sloppy HTML that gives away a phishing email, but attackers are getting better at their craft, and as this campaign shows, a padlock and a Microsoft-owned hostname are no longer tells. IT shouldn’t assume it will always be able to spot the bad guys.