According to the cybersecurity firm, the threat actors behind the campaign delivered a phishing lure that impersonated Microsoft and its Office 365 brand. However, to make their lure appear more legitimate, the cybercriminals used multiple validated domains that did not belong to the software giant including one domain that belonged to an educational institute.
Victims who clicked on the link in the phishing emails were presented with a spoofed login for Office 365 where the hackers would harvest their user credentials.
- Hackers target Office 365 business accounts
- Hackers spoofing US postal service to trap victims
- Also check out the best identity theft protection services
PhishLabs observed that a wide variety of enterprises and industries were targeted by the campaign which means that those behind it were not targeting any specific companies or industries.
There are several reasons why the threat actors targeted administrative credentials including the fact that Office 365 admins have administrative control over all email accounts on a domain.
Depending on how Office 365 is configured by an organization, a compromised admin account could allow an attacker to retrieve user emails or even completely takeover other email accounts on the domain. Office 365 admins also often have elevated privileges on other systems within an organization and this could potentially allow for other systems to be compromised via password reset attempts or by abusing single-sign-on systems.
By compromising an admin account, attackers can also create new accounts within an organization to abuse single-sign-on systems or they could leverage the reputation of a compromised domain in order to launch a new wave of attacks.
During the campaign discovered by PhishLabs, the attackers were able to gain some level of administrative control over the sender’s Office 365 installation. After this they created a new account which was used to distribute the campaign and this technique is often employed by hackers to further avoid detection.
To avoid falling victim to this latest phishing campaign, PhishLabs recommends that users avoid opening suspicious emails with the subject line “Re: Action Required!” or “Re: We placed a hold on your account”.
- We’ve also rounded up the best antivirus software