Security News Office 365 Biz Users Targeted in Novel Phish Scheme

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A new attack method to steal Office 365 business email credentials has been uncovered, which goes undetected by Microsoft’s Office 365 default security and bypasses desktop email filters.

Avanan cloud security researcher Gil Friedrich explained that what makes this attack different is that instead of fooling the user, it was designed to fool the anti-phishing filters. It leverages what appears to be a vulnerability in how Office 365 anti-phishing and URL-reputation security layers translate Punycode, a method for encoding domain names with Unicode characters.

Punycode is a method added to the Domain Name System (DNS) in order to support non-ASCII characters within a web URL. For example, the Swiss bookstore bücher.ch would have an ASCII URL of xn—bcher-kva.ch which renders the non-ASCII umlaut ü. So, attackers can use non-ASCII characters to fool end-users into clicking URLs that look legitimate, but substitute similarly-shaped letters from different alphabets to spoof the site.

A recent example was captured by Avanan in Germany. A company's users were sent an email, pretending to be a tracking update from FedEx, with a link. Office 365 anti-phishing tools interpreted the ASCII version as a link that took them to a benign web server in Berlin. When users clicked on the link, however, their desktop browser interpreted the link as its Punycode equivalent, which led to a malicious server in Belfast instead.

The user sees a fake Office 365 login page, where they are asked to put in their credentials. Once the Office 365 usernames and passwords have been compromised, the hackers can run amok, installing malware, sending emails to other users in the victim's address book, accessing the user's OneDrive account to download files, or steal company secrets or other customer information, such as customer SSNs, credit card numbers, email addresses and so on.

The attack could be used to target any email service. But “with the growth in Office 365 for corporate email, hackers are shifting their focus,” said Friedrich. “The characteristics of this particular attack discloses the hacker’s intention to deceive Office 365 users into providing their login credentials. Almost all instances of this email have been found within corporations that use Office 365 for their corporate email and, the landing page for each of the malicious URLS is a fake Microsoft login which specifically asks for a ‘business email’ account.

Also see: Office-Themed Phishes Have 20% Success Rate
 

soccer97

Level 11
Verified
May 22, 2014
517
A new attack method to steal Office 365 business email credentials has been uncovered, which goes undetected by Microsoft’s Office 365 default security and bypasses desktop email filters.

Avanan cloud security researcher Gil Friedrich explained that what makes this attack different is that instead of fooling the user, it was designed to fool the anti-phishing filters. It leverages what appears to be a vulnerability in how Office 365 anti-phishing and URL-reputation security layers translate Punycode, a method for encoding domain names with Unicode characters.

Punycode is a method added to the Domain Name System (DNS) in order to support non-ASCII characters within a web URL. For example, the Swiss bookstore bücher.ch would have an ASCII URL of xn—bcher-kva.ch which renders the non-ASCII umlaut ü. So, attackers can use non-ASCII characters to fool end-users into clicking URLs that look legitimate, but substitute similarly-shaped letters from different alphabets to spoof the site.



Also see: Office-Themed Phishes Have 20% Success Rate


There are other similar malware malware going around targeting business and enterprise users (At least I am using Office 365 - and an enterprise version for a short period of time). Unfortunately, they are nasty ones- some distributing Ransomware. Source (I have received some of said emails) - fortunately, I disabled attachment preview a long time ago and keep everything up to date.

These include:
Your mailbox is full
-A zip file, flat out with no subject or text in the body of the message
-A message with a malicious link that is intended for social engineering.

Others with various topics.

Analyzing the message header guess where the majority originate from...... .Ru domains.

Watch out for spoofed email addresses, as they look real.
 

soccer97

Level 11
Verified
May 22, 2014
517
There are other similar malware malware going around targeting business and enterprise users (At least I am using Office 365 - and an enterprise version for a short period of time). Unfortunately, they are nasty ones- some distributing Ransomware. Source (I have received some of said emails) - fortunately, I disabled attachment preview a long time ago and keep everything up to date.

These include:
Your mailbox is full
-A zip file, flat out with no subject or text in the body of the message
-A message with a malicious link that is intended for social engineering.

Others with various topics.

Analyzing the message header guess where the majority originate from...... .Ru domains.

Watch out for spoofed email addresses, as they look real.



Following up....it was ransomware - and the domain has been blocked. Watch for a lot of emails seeming to come within a short period of time (usually 3-5 days). They appear to come from legitimate addresses, until you hover over the center. When you view the header you will b e g;ad you didn't open it!
 
  • Like
Reactions: DardiM

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Seems Microsoft Smartscreen should be more in action to prevent any kind of phishing and unsolicited e-mails.

With hundreds thousands to millions of e-mails transmitted daily, the techniques of intruders are literally same only.
 

soccer97

Level 11
Verified
May 22, 2014
517
Seems Microsoft Smartscreen should be more in action to prevent any kind of phishing and unsolicited e-mails.

With hundreds thousands to millions of e-mails transmitted daily, the techniques of intruders are literally same only.


Yes, you would think that for the subscription fees they charge, they need to be competitive such as maybe contracting with Barracuda?
 
  • Like
Reactions: DardiM

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
@soccer97: They are already in the competitive stage however not in the alignment of security aspect but rather convenience to other users.

Although Microsoft's security enhancement is indeed improved but not widely effective in majority.
 

soccer97

Level 11
Verified
May 22, 2014
517
@soccer97: They are already in the competitive stage however not in the alignment of security aspect but rather convenience to other users.

Although Microsoft's security enhancement is indeed improved but not widely effective in majority.


I will agree. I think a layered approach is good especially when you have a domain wit 1000 or so mailboxes - catch that message before it hits the users mailbox. Barracuda, Proofpoint and other companies are good add-ons or adjuncts.

To Microsoft's Credit though - their spam filter/quarantine is getting better - particularly at the obvious ones. I would say they are in the process of getting competitive with Gmail.
 
  • Like
Reactions: jamescv7

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top