Office 365 phishing baits remote workers with fake VPN configs


Microsoft Office 365 customers are targeted by a phishing campaign using bait messages camouflaged as notifications sent by their organization to update the VPN configuration they use to access company assets while working from home.

The phishing emails, which impersonate VPN configuration update requests from the recipient's IT support department, have so far landed in the inboxes of up to 15,000 targets, according to stats from researchers at email security company Abnormal Security.

These phishing messages are a lot more dangerous because of the huge influx of employees working remotely and using VPNs to connect to company resources from home for sharing documents with their colleagues and accessing their orgs' servers.

The attackers spoof the sender email address in the phishing emails to match the domains of their targets' organizations and embed hyperlinks that, instead of directing recipients to new VPN configs, send them to phishing landing sites designed to steal their Office 365 credentials.

"Numerous versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses," Abnormal Security explains.
"However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website."
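A mail-side check for the two traits described above (a From address in the organization's own domain that fails authentication, and one payload link shared across different senders) can be sketched as follows. This is an added example, not code from Abnormal Security or the article; `ORG_DOMAIN`, the function names and the sample messages are assumptions, and it presumes the receiving gateway stamps an `Authentication-Results` header.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the recipient organization's mail domain
HREF = re.compile(r'href="(https?://[^"]+)"', re.I)

def _msg(sender, auth, url):
    """Build a constructed sample message (not real campaign data)."""
    return (f"From: IT Support <{sender}>\n"
            f"Authentication-Results: mx.example.com; {auth}\n"
            "Subject: New VPN configuration\nContent-Type: text/html\n\n"
            f'<p>Please update: <a href="{url}">New VPN config</a></p>')

SAMPLES = [
    _msg("it-support@example.com", "spf=fail; dmarc=fail", "https://login.phish.invalid/o365"),
    _msg("helpdesk@example.com", "spf=softfail; dmarc=fail", "https://login.phish.invalid/o365"),
    _msg("netops@example.com", "spf=pass; dmarc=pass", "https://vpn.example.com/config"),
]

def is_org_host(host, org_domain):
    return bool(host) and (host == org_domain or host.endswith("." + org_domain))

def analyse(raw, org_domain=ORG_DOMAIN):
    """Flag an internal-looking sender that did not pass DMARC and list off-domain links."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    # A missing or non-"pass" DMARC verdict on an own-domain From is treated as spoofed.
    spoofed = sender.endswith("@" + org_domain) and (not dmarc or dmarc.group(1) != "pass")
    links = [u for u in HREF.findall(msg.get_payload())
             if not is_org_host(urlparse(u).hostname, org_domain)]
    return {"sender": sender, "spoofed": spoofed, "external_links": links}

def shared_payloads(raws, org_domain=ORG_DOMAIN, min_senders=2):
    """Group spoofed messages by payload URL; keep URLs reused across distinct senders."""
    by_url = defaultdict(set)
    for raw in raws:
        result = analyse(raw, org_domain)
        if result["spoofed"]:
            for url in result["external_links"]:
                by_url[url].add(result["sender"])
    return {u: sorted(s) for u, s in by_url.items() if len(s) >= min_senders}

if __name__ == "__main__":
    print(shared_payloads(SAMPLES))
```

A URL returned by `shared_payloads` is a candidate for blocking at the proxy and for a retroactive search of delivered mail.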