Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials

upnorth

Level 68
Thread author
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Thousands of Microsoft 365 credentials have been discovered stored in plaintext on phishing servers, as part of an unusual, targeted credential-harvesting campaign against real estate professionals.

The attacks showcase the growing, evolving risk that traditional username-password combinations present, researchers say, especially as phishing continues to grow in sophistication, evading basic email security. Researchers from Ironscales discovered the offensive, in which cyberattackers had compromised email account credentials for employees at two well-known financial-services vendors in the realty space: First American Financial Corp., and United Wholesale Mortgage. The cybercrooks are using the accounts to send out phishing emails to realtors, real estate lawyers, title agents, and buyers and sellers, analysts said, in an attempt to steer them to spoofed Microsoft 365 login pages for capturing credentials.
The emails alert targets that attached documents needed to be reviewed or that they have new messages hosted on a secure server, according to a Sept. 15 posting on the campaign from Ironscales. In both cases, embedded links direct recipients to the fake login pages asking them to sign into Microsoft 365. Once on the malicious page, researchers observed an unusual twist in the proceedings: The attackers tried to make the most of their time with the victims by attempting to tease out multiple passwords from each phishing session. "Each attempt to submit these 365 credentials returned an error and prompted the user to try again," according to the researchers' writeup. "Users will usually submit the same credentials at least one more time before they try variations of other passwords they might have used in the past, providing a gold mine of credentials for criminals to sell or use in brute-force or credential-stuffing attacks to access popular financial or social-media accounts."

The care taken in the targeting of victims with a well-thought-out plan is one of the most notable aspects of the campaign, Eyal Benishti, founder and CEO at Ironscales, tells Dark Reading.
Also notable (and unfortunate) in this particular campaign, a basic security control apparently failed. In the initial round of phishing, the URL that targets were asked to click didn't try to hide itself, researchers noted — when mousing over the link, a red-flag-waving URL was displayed: "hxxps://phishingsite.com/folde...[dot]shtm." However, subsequent waves hid the address behind a Safe Links URL — a feature found in Microsoft Defender that's supposed to scan URLs to pick up on malicious links. Safe Link overwrites the link with a different URL using special nomenclature, once that link is scanned and deemed safe.

In this case, the tool only made it harder to visually inspect the actual in-your-face "this is a phish!" link, and also allowed the messages to more easily get past email filters. Microsoft did not respond to a request for comment. "Safe Links has several known weaknesses and generating a false sense of security is the significant weakness in this situation," Benishti says. "Safe Links didn’t detect any risks or deception associated with the original link, but rewrote the link as if it had. Users and many security professionals gain a false sense of security because a security control in place, but this control is largely ineffective."
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top