Microsoft Office 365 Attacks Sparked from Google Firebase
A savvy phishing campaign manages to evade native Microsoft security defenses, looking to steal O365 credentials.

A phishing campaign bent on stealing Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers said.

Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.

Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that’s hosted on Google Firebase. That page is of course a phishing page, bent on harvesting Microsoft log-in information, secondary email addresses and phone numbers.


The attackers could use the information to take over accounts and steal information, but they could wreak other havoc as well.

“Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” according to Armorblox.

Microsoft O365 Attack Flow
The link in the email claims to download a file called “Payment Notification – PDF.” It takes users to a landing page, which researchers said has a supposed “download” button on the top right. Hovering over the link shows that the file is hosted on Google Firebase, which is a development environment for building custom web and mobile apps – for, say, internal enterprise use.

“The downloaded ‘invoice’ might have PDF in its file name, but it’s actually an HTML file,” explained Armorblox researcher Rajat Upadhyaya, in a blog on Thursday. “Opening an HTML file loads an iframe with Office 365 branding. The page displays a thumbnail along with a link to view the invoice.”

Clicking the thumbnail or “View File” link leads to the final phishing page, which asks victims to log in with their Microsoft credentials and to provide alternate email addresses or phone numbers – an effort to collect data that could be used to get around two-factor authentication (2FA) or account recovery mechanisms.

After the details are loaded, the login portal reloads with an error message, asking the user to enter correct details.

“This might point to some backend validation mechanism in place that checks the veracity of entered details,” Upadhyaya said. “Alternately, attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”


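A defender-side check for the lure described in the post, added here as an example and not taken from Armorblox or the article: it flags an attachment whose name says PDF while its bytes are HTML, and reports iframe or link targets on Firebase hosting. The function name, the Firebase host suffix list and the sample bytes are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosting suffixes used by Google Firebase (assumed list; the article names no hosts).
FIREBASE_SUFFIXES = ("firebasestorage.googleapis.com", "firebaseapp.com", "web.app")

class _LinkCollector(HTMLParser):
    """Collect iframe sources and anchor targets from an HTML document."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"iframe": "src", "a": "href"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append((tag, value))

def _is_firebase(url):
    # Match the suffix on a label boundary so lookalike hosts do not qualify.
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in FIREBASE_SUFFIXES)

def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    head = data[:1024].lstrip().lower()
    claims_pdf = "pdf" in filename.lower()
    is_pdf = data.lstrip().startswith(b"%PDF-")  # real PDFs begin with this magic
    is_html = head.startswith((b"<!doctype html", b"<html")) or b"<iframe" in data.lower()
    if claims_pdf and not is_pdf and is_html:
        findings.append("name-claims-pdf-but-content-is-html")
    if is_html:
        parser = _LinkCollector()
        parser.feed(data.decode("utf-8", errors="replace"))
        for tag, url in parser.urls:
            if _is_firebase(url):
                findings.append(f"{tag}-points-to-firebase:{urlparse(url).hostname}")
    return findings

# Constructed samples (not taken from the campaign).
SAMPLE_LURE = (b"<html><body><iframe src='https://firebasestorage.googleapis.com/"
               b"v0/b/example-bucket/o/view.html'></iframe></body></html>")
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    print(triage_attachment("Payment Notification - PDF.html", SAMPLE_LURE))
    print(triage_attachment("invoice.pdf", SAMPLE_PDF))
```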

