An on-going phishing campaign is targeting administrators of Microsoft Office 365.
Administrators of Office 365 are being warned as a large-scale phishing campaign is working to steal their credentials and gain access to the systems they manage.
Reasons for specifically targeting admin users are myriad and include:
- Retrieving user emails
- Resetting users passwords
- Using Single Sign-On (SSO) to access other systems
- Create new users
- Send out further attacks from the compromised domain, using the reputation of the domain to bypass additional security measures
The last point above is highly significant as it has been confirmed to be a component of the attack, as emails have been observed from multiple validated domains.
The email, pictured below, is a convincing invoice notification appearing to come from Office 365.
Should the victim click on any of the links, they are taken to a fake landing page, pictured below, which harvests their administrative credentials.
What’s known about the emails:
The details below have been taken directly from the phishing emails.
Sender
“Services admin center”<MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@[domain].com>
URLs used
- http://www.clinicaccct[dot]com/srvt/index.php?m=[domain]@email.com
- http://www.aranibarcollections[dot]com/srvt/index.php?m=[domain]@email.com
Email Subjects
- Re: We placed a hold on your account
- Re: Action Required!
None of the techniques used in this phishing scam are new, though they are still proving to be very effective.
This highlights the need for effective Security Awareness Training to reduce the number of successful phishing attempts each day.
At Phishing Tackle, we work hard to educate and test our customers, helping to bring their Click-Prone® score down and thus raise cyber-security within their business.
There really is no substitute for security-savvy staff, and we urge you to look at our pricing page to see how affordable we really are.
Data source: Phishlabs