Microsoft Warns Against Sophisticated Phishing Campaign

Microsoft Security Intelligence tweeted a warning about an ongoing phishing campaign that is more involved and elaborate than most. The attacks target Office 365 users and organizations and use a number of convincing lures.

The campaign uses spoofed sender email addresses, as well as the target's domain, in an effort to look as legitimate as possible and get past automated email filters.

Microsoft warns that the sender's address string will contain variations of the word "referral" and come from different domains, including com[.]com, which according to Microsoft's researchers is a common sight in spoofing.

The campaign also uses compromised SharePoint pages that ask victims to enter their login credentials, which are then stolen. SharePoint appears in the email messages too, supposedly sharing a file that has something to do with either "bonuses", "pricebooks" or "staff reports", as per the tweet.

The link to the file used as bait leads to the malicious fake SharePoint login page that steals the victim's credentials.

If picked apart and examined closely, the phishing email contains two problematic URLs, both with "malformed HTTP headers", as per the report. One of those URLs points to a Google App Engine AppSpot domain, a storage service used for web apps. Once the user logs into that page, they are redirected to a spoofed Office 365 page that harvests their credentials.

The operators running the phishing campaign have also used legitimate storage services and URLs to host their malicious phishing pages, the report states. Those include both Google and Microsoft, as well as URLs from Digital Ocean.
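The sender, lure and AppSpot traits described above can be turned into a simple mail-triage check. The following is an added example, not code from Microsoft or from the report; the function names, the fuzzy-match threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LURES = ("bonuses", "pricebooks", "staff reports")  # lure themes named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_referral_variant(token, threshold=0.75):
    # Fuzzy match for misspellings of "referral"; the 0.75 cut-off is an assumption.
    return len(token) >= 6 and SequenceMatcher(None, token, "referral").ratio() >= threshold

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def indicators(raw):
    """Return which of the campaign traits from the article a raw message shows."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    local, _, domain = addr.rpartition("@")
    body = body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = []
    if any(is_referral_variant(t) for t in re.split(r"[^a-z]+", local + "." + domain)):
        hits.append("referral-variant-sender")
    if domain == "com.com" or domain.endswith(".com.com"):
        hits.append("com.com-sender-domain")
    if "sharepoint" in text and any(lure in text for lure in LURES):
        hits.append("sharepoint-lure")
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    if any(h == "appspot.com" or h.endswith(".appspot.com") for h in hosts):
        hits.append("appspot-link")
    return hits

# Constructed sample messages (not taken from the campaign).
SUSPECT = (
    'From: "SharePoint" <refferal@notice.com.com>\n'
    "Subject: Staff Reports shared with you\n\n"
    "A file was shared via SharePoint: https://placeholder-app.appspot.com/view?id=1\n"
)
ROUTINE = (
    "From: hr@example.org\n"
    "Subject: Staff reports for Q2\n\n"
    "The Q2 staff reports are on SharePoint: https://intranet.example.org/q2\n"
)
if __name__ == "__main__":
    print(indicators(SUSPECT), indicators(ROUTINE))
```

The routine message trips only the lure check, which is why the indicators are better combined than alerted on individually.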

Microsoft has noted that the campaign is more involved than most run-of-the-mill phishing efforts, using convincing-looking logos embedded in the emails and going the extra mile to evade detection.

August 2, 2021