Online Phishers Are Going After Microsoft Office 365 Administrator Accounts Using This Clever Scam

If your organization uses Office 365, you have probably seen phishing emails that target your community by now. However, it’s one thing when phishing attacks target regular users, and it’s an entirely different story when criminals aim for the Microsoft Office 365 administrator account. After all, if an admin account is compromised, the repercussions could reach other users across different levels, too.

We will use this blog entry to tell you more about this Office 365 credential theft campaign, and then we will go through the anti-phishing protection guidelines offered by Microsoft. Although the settings recommended by the company are just the first step towards a secure virtual environment, taking that step is crucial if you want to protect your system.

The Phishing Attack against Microsoft Office 365 Administrator Accounts

The attempts to compromise Office 365 accounts are carried out every single day. Bigger phishing campaigns get detected by security specialists, who share this vital information on their blogs. The phishing attack that we want to talk about was first revealed by PhishLabs in November 2019.

According to the report, the malicious emails were delivered to multiple Microsoft Office 365 administrator accounts. These emails were called “phishing lures” because their intention was to lure the admins into giving away sensitive information.

While it is quite common for regular users to get tricked into giving away their personal credentials, one would expect that system admins are a lot more careful about that. Seemingly, the threat actors thought so too, because the phishing lure emails masqueraded as official notifications from Microsoft sent from various validated domains.

What is a validated domain? Well, think of a domain that wouldn’t look suspicious at all. For example, if you received an email with university initials in its domain name, you would be more likely to trust that email, wouldn’t you? This is exactly how this scam works: the validated domains might not belong to Microsoft, but they look reliable, and thus, admins might be lured into clicking the links in those phishing lures.

The moment they click the link, however, they get redirected to a fake Office 365 login page. It looks just like the regular one, and if the admin enters their login credentials, the crooks can steal them and use them to access the system. Needless to say, an admin-level phishing attack raises a lot more security concerns.

According to the report by PhishLabs, depending on the Office 365 configuration, the compromised admin account could allow cybercriminals to take over other email accounts within the domain, too. Not to mention that sometimes admin privileges allow them to reset forgotten passwords and configure single sign-on preferences. Hence, if an admin account is compromised, the entire system could be in danger of severe data theft.

Aside from stealing information through this phishing attack, hackers could create new accounts on the compromised domain. Also, once the criminals have a certain domain under their control, they can use the domain’s resources to send out more phishing lures to other systems. Thus, a vicious circle of phishing attacks never ends. Indeed, the fact that someone receives these phishing lures proves that some domains have already been compromised. And this leads us to another point.

What’s So Special About This Phishing Attack?

As we have already mentioned, this scam stands out because it targets admin accounts. However, there is one more thing that makes it extremely sneaky: it uses the infrastructure of a legitimate organization. Sending from a legitimate domain allows these scammers to avoid the usual email filters that redirect spam into the Junk folder. Also, when such messages reach the main inbox, even admins are more likely to find them believable.

Another interesting point is that the admins of the compromised domains used for this phishing attack do not notice the malicious activity. The research shows that scammers create new accounts on the affected domains to send out spam, so no legitimate account user sees the outgoing mail. It’s not the existing email accounts that get exploited, but the domain itself.

How to Avoid Phishing Attacks

Security specialists argue that everyone should be wary of such phishing attacks because it doesn’t seem like one specific enterprise or industry is being targeted at the moment. Administrators just have to be wary of emails that come with such subject lines as “Re: Action Required!” or “Re: We placed a hold on your account.”

Instead of clicking the URLs in the message, an admin is advised to contact their IT department immediately. Your enterprise might have various methods to counter such email incidents, but double-checking the email content is always a good starting point.

Microsoft offers these guidelines that should help you enhance Office 365 protection against phishing attacks.

How to enhance Office 365 protection

  1. Access the admin center and select Security.
  2. Go to Threat Management, choose Policy, and go to ATP Anti-phishing.
  3. Choose Default Policy and select Edit in the Impersonation section.
  4. Open Add domains to protect and select to automatically include your domains.
  5. Open Action, click the drop-down If email is sent by an impersonated user.
  6. Select the action you want and choose Turn on impersonation safety tips.
  7. Choose the tips you want and click Save.
  8. Go to Mailbox intelligence and make sure it’s turned on.
  9. Select Add trusted senders and domains to add reliable domains and email addresses.
  10. Go to Review your settings and click Save.
  11. Press Close and exit the menu.
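The eleven portal steps above can also be applied from Exchange Online PowerShell, which is useful when you manage several tenants or want the configuration in version control. The script below is an added example written for this article; it is not Microsoft’s own guidance or code from the original post. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account may edit anti-phishing policies, and that the tenant is licensed for the ATP (Defender for Office 365) impersonation features the portal steps rely on. The admin UPN, the protected user entry, and the trusted sender and domain values are placeholders.

```powershell
# Added example (not from the original article): apply the anti-phishing
# settings from the portal steps above with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account
# has permission to edit anti-phishing policies.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder UPN

# Steps 3-4: the built-in default policy, with your own (accepted) domains
# automatically included in impersonation protection.
$policyName = 'Office365 AntiPhish Default'

# Steps 5-8: quarantine mail that impersonates your domains or listed users,
# turn on all impersonation safety tips, and keep mailbox intelligence on.
# 'Jane Admin;jane.admin@example.com' is a placeholder "DisplayName;Email" entry.
Set-AntiPhishPolicy -Identity $policyName `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'Jane Admin;jane.admin@example.com' `
    -TargetedUserProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf

# Step 9: senders and domains that must never be flagged as impersonation.
# Both values are placeholders; keep this list short and reviewed.
Set-AntiPhishPolicy -Identity $policyName `
    -ExcludedDomains 'partner.example' `
    -ExcludedSenders 'billing@vendor.example'

# Step 10: review the resulting settings before closing the session.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableOrganizationDomainsProtection,
                  TargetedDomainProtectionAction, TargetedUserProtectionAction,
                  EnableMailboxIntelligence, EnableMailboxIntelligenceProtection,
                  ExcludedDomains, ExcludedSenders |
    Format-List

# Step 11: close the session.
Disconnect-ExchangeOnline -Confirm:$false
```

Quarantine is chosen here rather than the default "no action" so that an impersonation of your own domain, which is exactly what the PhishLabs lures relied on, never reaches an admin’s inbox; if you prefer the junk folder, use MoveToJmf for the domain and user actions as well. Re-run the Get-AntiPhishPolicy line after any change, since a custom policy with higher priority can override the default policy for the users it covers.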

Aside from employing the most basic security measures, it is always highly recommended to constantly remind the regular users of the dangers behind phishing attacks. Sometimes a serious problem may begin with one stray phishing email that a distracted user interacts with without any second thought.

Admins should consider educating users about the importance of strong passwords and multi-factor authentication. Password managers are also highly recommended.

February 6, 2020
