Cybercriminals Going After Office 365 Administrators, Using Hijacked Accounts to Perform Phishing Attacks

Although phishing is a relatively simple social engineering scam, that doesn’t prevent cybercriminals from continuously refining old techniques and experimenting with new ones. Two phishing trends have recently been gaining traction: going after Microsoft Office 365 administrators and using compromised legitimate accounts for phishing. These techniques make phishing attempts convincing enough that individual users will have a difficult time identifying them without a comprehensive machine learning-powered security solution.

[READ: Cybercriminals are making use of HTTPS for phishing attacks]

Fooling Microsoft Office 365 administrators with fake alerts

Phishing attacks have traditionally been crafted to trick end users. However, this meant that the attacker had access only to the victim’s files and to the areas where they had permissions. Bleeping Computer noted that instead of going for individual employees, cybercriminals have been sending phishing emails specifically targeting Microsoft Office 365 administrators — a move that, if successful, would allow them to gain administrative control over an organization’s Office 365 domain and accounts.

The phishing campaigns involve fake Office 365 alerts. These fake alerts, which are well-crafted and include the actual Office 365 logo, are meant to portray urgency by making it appear that the administrator needs to deal with time-sensitive concerns — for example, a notification that the company’s licenses have expired. The fake email typically includes links that prompt the administrator to login and fix whatever issue is being brought up. As expected, the links lead to a phishing website that asks the user to enter their Microsoft credentials.

A threat actor obtaining Office 365 administrator privileges can have dire consequences for an organization, the most obvious being unauthorized access to user emails. Another possible scenario is that cybercriminals can create user accounts under the company’s domain and then use those accounts to send additional phishing emails. Once the cybercriminal uses the legitimate domain, it becomes difficult for users to discern a legitimate message from a malicious one.

Use of hijacked accounts for phishing on the rise

In addition to going after admin accounts, cybercriminals are also turning to hijacked accounts to perform phishing attacks — a technique called lateral phishing. A report released by Barracuda Networks points out that one in seven organizations — totaling over 100,000 recipients — had been victims to this form of phishing attack. Approximately 40% of the recipients were coworkers, while the rest formed a variety of targets, from partner companies to people in the contact list of the hijacked account.

Lateral phishing makes for an ideal social engineering technique since the use of hijacked legitimate accounts makes it tricky even for the most cautious users to realize that they’re the recipient of a malicious email.

Best practices to defend against phishing attacks

As phishing attacks become increasingly complex, the need to properly secure enterprise systems and endpoints becomes even more important. While there is no silver bullet for weeding out all possible permutations of phishing attacks, a combination of the following best practices has been proven to yield good results.

• Be aware of what phishing attacks look like. Unusual email addresses, a large number of grammatical errors, and generic-looking messages that look like they were meant to be sent to a large number of recipients are typical phishing red flags users should look out for.
• Refrain from downloading attachments and clicking URLs even if they come from a trusted source. As mentioned in this article, the use of hijacked accounts to send phishing emails is gaining popularity among cybercriminals. Thus, users should refrain from visiting links and downloading files, especially if the email seems suspicious and out of context.

Trend Micro solutions powered by machine learning

The sheer number of emails a person has to check in a day makes checking and filtering each individual email an unwanted but necessary chore. Fortunately, today’s modern security technology, such as the Trend Micro^™ Cloud App Security^™ solution, can help detect even the most convincing phishing attempts without requiring the user to spend too much time confirming the legitimacy of received emails. It employs machine learning (ML) to perform sender, content, and URL reputation analysis followed by an inspection of the remaining URLs using computer vision and AI to check if website components are being spoofed. In addition, it can also detect suspicious content in the message body and attachments as well as provide sandbox malware analysis and document exploit detection.