[Related: The Rising Tide of Credential Phishing]
Here, we analyzed some of the tools that many companies use for WFH arrangements: Outlook on the web (formerly known as Outlook Web Access) and other Office 365 applications such as SharePoint, and videoconferencing apps WebEx and Zoom.
Credential phishing using Outlook on the web and Office 365 as bait has hit users in several countries. Data from our Smart Protection Network indicates over 50,000 phishing detections from January 2020 to April 27 of the same year, with the threats affecting users in the United States, Germany, Canada, Taiwan, Japan, Australia, Hong Kong, and other countries.
Figure 1. Phishing detections related to Office365 and Outlook from January to April 2020
Figure 2. Top countries with users encountering phishing attempts related to Office365 and Outlook
Employees commonly use Outlook mailbox in the office but some use the Outlook for the web version when accessing email outside the office. If not careful, they may mistakenly attempt to log in to a phishing page designed to look like Outlook’s login page.
Figure 3. Fake login page of Outlook for the web
Many employees are accessing files and collaborating online through Office 365. Sites associated with this are also spoofed and used as phishing campaign lures. The 2019 Cloud App Security Report also found that the number of unique Office 365-related phishing links blocked in 2019 jumped to more than double 2018’s total, according to data from the Trend Micro Smart Protection Network infrastructure. We also found that these threats not only targeted users, but also those who have administrator accounts.
Figure 4. Fake Microsoft login page
Figure 6. Top countries with users encountering phishing attempts and other threats related to Zoom and WebEx
Figure 8. Spoofed login page of Zoom
Threat actors either compromise legitimate sites or create malicious domains to host phishing pages. We traced the IP hosting locations of the sources of these domains and found that the United States has the highest unique IP count, with at 833. Trailing far behind is the Netherlands at 78 and Germany at 44.
Phishing pages targeting Office365 and Outlook on the web users
Phishing pages targeting WebEx and Zoom users
Download sites of fake WebEx and Zoom apps
Other malicious sites related to WebEx and Zoom
SHA-256 | Trend Micro Pattern Detection |
2e3fc390e6b74d86e3535cd2cc0fd864c8cae0b9434cce12063a289d03e7ba10 |
PUA.Win32.InstallCore.THCCABO
|
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.