Microsoft Warns Office 365 Users of 'Sneaky' Phishing Campaign


Microsoft's Security Intelligence staff has issued an alert to Office 365 users and administrators to watch out for a sneaky phishing email with fake sender addresses.

Researchers at Microsoft observed an active campaign targeting Office 365 organizations with convincing emails and several strategies to evade phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that entices victims to enter their credentials.

“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters,” the Microsoft Security Intelligence team said in an update.

“The original sender addresses contain variations of the word ‘referral’ and use various top-level domains, including the domain com[.]com, popularly used by phishing campaigns for spoofing and typo-squatting.”

The fraudsters put the Microsoft SharePoint name in the display name to tempt victims into clicking the link. Researchers identified phishing emails that appeared to come from a trusted source. Many of these emails contained a "file share" request to access bogus "Staff Reports", "Bonuses", "Pricebooks", and other content supposedly hosted in an Excel spreadsheet, along with a link leading to the phishing page and plenty of Microsoft branding.

“The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page,” Microsoft notes.
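The indicators quoted above (sender addresses containing "referral", the com[.]com domain, a display name that mimics SharePoint or carries the recipient's own username and domain, and a link into Google-hosted storage or an AppSpot page) translate directly into a mail-filter rule. The following is an added example, not code from Microsoft or from the article: it parses two constructed sample messages with Python's standard `email` module and reports which indicators fire. The trusted-sender domain list, the indicator names, the `threshold` value, and the sample addresses are this example's own assumptions.

```python
"""Flag inbound mail that shows the spoofing traits described in the Microsoft alert.

Constructed sample messages only. The indicators are the ones the alert names;
the domain allow-list, indicator names and verdict threshold are assumptions
made for this example and should be tuned to your own tenant.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains from which a genuine SharePoint notification could come.
TRUSTED_SENDER_DOMAINS = {"microsoft.com", "sharepointonline.com"}

# Cloud hosts the alert says the phishing URL chain passes through.
CLOUD_HOST_PATTERN = re.compile(
    r"https?://[^\s\"'<>]*?(storage\.googleapis\.com|appspot\.com|googleusercontent\.com)",
    re.IGNORECASE,
)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def message_text(msg) -> str:
    """Concatenate the decoded text/plain and text/html bodies of a message."""
    parts = [msg] if not msg.is_multipart() else msg.walk()
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extract_indicators(raw_message: str) -> list[str]:
    """Return the names of the indicators that fire for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    to_local, _, to_domain = to_addr.lower().partition("@")
    from_dom = sender_domain(from_addr)
    name_l = display_name.lower()
    flags = []

    # "Original sender addresses contain variations of the word referral".
    if "referral" in from_addr.lower():
        flags.append("sender_contains_referral")
    # The com[.]com domain called out in the alert.
    if from_dom == "com.com" or from_dom.endswith(".com.com"):
        flags.append("sender_domain_com_com")
    # Display name mimics SharePoint but the mail does not come from a trusted domain.
    if "sharepoint" in name_l and from_dom not in TRUSTED_SENDER_DOMAINS:
        flags.append("display_name_mimics_sharepoint")
    # Display name carries the target's own username or domain.
    if to_domain and (to_domain in name_l or (to_local and f"{to_local}@" in name_l)):
        flags.append("display_name_contains_target_identity")
    # Link into the Google-hosted storage / AppSpot chain.
    if CLOUD_HOST_PATTERN.search(message_text(msg)):
        flags.append("link_to_cloud_hosted_page")
    return flags


def verdict(raw_message: str, threshold: int = 2) -> str:
    """Simple scoring: two or more indicators mark the message as suspicious."""
    return "suspicious" if len(extract_indicators(raw_message)) >= threshold else "clean"


# Constructed sample modelled on the lure the alert describes (not a real message).
PHISH_SAMPLE = """\
From: "SharePoint jdoe@contoso.example" <staff-referral@com.com>
To: jdoe@contoso.example
Subject: Staff Reports shared with you
Content-Type: text/plain; charset=utf-8

jdoe@contoso.example has shared "Staff Reports.xlsx" with you.
Open: https://storage.googleapis.com/example-bucket/open.html
"""

# Constructed benign sample for comparison.
LEGIT_SAMPLE = """\
From: "Alice Example" <alice@contoso.example>
To: jdoe@contoso.example
Subject: Lunch on Friday?
Content-Type: text/plain; charset=utf-8

Are you free Friday at noon?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, verdict(sample), extract_indicators(sample))
```

Each indicator on its own is weak (legitimate mail can carry a Google storage link, and a display name may legitimately mention SharePoint), which is why the verdict counts indicators rather than blocking on any single one; the combination the alert describes fires all five.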

Phishing campaigns have skyrocketed with the shift to remote work during the Covid-19 pandemic. Phishing remains a difficult problem for businesses to stamp out, requiring regularly updated awareness training and technical controls such as multi-factor authentication on all accounts – which both Microsoft and CISA strongly recommend.

According to the FBI's latest figures, phishing attacks cost Americans more than $4.2 billion last year. Fraudsters employ business email compromise (BEC) attacks, which rely on compromised email accounts or on email addresses that closely resemble legitimate ones, and which are difficult to filter because they blend in with normal, expected traffic. BEC attacks are far more costly than high-profile ransomware attacks.

Researchers at Microsoft have published details on GitHub of the infrastructure connected to the spoofed emails that mimic SharePoint and other products for credential phishing. "The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages," Microsoft added.