A new spear-phishing campaign has been discovered that uses spoof Microsoft Exchange emails to target Office 365 users. The well-coordinated attack has a broad range of targets but appears to be predominantly focused on Office 365 users within several key industries, including healthcare, insurance, financial services, and manufacturing.
Security researchers at email security platform IRONSCALES discovered the attack after finding that almost 100 of its customers were being targeted. The attack employs a sophisticated domain spoofing technique that makes it difficult to determine whether the phishing email is genuine or not.
Attackers send a message claiming to be from “Microsoft Outlook,” asking users to retrieve an email that has been marked as phishing or spam communications – a relatively new Office 365 feature. The reclaimed message states that it is urgent that the user clicks on a contained link. The link then redirects them to a fake Office 365 login page, where their credentials are harvested by the attacker.
If in doubt, don’t click
This particular spear-phishing campaign employs domain spoofing, which isn’t usually particularly successful – in fact, exact domain spoofs constitute less than 1% of email spoofing attacks that bypass email gateways. Normally, the domain-based message authentication, reporting & conformance (DMARC) protocol stops these fake messages in their tracks – but not in this case.
“Our research found that Microsoft servers are not currently enforcing the DMARC protocol, meaning these exact domain spoofing messages are not being rejected by gateway controls, such as Office 365 Exchange Online Protection and Advanced Threat Protection,” Lomy Ovadia, the vice president of R&D at IRONSCALES, explained. “This is especially perplexing when considering Microsoft frequently ranks as a top-five most spoofed brand year after year.”
For any email provider, a successful phishing campaign provides an opportunity to reflect on how its security protocols could be improved. For Microsoft, the fact that attackers are able to use its own domain and, even, a newly launched Office 365 feature against them is particularly embarrassing.