Office 365 Phishing

In the month of September 2018 I got a sample of a phishing e-mail that was sent to a mailbox in Office 365. In this post we break down what we have discovered analyzing the phishing attempt.

The Phish

The e-mail sender was spoofed and the name of a superior of the target was used. As social engineering technique this is a classic because nobody can afford not to read an email from one of her or his superiors. This was the way the threat agent tried to build pressure on the target.

The email itself contained an image of a Microsoft office document (Word, Excel and PowerPoint) and a link. What the threat agent did here was abuse the familiar sight of the Microsoft office icons and put a malicious link next to it.

The pressure of the superior sending you an email combined with a familiar image and the fact that we are trained to click on links made the target click. You might not if you know it is coming but remember that this is just one email between many others and you are not paid to read emails but have to do other things too.

When I analyzed the malicious link it resulted in a phishing site that was familiar to the target since it looked like the login page of Office365.

Office365 Phishing page
Office365 Phishing page

Why do threat agents want your login?

Office365 migrations have been going on for a while now the reason for this is that running a Microsoft Exchange server is not that easy and using Office365 simplifies e-mail and the high availability a lot.

By gaining to an organizations e-mail a threat agent can study an organization and manipulate for example its payments. One of the reoccurring techniques observed in the wild is the email address forwarding.  This means that the threat agent sets up an email address to get a copy of each of the victims.

The threat agent also has access to all company information shared on the office365 sharepoint and the internal calendars.

Now keep this picture in mind, you know everything you can know about an organization and have the capability to spoof email. What is stopping you to commit CEO fraud or sending out fake information to partners so that they pay the bills to a new bank account which belongs to one of your money mules.

Phishing Kit Analysis

To analyze the phishing kit I first tried to get to one directory up. This directory was not protected and thus we could see that the directory was created the same morning as the phishing e-mail was sent.

This is usually the way this works.  The criminal takes into account that a take down attempt will follow and thus has a list of hacked servers ready to start a new phishing site on a daily basis.

The login page showed that the login form does a HTTP POST to pass.php where you are presented with a password screen.  The form on this page does a HTTP POST to authenticate.php. I decided it was time to play a bit so I entered a fake hotmail email address and a fake password and got an error page back called error.php.

While going through the code I found a couple of other interesting artifacts <!–ko –> and data-bind= which indicates that the phishing kit not only uses php but also a javascript technology called knockout.js.

Reporting Office365 Phishing

If you see such an email you can report it to the Microsoft abuse team abuse@hotmail.com. The team has published their GPG key on their website.

More information on how to secure Office365 can be found on Microsoft’s website and on the Office365 Team’s blog.

Protecting Yourself from Office365 Phishing in 3 steps

  1. Activate multi-factor authentication in Office365
  2. Install a multi-factor authentication app (Android or iOS) on the user’s smartphone
  3. Talk to your security team or hire a security consultant to talk about using anti-phishing technologies, incident response and awareness training for the end user.