An imitation game – Microsoft Office 365 phishing campaign

Last year, an unusual phishing campaign was discovered, found to be using organisations’ branded Microsoft 365 tenant login pages to create very convincing credential harvesting pages.

Hosting pages on legitimate Microsoft infrastructure is not uncommon in current phishing campaigns. Yet, in this particular case, the background images and logos matched the Office 365 login page of the targeted organisation. This is not only very worrying but also an indication of just how advanced these attacks have become.

Beyond this, the hackers also used Microsoft’s Azure Blob Storage and Microsoft Azure Web Sites cloud storage solutions to host their phishing landing pages, a tactic used to trick targeted individuals into believing that they are seeing an official Microsoft login page. In recent months, the UN and a number of other NGOs have become victims of a similar campaign that mimics the organisation’s sign-on page. 

This campaign is yet another example of just how targeted and sophisticated phishing attacks are today – and therefore why they are often so successful. Phishing attacks rely on social engineering, convincing victims that they are genuine emails from a legitimate source. As we can see in this case, cybercriminals were even credibly replicating customised Microsoft Office 365 login pages to harvest user credentials. With researchers at Rapid7 reporting that these kinds of phishing attacks are growing in popularity, it is essential that organisations take measures to defend against them now.

The measures that need to be taken

To protect against these attacks, businesses must remind their employees not to click on any links or download any files from any emails unless they are absolutely sure the emails are genuine and sent from a legitimate organisation and a trusted contact. Even then, it is impossible to guarantee that an individual will not fall foul of replicas or approaches from hijacked accounts, so technology is needed to close the gap.

Organisations using Microsoft Office 365 must also ensure they implement sophisticated protection software to catch more phishing emails before they hit employee inboxes. There is a common misconception that the built-in security Microsoft Office 365 offers provides enough protection, but incidents such as this one show that this is simply not the case.

When it comes to the misuse of Microsoft Azure websites, it’s down to Microsoft to verify that an individual or organisation registering to host a website on Azure is legitimate. However, this is operationally challenging at scale. Organisations should protect themselves with ultramodern, multi-layered email security solutions with top threat intelligence that offer in-depth protection from targeted attacks with a range of techniques and technologies.

Multi-pronged protection is the way forward

As phishing attacks have become so sophisticated, the way organisations protect themselves needs to change to halt this advanced threat. As well as stopping phishing emails from reaching the inbox, email solutions need to protect users from malicious links within emails that do make it through. Email link protection, which protects users from links in messages at time-of-click, has evolved to be effective against the latest cross-channel attacks that start over email but quickly move to the web or cloud channels. Effective link protection needs to follow redirects and also scan links in the final target if the final target is a file object. Our LinkScan™ technology can do just that.
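The time-of-click check described above, sketched as an added example (not code from the original article and not Censornet's LinkScan implementation). The redirect table, host names and the list of file extensions are constructed assumptions so the example runs offline; the two Azure suffixes correspond to the Blob Storage and Web Sites hosting named earlier.

```python
from urllib.parse import urljoin, urlsplit

# Customer-controlled Azure hosting named in the article (Blob Storage, Web Sites).
AZURE_HOSTING_SUFFIXES = (".blob.core.windows.net", ".azurewebsites.net")
# Assumption: extensions treated as "file objects" whose embedded links need scanning.
FILE_EXTENSIONS = (".pdf", ".docx", ".xlsx", ".pptx", ".zip")
REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10

# Constructed sample data standing in for live HTTP responses: url -> (status, Location).
SAMPLE_RESPONSES = {
    "https://news.example.org/r?id=1": (302, "https://short.example.net/a1"),
    "https://short.example.net/a1": (301, "https://exampletenantlogin.blob.core.windows.net/web/index.html"),
    "https://exampletenantlogin.blob.core.windows.net/web/index.html": (200, None),
    "https://mail.example.org/t/2": (302, "/shared/invoice.pdf"),
    "https://mail.example.org/shared/invoice.pdf": (200, None),
    "https://loop.example.net/a": (302, "https://loop.example.net/b"),
    "https://loop.example.net/b": (302, "https://loop.example.net/a"),
}

def resolve_chain(url, fetch=SAMPLE_RESPONSES.get):
    """Follow redirects hop by hop. Returns (chain, complete)."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1]) or (None, None)
        if status not in REDIRECT_CODES or not location:
            return chain, status is not None  # unknown URL => incomplete
        nxt = urljoin(chain[-1], location)    # Location may be relative
        if nxt in chain:                      # loop: final target unknowable
            return chain, False
        chain.append(nxt)
    return chain, False                       # too many hops

def assess_link(url):
    """Judge a link by where it finally lands, not by the URL in the email."""
    chain, complete = resolve_chain(url)
    final = urlsplit(chain[-1])
    host = (final.hostname or "").lower()
    findings = []
    if not complete:
        findings.append("unresolved-chain")
    if host.endswith(AZURE_HOSTING_SUFFIXES):
        findings.append("shared-azure-hosting")
    if final.path.lower().endswith(FILE_EXTENSIONS):
        findings.append("file-object-scan-embedded-links")
    return {"final_url": chain[-1], "hops": len(chain) - 1, "findings": findings}

if __name__ == "__main__":
    for link in ("https://news.example.org/r?id=1", "https://mail.example.org/t/2"):
        print(assess_link(link))
```

A chain that loops, exceeds the hop limit or ends at an unknown URL is reported as unresolved rather than treated as clean, since the final target could not be inspected.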

In this example, cybercriminals created copies of corporate Microsoft 365 tenant login pages, and a phishing email was the method to take victims to them – they utilised both email and web, but cybercriminals can also use cloud applications as part of their trap.

Increasingly, attackers are using legitimate cloud storage applications to store command and control (C2) instructions for malware, or moving malicious links out of email messages and into documents stored in the cloud. Fortunately, ultra-modern multi-layered email security solutions, tightly integrated with web and cloud security (CASB), are effective against these emerging attack techniques.

Protecting one attack vector just isn’t enough when cybercriminals are regularly using cross-channel attacks. To defend from cross-channel attacks, organisations need cross-channel protection. Wherever possible, email, web and cloud application security should be tightly integrated.

Censornet’s consolidated web security, CASB and email security platform can provide your organisation with the protection it needs to defend against the constantly evolving phishing threat.

For more practical, actionable insights and guidance on securing your organisation from advanced threats, particularly when using Office 365, visit the Defence365 hub.
