A new phishing campaign appears to be targeting organisations in the security software, manufacturing supply chain, healthcare, US military, and pharmaceutical sectors with the objectives of stealing Microsoft Office 365 and Outlook credentials.

The email campaign has proven to be exceptionally successful so far, delivering convincing phishing emails disguised as voicemail notifications.

The campaign was originally detected in May and is still ongoing with considerable success. The attack chain follows a standard phishing flow, with a couple of atypical techniques that have likely contributed to the campaigns’ success.

It involves a voicemail-themed notification email sent to the victim which contains a HTML attachment which, when opened, will redirect the user to a credential phishing site, the end goal of the threat actor is to harvest Office 365 credentials of the victim.

One of the techniques utilised is the use of HTML attachments, these often bypass email gateway filters because they aren't typically malicious and won’t be unusual to see in a voicemail notification setting. For added authenticity, the "From" fields in the emails are crafted specifically to align with the targeted organisation's name and URLs are custom created to match the targeted company.

Before the victim can access the page, a Google reCAPTCHA check pops up; an increasingly popular technique for evading automated URL analysis tools.

Although the campaign identified is primarily targeting the US presently, it is significantly similar to Office365 themed phishing campaigns identified seen globally. The tactics, techniques and procedures used by threat actors to evade detection continue to evolve, and it is almost certain the techniques used in this campaign will be applied elsewhere.

Microsoft365 is used by more than one million companies, and on average 250 million users, as such it remains an attractive target for threat actors globally.

Threat actors are crafting increasingly sophisticated, highly convincing attacks that many people simply can’t distinguish from legitimate actions.

Microsoft 365-related attacks and phishing campaigns remain a prevalent attack vector because they typically blend in with normal workday activities, and with such a high volume of accounts, threat actors have a better chance of reaching targets with low level security awareness.

These attacks predominantly exploit human vulnerabilities, and it is therefore important to deploy a mix of technical controls as well as tackling the human issue through education and training.

Technical controls include the following:

• Implement anti-spoofing controls (DMARC)
• Consider what information is open source that could be used by a threat actor
• Filter/blocking on known phishing domains and other indicators of compromise
• Implementation of multi-factor authentication

Read our latest blog on phishing, including how to spot the signs and what to do if you have clicked something you shouldn't have: Let’s remind ourselves about phishing...

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).