Posted on June 6, 2020 at 12:38 PM
Hackers Impersonate VPNs to Launch Phishing Attacks on Office 365
With a lot of people now working from home, the use of VPNs has increased tremendously. As a result, cybercriminals are taking advantage of the VPN boom to send phishing emails to unsuspecting users.
Many organizations rely on VPN technology so employees can connect securely to the corporate network and work from home. Bad actors are now using that dependency as a lure, sending phishing emails dressed up as VPN notices to trick employees.
Yesterday, security researchers reported that attackers are impersonating VPN notifications in phishing emails designed to get recipients to disclose their Microsoft Office 365 credentials.
According to an advisory from Abnormal Security, the recent attacks impersonate a notification email and use it to deceive the intended recipient.
“The attack impersonates a notification email from the IT support at the recipients’ company,” the advisory stated.
The attacker spoofs the sender's email address so that it appears to come from the target's own organization. The email claims that the link leads to a new VPN configuration for home access. Although the link text looks related to the target's organization, the hyperlink actually takes the user to a phishing page built to harvest Office 365 credentials.
Different senders, one campaign
Although the messages appear to come from different senders and different IP addresses, each email carries an identical payload, which suggests they all originate from the same group.
According to the researchers, the landing page is hosted on Microsoft infrastructure (Azure Blob storage, served from the windows.net domain), so a user who trusts the hosting platform is shown a page that closely imitates the Office 365 login page.
The Abnormal Security team has advised users on how to stay safe from this threat. Users should be cautious about messages that ask them to change their password, and about emails from unknown senders that ask them to click a link to receive an offer or a service.
Abnormal Security researchers also said that about 15,000 targets have received this phishing email.
Attackers' landing page also carries a genuine Microsoft certificate
The actors behind these emails have put a lot of work into making both the phishing emails and the landing pages behind the links convincing.
The attackers obtained a genuine Microsoft certificate for their landing page by hosting it on Azure Blob storage: content uploaded to a storage account is served from a hostname under blob.core.windows.net, which Microsoft's own TLS certificate covers. The certificate only proves that the browser is talking to that Microsoft storage host; it says nothing about who uploaded the page. Many users treat a valid Microsoft certificate and a browser padlock as proof that a site is genuine, so the phishing page looks legitimate and users are more readily convinced to enter their Office 365 credentials.
Abnormal Security revealed that the campaign has spread rapidly, and several variants of the phishing email have been found in users' inboxes.
Users should only enter their Office 365 credentials on official login pages. The Office 365 sign-in page lives on login.microsoftonline.com; the other legitimate Microsoft login domains are outlook.com, live.com, and microsoft.com. A page on any other host, including a Microsoft-operated storage host such as blob.core.windows.net, should be treated as untrusted.
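The two checks above can be automated when triaging a suspicious message: does each link land on a legitimate Microsoft sign-in host (or the organization's own domain), and is the page parked on Azure Blob storage, whose hosts carry Microsoft's certificate no matter who uploaded the content. The following is an added example written for this page, not code from the original article or from Abnormal Security. The sample email, the organization domain example-corp.com, and the storage hostname are constructed for illustration; the trusted login domains are login.microsoftonline.com plus the three domains named above, and the certificate check shows why a valid *.blob.core.windows.net certificate does not vouch for the brand the page imitates.

```python
"""Triage links in a suspected VPN-themed Office 365 phishing email (added example)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts on which a genuine Office 365 / Microsoft account sign-in page may live.
# login.microsoftonline.com is the Office 365 sign-in host; the rest are the
# domains named in the article. Matched by domain suffix, so login.live.com passes.
TRUSTED_LOGIN_SUFFIXES = (
    "login.microsoftonline.com",
    "microsoft.com",
    "live.com",
    "outlook.com",
)

# Azure Blob storage public endpoint. Any storage account owner gets a hostname
# here, served under Microsoft's own *.blob.core.windows.net certificate.
AZURE_BLOB_SUFFIX = ".blob.core.windows.net"

# Constructed sample message modelled on the lure described in the article.
SAMPLE_EMAIL = """\
From: IT Support <it-support@example-corp.com>
To: jane.doe@example-corp.com
Subject: Action required: new VPN configuration for home access
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new VPN configuration is available for remote work.</p>
<p><a href="https://examplecorp-vpn-portal.blob.core.windows.net/vpn/index.html">Update VPN settings</a></p>
<p><a href="https://intranet.example-corp.com/helpdesk">Help desk</a></p>
</body></html>
"""


class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _ends_with_domain(host, domain):
    """True if host is domain itself or a subdomain of it (no substring matches)."""
    return host == domain or host.endswith("." + domain)


def link_verdict(url, org_domain=None):
    """Classify where a link lands: the org's own hosts, a trusted Microsoft
    login domain, an Azure Blob storage host, or anything else."""
    host = (urlsplit(url).hostname or "").lower()
    if org_domain and _ends_with_domain(host, org_domain.lower()):
        return "internal-host"
    if any(_ends_with_domain(host, s) for s in TRUSTED_LOGIN_SUFFIXES):
        return "trusted-login-host"
    if host.endswith(AZURE_BLOB_SUFFIX):
        return "azure-blob-hosted"
    return "untrusted-host"


def triage_email(raw_message, org_domain):
    """Parse a raw RFC 5322 message and flag it when the From header claims an
    internal sender while a link leaves both the org and Microsoft's login hosts."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    claims_internal = from_domain == org_domain.lower()

    collector = _HrefCollector()
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector.feed(body.get_content())

    links = [(url, link_verdict(url, org_domain)) for url in collector.hrefs]
    suspicious = claims_internal and any(
        verdict in ("azure-blob-hosted", "untrusted-host") for _, verdict in links
    )
    return {
        "from_domain": from_domain,
        "claims_internal": claims_internal,
        "links": links,
        "suspicious": suspicious,
    }


def cert_covers(san_names, host):
    """RFC 6125-style name check: exact SAN match, or a wildcard in the leftmost
    label only. Shows that *.blob.core.windows.net covers any storage account
    hostname but never the real Office 365 sign-in host."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            label, sep, rest = host.partition(".")
            if sep and label and rest == name[2:]:
                return True
    return False


if __name__ == "__main__":
    result = triage_email(SAMPLE_EMAIL, "example-corp.com")
    for url, verdict in result["links"]:
        print(f"{verdict:20s} {url}")
    print("suspicious:", result["suspicious"])
    print(cert_covers(["*.blob.core.windows.net"], "login.microsoftonline.com"))
```

The verdict is a triage signal, not proof: an internal IT team could legitimately host a document on Azure storage, so the point of `triage_email` is to surface the combination the article describes (internal-looking sender, VPN pretext, link leaving both the organization and the trusted Microsoft login hosts) for a human to look at. `cert_covers` makes the certificate argument concrete: the browser padlock on the lure is valid because the storage hostname matches the wildcard, and it would be just as valid for any other tenant's upload.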
Microsoft 365 is now an all-access pass for phishers
Phishing email is the most common way cybercriminals use social engineering to deliver malware or harvest credentials. Attackers impersonate popular brands and companies to lure the people who use them, and they are increasingly targeting Microsoft 365 users to trick them into giving up their credentials.
Microsoft Office 365 credentials are highly valued on the dark web because they can give an attacker direct access to a company's mailboxes and documents, or a foothold from which to attack the rest of the corporate environment.
Employees, especially those in senior positions, often have access to highly sensitive company data, and it is this group that scammers target most. An attacker who compromises an Office 365 account can use it to reach further into the company's network.
This form of attack is especially dangerous because an attacker logging in with genuine credentials looks like the legitimate user; security systems cannot rely on the login itself and have to detect the compromise from other signals, such as an unusual location, device or time of sign-in.