Attackers are attempting to compromise the accounts of Office 365 admins in an ongoing campaign. According to Phishlabs' Michael Tyler, the criminals are sending the phishing emails from the infrastructure of legitimate organizations while spoofing the Microsoft or Office 365 brand in the message itself.
Sending from a real organization's mail servers lowers the chance that the emails will be blocked by a spam filter, because the sending domain has a clean reputation. In one of Phishlabs' cases, the attacker compromised an admin to gain control of an Office 365 tenant and used that access to create a new account that was then used to distribute the campaign further. Creating a new account also made the attack stealthier: the outgoing phishing mail no longer passed through the compromised admin's own mailbox, where it might have been noticed.
“Threat actors target administrative credentials for several reasons. For starters, Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain,” explained Tyler in a blog post.
“In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.”
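The post-compromise steps described above (an admin creating a new account and handing it privileges or mail rules) leave a trail in the Office 365 unified audit log. The following is an added example, not code from the article or from Phishlabs, that triages an export of that log offline. The log lines are constructed for the example; the field names follow the AuditData JSON that `Search-UnifiedAuditLog` returns, and the tenant, user names and the role name list are assumptions. It matches follow-on activity anywhere later in the export rather than within a time window, so narrow the export's date range when running it on real data.

```python
"""Triage an Office 365 unified audit log export for newly created accounts
that were then granted an admin role or used to create inbox rules.
Added example, not the article's or Phishlabs' code; sample records are constructed."""
import json

# Constructed sample export, one AuditData JSON object per line (as from
# `Search-UnifiedAuditLog ... | Select -ExpandProperty AuditData`). Names are made up.
SAMPLE_LOG = """
{"CreationTime": "2019-11-12T08:02:11", "Operation": "UserLoggedIn", "UserId": "admin@example.org", "ObjectId": "Unknown", "ResultStatus": "Succeeded", "Workload": "AzureActiveDirectory", "ClientIP": "203.0.113.5"}
{"CreationTime": "2019-11-12T08:05:43", "Operation": "Add user.", "UserId": "admin@example.org", "ObjectId": "svc-mailer@example.org", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2019-11-12T08:06:10", "Operation": "Add member to role.", "UserId": "admin@example.org", "ObjectId": "svc-mailer@example.org", "ResultStatus": "Success", "Workload": "AzureActiveDirectory", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Company Administrator"}]}
{"CreationTime": "2019-11-12T08:09:30", "Operation": "New-InboxRule", "UserId": "svc-mailer@example.org", "ObjectId": "svc-mailer@example.org", "ResultStatus": "True", "Workload": "Exchange", "Parameters": [{"Name": "DeleteMessage", "Value": "True"}, {"Name": "SubjectContainsWords", "Value": "undeliverable"}]}
{"CreationTime": "2019-11-13T09:00:00", "Operation": "Add user.", "UserId": "hr@example.org", "ObjectId": "newhire@example.org", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}
"""

# Assumed set of role display names worth alerting on; extend for your tenant.
ADMIN_ROLES = {"Company Administrator", "Global Administrator", "Exchange Administrator"}


def parse_audit_export(text):
    """Parse one AuditData JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_new_accounts(records):
    """Return {new_account: info} for every 'Add user.' event, attaching the
    role grants to that account and the inbox rules it created later in the export."""
    created = {}
    for r in records:
        if r.get("Operation") == "Add user.":
            created[r["ObjectId"].lower()] = {
                "created_by": r["UserId"].lower(),
                "created_at": r["CreationTime"],
                "roles_granted": [],
                "inbox_rules": [],
            }
    for r in records:
        op = r.get("Operation")
        target = r.get("ObjectId", "").lower()   # account acted upon
        actor = r.get("UserId", "").lower()      # account performing the action
        if op == "Add member to role." and target in created:
            for prop in r.get("ModifiedProperties", []):
                if prop.get("Name") == "Role.DisplayName":
                    created[target]["roles_granted"].append(prop["NewValue"])
        elif op == "New-InboxRule" and actor in created:
            created[actor]["inbox_rules"].append(
                {p["Name"]: p["Value"] for p in r.get("Parameters", [])})
    return created


def suspicious_accounts(triage):
    """Accounts that received an admin role or created inbox rules after creation.
    Returns (account, creator, reasons) tuples; the attacker's sending account in the
    Phishlabs case would surface here, an ordinary new hire would not."""
    out = []
    for name, info in sorted(triage.items()):
        reasons = []
        if set(info["roles_granted"]) & ADMIN_ROLES:
            reasons.append("admin role granted: " + ", ".join(info["roles_granted"]))
        if info["inbox_rules"]:
            reasons.append("%d inbox rule(s) created" % len(info["inbox_rules"]))
        if reasons:
            out.append((name, info["created_by"], reasons))
    return out


if __name__ == "__main__":
    triage = triage_new_accounts(parse_audit_export(SAMPLE_LOG))
    for account, creator, reasons in suspicious_accounts(triage):
        print(f"{account} (created by {creator}): " + "; ".join(reasons))
```

On real data, the creator field is the lead worth following: an account created by an admin who then also granted it a privileged role, outside of any change ticket, points at the admin credential itself being compromised, which is the scenario Tyler describes.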
Thankfully, the scam emails are not entirely convincing. Many admins are likely to spot the inconsistencies, but it is always possible to slip up when in a rush. In the example email, the recipient was told that their Office 365 Business Essentials email was ready.
Office 365 is the most commonly impersonated brand in phishing attempts, owing to its massive reach and strong presence in the enterprise. Earlier this month we saw an Office 365 voicemail campaign; like this latest attack, its primary purpose appeared to be harvesting more account credentials. As always, enterprises should be wary of such attacks, enforce multi-factor authentication on admin accounts in particular, and consider security software to aid in prevention.