Researchers are warning of a coordinated attack that is targeting the Microsoft Office 365 login credentials of numerous enterprise organizations. The criminals behind the attack are leveraging hundreds of compromised, legitimate email accounts to target users with malicious documents that are designed to harvest their credentials. The researchers at Abnormal Security state “The widespread use of hundreds of compromised accounts and never-seen-before URLs indicate the campaign is designed to bypass traditional threat intelligence solutions accustomed to permitting known but compromised accounts into the inbox.” The attack starts by convincing email recipients that they received an email that impersonates companies like eFax and directs the user to click on an attachment that redirects the user to an official-looking page designed to harvest credentials. This technique makes detection difficult because as soon as one email is caught, the attackers appear to be running a script that changes the attack to a new impersonated sender and phishing link to continue that campaign.
As with any phishing campaign, when an email is received that contains a link from an untrusted source, the recipient should attempt to verify the email. Since the email is coming from a compromised account, this can be harder to do if the threat actor is monitoring the account. It is also highly recommended that any/all email filter programs are kept up to date. Knowing that some employees will likely see the fake login pages and will have to decide for themselves whether they are legitimate or not, enterprise defenders should emphasize the importance of Multi-Factor Authentication (MFA) to protect accounts even when a password is compromised while continuing to educate employees about how to spot phishing attacks.
Source Article: https://threatpost.com/microsoft-office-365-credentials-attack-fax/162232/?web_view=true