In a recent report by Sergiu Gatlan at Bleeping Computer, he covers the details of a phishing campaign being tracked by the Security Intelligence Team at Microsoft. The campaign, which aims to trick targeted individuals into typing their Microsoft account password into a fake Microsoft logon page, is attempting to utilize multiple methods to evade detection as well as analysis. One such technique is the use of multiple redirections in a chain with a unique subdomain for each target, using the recipient username and the organization name in the subdomains. This results in a wide variety of unique URLs that are harder for defenders to share with each other and proactively block in network security controls. Microsoft also noted that to increase the appeal of the subdomain, it would include a random list of strings such as “Password Update”, “Exchange proteccion”, “Helpdesk-#”, “SharePoint”, or “Projects_communications” in an attempt to have an increased click rate to the redirect. The redirect subdomain also can detect sandboxes to evade analysis. If a sandbox is detected, it sends traffic to a legitimate site. Once the landing page to the phishing site is collected, the heavily obfuscated page adds another step to prevent more in-depth research.
Analyst Notes
These sophisticated phishing campaigns are becoming more common as the availability of sandboxes has grown, and attackers gain insight into how to detect and avoid them. Knowing that some employees will likely see the fake login pages and will have to decide for themselves whether they are legitimate or not, enterprise defenders should emphasize the importance of Multi-Factor Authentication (MFA) to protect accounts even when a password is compromised while continuing to educate employees about how to spot phishing attacks. While automated analysis will fail in triaging the final page fully, using other manual options will better understand what the phish is attempting to extract from a user. Advice such as this requires a layered approach that starts with detection or user training to alert IT, or their internal security contact is an excellent first step. However, it is also hard to scale, so having controls to monitor and detect unusual user activity and collecting web traffic will allow for triaging without a user’s notification. Having DNS traffic logged will also work well to catch suspicious subdomains. It may be helpful for defenders to receive an alert whenever their company name is used as a subdomain to a base domain that has never been seen before.
References:
We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc. pic.twitter.com/OiAHBfMNiD
— Microsoft Threat Intelligence (@MsftSecIntel) November 16, 2020
https://www.bleepingcomputer.com/news/security/office-365-phishing-campaign-detects-sandboxes-to-evade-detection/
