Microsoft Office 365 users with admin accounts are receiving phishing emails made to look like they’re coming from Microsoft, according to PhishLabs. The emails are being delivered with the Microsoft Office 365 logo at the top and are coming from validated domains from a real organization’s 365 infrastructure. The sender’s name is “Services admin center” with the subject line reading “Action Required” or “We placed a hold on your account,” which is done to instill a sense of urgency in the receiver. “Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems,” stated PhishLabs. “This increases the deliverability and efficiency of phishing lures.” Links are included in the emails and if clicked, they take the potential victim to a fake Microsoft login page. Since the campaign involves using previously compromised Office 365 domains, it is likely that any domains that are compromised in the future will be used to continue launching attacks. No specific industry is being targeted in these attacks.
A great defense solution for this issue is to make use of filtering or alerting users based on domain reputation or age to help employees recognize the fake Microsoft login page. As long as all web requests from a company go through a web proxy server, whenever an employee starts loading a website, the web proxy can check the domain name of the website against a reputation score service. If the domain was just registered in the last month, or if it is known to be a domain of poor reputation or just doesn’t have much reputation yet at all, the web proxy can present the user with a warning page to be cautious of the site. After acknowledging the warning, the web proxy can still let the request go through but mark it as a potential security risk to be reviewed. More information, as well as IOCs, can be found here: