During the last weeks of October, researchers at McAfee Labs observed a new phishing campaign that targets executives in an attempt to steal their Office 365 passwords. The phishing emails pose as voicemail notifications and typically carry an attached audio recording that sounds like a voicemail message, together with an attached HTML file that redirects the browser to a phishing website controlled by the attackers. The phishing website imitates an Office 365 login page and auto-fills the targeted person's email address. If the target enters their password into the login form, the attacker collects it and the website redirects to the real Office 365 login page to avoid suspicion.
A good defense-in-depth strategy includes a security service for email threat scanning and filtering. Many email protection services will detect these phishing messages and keep them from reaching employees' inboxes. Another important layer is two-factor authentication for employee logins to Office 365, VPNs, and other critical entry points into the company's information systems. Web requests for phishing pages can also be detected by a web proxy that checks domain names against reputation scores, or inspects page content for anything that looks like an Office 365 login page served from the wrong domain. The last line of defense against attackers who do obtain the password of one or more accounts is Managed Detection and Response (MDR), which can detect unusual behavior such as lateral movement or the use of backdoor malware that attackers might place on systems to establish persistent access. Phishing will remain a frequently used attacker technique, but good defenses can make it much harder for the attackers to succeed.
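As an added example (not code from McAfee's report), the Python below sketches two of the detection checks described above: triage of an HTML email attachment for an off-domain redirect and an embedded recipient address (the auto-fill trick), and a proxy-style check for Office 365 sign-in wording served from a host that is not Microsoft's. The allowlisted hosts, the keyword markers and the sample HTML are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft/Office 365 sign-in pages (assumption; extend for your tenant).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Wording a cloned Office 365 sign-in page tends to carry (assumed markers).
LOGIN_MARKERS = ("office 365", "sign in", "password")

# Matches the URL in a <meta http-equiv="refresh"> tag or a window.location assignment.
REDIRECT_RE = re.compile(
    r"""(?:http-equiv=["']refresh["'][^>]*url=|window\.location(?:\.href)?\s*=\s*["'])"""
    r"""(https?://[^"'\s>]+)""", re.IGNORECASE)

def extract_redirects(html):
    """Return every URL the HTML attachment would send the browser to."""
    return REDIRECT_RE.findall(html)

def is_legit_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host in LEGIT_LOGIN_HOSTS

def triage_attachment(html, recipient_email):
    """Flag the voicemail-phish pattern: redirect off Microsoft plus pre-filled recipient address."""
    findings = []
    for url in extract_redirects(html):
        if not is_legit_host(url):
            findings.append(f"redirect to non-Microsoft host: {urlparse(url).hostname}")
    if recipient_email.lower() in html.lower():
        findings.append("recipient address embedded (login form auto-fill)")
    return findings

def looks_like_o365_login(html, page_host):
    """Proxy-style check: Office 365 login wording served from a host that is not Microsoft's."""
    if page_host.lower() in LEGIT_LOGIN_HOSTS:
        return False
    text = html.lower()
    return all(marker in text for marker in LOGIN_MARKERS)

# Constructed samples; example.invalid is a reserved placeholder domain, not a real indicator.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://example.invalid/voice/?user=ceo@example.com">
</head><body>Loading voicemail...</body></html>"""

SAMPLE_PAGE = """<html><body><h1>Office 365</h1><form>
<input name="loginfmt" value="ceo@example.com"><input type="password" name="passwd">
<button>Sign in</button></form></body></html>"""

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ATTACHMENT, "ceo@example.com"))
    print(looks_like_o365_login(SAMPLE_PAGE, "example.invalid"))
```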