Office 365 users are being targeted with a new phishing campaign that mimics notifications from their organization to update their VPN configurations. According to researchers at Abnormal Security, these false emails impersonate their company’s IT department and have been received by around 15,000 inboxes so far. With so many employees working from home, and the hugely increased VPN usage, attackers are taking advantage. The attackers are spoofing the sender’s email to match the domain of their target’s organization and claiming to alert them to a new VPN configuration that they need to apply in order to continue working from home. When the user clicks the link, it redirects them to a fake Office 365 landing page that is designed to steal the login credentials. The landing page is a cloned Office 365 page hosted on the Microsoft owned web.core.windows.net domain, abusing the Azure Blob Storage service that comes with a valid Microsoft certificate to make it difficult to detect the phishing attempt. According to Abnormal Security, there are numerous versions of the attack across multiple clients, but the same payload link is employed in all the attacks, which leads them to believe that a single attacker is responsible for this new scheme.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in