Threat Watch

Phishing With Fake Office 365 Login Page From Email Regarding VPN Configs

Office 365 users are being targeted with a new phishing campaign that mimics notifications from their organization to update their VPN configurations. According to researchers at Abnormal Security, these fraudulent emails impersonate the recipient's IT department and have been received by around 15,000 inboxes so far. With so many employees working from home and VPN usage greatly increased, attackers are taking advantage. The attackers spoof the sender's email address to match the domain of the target's organization and claim to alert the recipient to a new VPN configuration that must be applied in order to continue working from home. When the user clicks the link, it redirects them to a fake Office 365 landing page that is designed to steal login credentials. The landing page is a cloned Office 365 page hosted on the Microsoft-owned web.core.windows.net domain. It abuses the Azure Blob Storage service, which comes with a valid Microsoft certificate, to make the phishing attempt difficult to detect. According to Abnormal Security, there are numerous versions of the attack across multiple clients, but the same payload link is employed in all of them, which leads the researchers to believe that a single attacker is responsible for this new scheme.

ANALYST NOTES

These attacks can be thwarted by setting up a custom Office 365 block rule (instructions linked below) or by taking advantage of the Office 365 ATP Safe Links premium feature to automatically block phishing sites hosted on web.core.windows.net. If the block rules are not configured, the recipient can hover the mouse over the link, without clicking it, and look at the URL. The official Office 365 login pages are only hosted on one of three domains: microsoft.com, live.com, or outlook.com. Any other domain should not be trusted.
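The hover check described above can be automated for links pulled from a message body. The following is an added example, not code from the original article or from Abnormal Security: it compares each link's hostname against the three domains listed in these notes on a label boundary, so lookalike hostnames and `user@host` tricks do not pass. The function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains the analyst notes list as hosting official Office 365 login pages.
TRUSTED_LOGIN_DOMAINS = ("microsoft.com", "live.com", "outlook.com")
# Azure Blob Storage hosting domain named in the report.
BLOB_HOSTING_SUFFIX = "web.core.windows.net"


def _host(url):
    """Return the lowercase hostname the browser would actually contact."""
    try:
        # .hostname drops any userinfo ("user@") and port from the authority.
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return host.lower().rstrip(".")


def _under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_login_link(url):
    """Classify a link that claims to lead to an Office 365 sign-in page."""
    host = _host(url)
    if not host:
        return "untrusted"  # no scheme or unparsable: cannot be verified
    if _under(host, BLOB_HOSTING_SUFFIX):
        return "blob-hosted"  # valid Microsoft certificate, not a login domain
    if any(_under(host, d) for d in TRUSTED_LOGIN_DOMAINS):
        return "trusted"
    return "untrusted"


# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://login.microsoft.com/common/oauth2/authorize",
    "https://vpnconfig-example.z13.web.core.windows.net/index.html",
    "https://login.microsoft.com.example.net/signin",
    "https://login.live.com@example.net/signin",
    "https://notoutlook.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_login_link(link):12} {link}")
```

The allowlist is exactly the one given in these notes; an organization that signs in through other domains would need to extend it.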

To read more: https://www.bleepingcomputer.com/news/security/office-365-phishing-baits-remote-workers-with-fake-vpn-configs/

Instructions for setting up custom blocking rules can be found here: https://malware-research.org/simple-rule-to-protect-against-spoofed-windows-net-phishing-attacks/