PhishLabs has detected attempts to compromise Microsoft Office 365 administrator accounts as part of a broad phishing campaign.
In the campaign, the threat actor(s) delivered a phishing lure that impersonated Microsoft and their Office 365 brand but came from multiple validated domains – an educational institution for example – not belonging to Microsoft. If the victim clicked the link, they were presented with a spoofed login for Office 365.
Administrators often have privileges on other systems within an organisation, potentially allowing further compromises.
Office 365 Admins Singled Out in Phishing Campaign https://t.co/l2qo2Zpoia pic.twitter.com/xyH22DtdSy
— Eleanor Dallaway (@EleanorDallaway) November 18, 2019
We continue to see phishing emails against cloud emails continue to grow with more innovative ways and techniques. The big challenge with these attacks is due to the changing domains, the nature of wording and even the hiding of malicious pages behind captchas makes it extremely difficult, if not impossible, for technological offerings such as email gateways to effectively protect against.
Therefore, user awareness and training will remain the most effective and important step in protecting enterprises against such phishing attacks.
Other controls that can help minimise the impact of compromised credentials include multi factor authentication, and having good monitoring controls in place that can detect and raise alerts wherever suspicious activity is detected.
While a creative campaign, this type of attack is nothing new. Organisations are able to protect against attacks like these enforcing multi-factor authentication (MFA) within their corporate environments. Administrative accounts should be protected using strong MFA, such as hardware tokens or on-device biometrics to protect against more sophisticated OTP attacks. These solutions are currently the best methods by which organisations can protect themselves from such attacks, with MFA proven to prevent 99.9% of account takeovers.