Microsoft has warned Office 365 customers that they're being targeted by a widespread phishing campaign aimed at nabbing usernames and passwords.
The ongoing phishing campaign uses multiple links; clicking on them triggers a series of redirections that lead victims to a Google reCAPTCHA page and then to a bogus login page where Office 365 credentials are stolen. This particular attack relies on 'open redirects', a feature of email sales and marketing tools that has been abused in the past to send a visitor who expects a trustworthy destination to a malicious site instead. Google doesn't rate open redirects for Google URLs as a security vulnerability, but it does display a 'redirect notice' in the browser.
Pravin Kothari, Senior Vice President of SASE Products at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, says this isn't complex for hackers to pull off:
"This particular incident demonstrates how attackers target individuals on particular cloud platforms, such as Microsoft Office, in order to steal corporate login credentials. It’s not very complex for an attacker to build a webpage that looks like a Microsoft login page and spoof the URL to appear legitimate at a quick glance. As soon as the target enters their login credentials, the attacker can use them and log in from their own device and access corporate resources. Login credentials are often the same for all work apps, so even if the victim is phished on Microsoft Office, the attacker could try those credentials for a myriad of SaaS and IaaS apps to gain access to the organization’s most sensitive and valuable data.
With cybercriminals now heavily targeting cloud platforms and subsequently taking over employee accounts, every organization should be prioritizing cloud security and cloud data protection. While many organizations have implemented strong password controls or Single Sign-on, they have not added adaptive or contextual access control to their access management. Organizations need to implement a security strategy that protects users, devices, and data from the individual endpoint up to the cloud. These phishing attacks are particularly effective on mobile devices. This is because smartphones and tablets have simplified interfaces that hide many red flags indicative of phishing attacks. They can also deliver phishing links through email, SMS, social media platforms, third-party messaging apps, gaming and more.
Organizations need to implement a cloud access security broker (CASB) solution that can detect anomalous logins and activity indicative of a compromised account through user and entity behavior analytics (UEBA). A CASB built for today’s threat landscape enables automated zero-trust, adaptive access control, and rights management capabilities. For example, if a user logs out in New York then suddenly logs in from Moscow only a few minutes later, or starts accessing and exfiltrating highly sensitive files, then the organization can create policies to revoke that employee’s access. This can prevent attackers from exfiltrating data or encrypting and locking files as part of an advanced cyberattack such as ransomware."
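The impossible-travel rule in the quote above (a sign-out in New York followed minutes later by a sign-in from Moscow), worked through as an added example that is not from the article or from Lookout: a Python check over constructed sign-in events. The coordinates, the 900 km/h threshold and the event layout are assumptions for this example, not a real SIEM schema.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: (UTC timestamp, user, city, lat, lon). A real
# feed would carry the source IP and a GeoIP lookup would supply lat/lon.
SIGNIN_EVENTS = [
    ("2021-08-26T13:00:00", "alice", "New York", 40.7128, -74.0060),
    ("2021-08-26T13:07:00", "alice", "Moscow", 55.7558, 37.6173),
    ("2021-08-26T09:00:00", "bob", "London", 51.5074, -0.1278),
    ("2021-08-26T17:30:00", "bob", "Paris", 48.8566, 2.3522),
]

# An implied speed above this between two sign-ins is treated as implausible
# for one person (roughly airliner cruising speed). Assumed threshold.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km/h) for each implausible hop.
    Events are grouped per user and time-sorted; each consecutive pair is checked."""
    by_user = {}
    for ts, user, city, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, hops in by_user.items():
        hops.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(hops, hops[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist == 0:
                continue  # same place: nothing to flag
            # Two distant sign-ins at the same instant imply infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(speed, 1)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNIN_EVENTS):
        print("impossible travel:", alert)
```

In a real deployment the alert would feed the access-revocation policy the quote describes rather than a print statement.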
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington, D.C.-based provider of cloud identity security solutions, emphasizes the need for password hygiene:
"Good password hygiene must be part of employee training and cyber security awareness training. The average employee isn't properly trained in cyber hygiene and best practices, making them easy targets for cybercriminals looking to access an organization's networks quickly and easily via a phishing attack or clever social engineering. Ensuring that employees at all levels of the business are given acceptable training about how to identify malware-laced emails and other basic attempts at credential theft can be a significant step to help lessen the success rate of an attack or at least raise an alert. By normalizing training within the culture of the workplace, organizations can help maintain vigilance for these practices long term."