Microsoft has warned Office 365 customers that they're being targeted by a widespread phishing campaign aimed at nabbing usernames and passwords.
The ongoing campaign uses multiple links; clicking one triggers a series of redirections that end at a Google reCAPTCHA page, which in turn leads to a bogus login page where Office 365 credentials are stolen. The attack relies on 'open redirects', a feature used by email sales and marketing tools that has been abused in the past to send a visitor from a trustworthy destination on to a malicious site. Google does not rate open redirects on Google URLs as a security vulnerability, but it does display a 'redirect notice' in the browser.
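A defender-side check for the link shape described above (a trusted-looking host forwarding the visitor to whatever URL sits in a query parameter, possibly several hops deep). This is an added example, not code from Microsoft's report or from Lookout; the hostnames are constructed and the set of trusted sign-in hosts is an assumption.

```python
"""Flag e-mail links that carry another URL inside a query parameter, the
shape an abused open redirect takes. Added example; sample hosts constructed."""
from urllib.parse import urlparse, parse_qs, unquote

# Hosts the organisation genuinely expects users to sign in to (assumption).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}


def find_embedded_urls(link, depth=0, max_depth=5):
    """Return the chain of absolute URLs nested in `link`'s query parameters.

    Redirect services are driven by a parameter that names the next hop, so
    each hop is found by decoding parameter values and recursing into any
    that parse as an http(s) URL. `max_depth` bounds pathological nesting.
    """
    chain = []
    for values in parse_qs(urlparse(link).query).values():
        for value in values:
            candidate = unquote(value)          # tolerate double encoding
            inner = urlparse(candidate)
            if inner.scheme in ("http", "https") and inner.netloc:
                chain.append(candidate)
                if depth < max_depth:
                    chain.extend(find_embedded_urls(candidate, depth + 1, max_depth))
    return chain


def classify_link(link):
    """Return ('clean' | 'redirect' | 'suspicious', final_host) for a mail filter.

    'suspicious' means the chain ends on a host that is neither the sender's
    own domain nor a trusted sign-in host: the pattern described in the article,
    where a legitimate-looking first hop hides the credential-harvesting page.
    """
    chain = find_embedded_urls(link)
    if not chain:
        return "clean", None
    outer_host = urlparse(link).netloc.lower()
    final_host = urlparse(chain[-1]).netloc.lower()
    if final_host != outer_host and final_host not in TRUSTED_LOGIN_HOSTS:
        return "suspicious", final_host
    return "redirect", final_host
```

The classification is a triage signal for a mail gateway or SOC playbook; the full chain from `find_embedded_urls` is what an analyst would record alongside the verdict.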
Pravin Kothari, Senior Vice President of SASE Products at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, says this isn't complex for hackers to pull off:
"This particular incident demonstrates how attackers target individuals on particular cloud platforms, such as Microsoft Office, in order to steal corporate login credentials. It’s not very complex for an attacker to build a webpage that looks like a Microsoft login page and spoof the URL to appear legitimate at a quick glance. As soon as the target enters their login credentials, the attacker can use them and log in from their own device and access corporate resources. Login credentials are often the same for all work apps, so even if the victim is phished on Microsoft Office, the attacker could try those credentials for a myriad of SaaS and IaaS apps to gain access to the organization’s most sensitive and valuable data.
With cybercriminals now heavily targeting cloud platforms and subsequently taking over employee accounts, every organization should be prioritizing cloud security and cloud data protection. While many organizations have implemented strong password controls or Single Sign-on, they have not added adaptive or contextual access control to their access management. Organizations need to implement a security strategy that protects users, devices, and data from the individual endpoint up to the cloud. These phishing attacks are particularly effective on mobile devices. This is because smartphones and tablets have simplified interfaces that hide many red flags indicative of phishing attacks. They can also deliver phishing links through email, SMS, social media platforms, third-party messaging apps, gaming and more.
Organizations need to implement a cloud access security broker (CASB) solution that can detect anomalous logins and activity indicative of a compromised account through user and entity behavior analytics (UEBA). A CASB built for today’s threat landscape enables automated zero-trust, adaptive access control, and rights management capabilities. For example, if a user logs out in New York then suddenly logs in from Moscow onl