
Sophisticated Microsoft Spoof Targets Financial Departments

What's this blog post about?

Area 1 Security recently stopped a sophisticated Microsoft Office 365 credential harvesting campaign targeting C-suite executives, high-level assistants, and financial departments across numerous industries. The attackers used several techniques to bypass email authentication and Microsoft's email defenses. These included legitimate-looking domains and login pages, advanced phishing kits, and the exploitation of inherent weaknesses in email authentication protocols. The campaign targeted specific individuals at each company, with a large majority of the attacks aimed at financial controllers and treasurers across various international companies. By targeting financial departments, the attackers could potentially gain access to sensitive third-party data through invoices and billing, an attack commonly referred to as BEC (Business Email Compromise). The phishing messages contained just enough detail to lure unsuspecting targets into opening the attachment, which was a PDF, HTML, or HTM file. Once the target clicked the "Apply Update" button or opened the HTML/HTM attachment, their browser was directed to one of several spoofed Office 365 login pages. The attackers used free-use licenses for front-end web development to help create an advanced phishing kit to clone the Microsoft login page.

Company
Cloudflare

Date published
March 18, 2021

Author(s)
Elaine Dzuba

Word count
2281

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.