The war between organizations and threat actors has become a constant cat-and-mouse game. Attackers keep changing their tactics, techniques, and procedures to evade detection. Microsoft recently warned about a spear-phishing campaign that has been ongoing since July 2020. The campaign targets Microsoft Office 365 users. Since its inception, Microsoft Office 365 has become an integral part of millions of businesses. This dependence has created a massive attack surface for cybercriminals.
About the campaign
The hackers changed their obfuscation and encryption techniques every 37 days. This implies that the gang is highly motivated and possesses sophisticated detection-evasion mechanisms.
It is surmised that the attackers are attempting to siphon off usernames, passwords, locations, and IP addresses to leverage in future attacks.
These phishing emails can bypass email security solutions.
The latest technique employed by the group entails showing a fake error message as the target types in their password. The credentials are subsequently sent to the group’s C2 server and the victim is none the wiser.
Some Office 365 phishing facts
Office 365 phishing is the top threat to corporations. During Q2 20201, 51% of credential theft attacks targeted Office 365 accounts.
Around 70% of corporate Office 365 implementations experienced an account takeover.
In the past 12 months, four out of five IT security teams have suffered cybersecurity threats and attacks.
Other spear-phishing attacks
While the above spear-phishing campaign targets Office 365 users, some other recent campaigns are worth noting too.
The Confucius threat actor, in a spear-phishing campaign, was found leveraging Pegasus-related lures.
The Aggah threat actor launched a spear-phishing campaign against Asian manufacturing industries.
The bottom line
To this day, spear-phishing continues to be one of the most popular attack methods. Moreover, with the increasing sophistication of attackers’ techniques, tactics, and procedures, such emails have become more convincing and effective. While there is no silver bullet that can protect organizations from falling victim to such attacks, organizations can take proactive measures to reduce their attack surface and risks.