Attackers Pick up Nasty Phishing Tactic to Gain Full Access to Users' Data Stored in the Cloud

  • The phishing lure, which starts with a spoofed link, is being widely used by attackers to ensnare users of many other cloud providers.
  • The phishing attack targets Office 365 users with an email that contains a malicious link within.

In early December 2019, security experts began observing a sophisticated phishing scheme targeting Office 365 users. The phishing lure, which starts with a spoofed link, is being widely used by attackers to ensnare users of many other cloud providers.

An overview of the tactic

  • The phishing attack targets Office 365 users with an email that contains a malicious link within.
  • The link takes the recipient to a convincing fake Office 365 login page titled ‘login.microsoftonline.com’.
  • To an unsuspecting user the malicious link looks normal and legitimate, but it secretly pushes an app named officesuited[.]com: the link tells Microsoft to forward the authorization token produced by the target user’s successful login to that app.
  • From there, the user is presented with a prompt saying the app requests permission to read email, contacts and OneNote notebooks, access the user’s files, read and write mailbox settings, sign in and read the user’s profile, and maintain access to that data.

According to PhishLabs, the app that generates this request was created using information apparently stolen from a legitimate organization.

The interesting aspect of the attack is that the attackers are abusing Outlook’s ‘add-ins’ feature, which is built for third-party developers. An add-in can be installed from a file, from a URL, or from the Office Store.

What does this new phishing tactic mean?

PhishLabs’ Michael Tyler sees such attacks as closer to malware than to traditional phishing, which tries to trick someone into giving their password to scammers.

“The difference here is instead of handing off credentials to someone, they are allowing an outside application to start interacting with their Office 365 environment directly,” explained Tyler, KrebsOnSecurity reported.

The scary part of these attacks is that once a user grants the malicious app permission to read their files and emails, the attackers keep access to the account even after the user changes the password.

Furthermore, the malicious app is not visible as an add-in at the individual user level; only the system administrator responsible for managing user accounts can see that the app has been approved.

Bottom line

Microsoft has disabled the malicious app being served from officesuited[.]com sometime around December 19, 2019. It is also continuously monitoring for potential new variations of this malicious activity and will disable them as they are identified.

Apart from this, Office 365 administrators are also required to periodically look for suspicious apps installed in their Office 365 environment.
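The permission prompt described in the overview and the administrator review advised here both come down to the same data: the OAuth2 consent grants recorded in the tenant. The following triage script is an added example, not code from the article, PhishLabs, Microsoft or KrebsOnSecurity. It assumes grants have been exported from the tenant in the shape of the Microsoft Graph `oauth2PermissionGrant` resource (clientId, consentType, principalId, scope) joined with the consenting service principal's display name, appId and publisher status; the mapping from the prompt wording ("read email", "maintain access") to Graph delegated scope names is my reading and is marked as such in the code, and every sample grant below is constructed.

```python
"""Triage exported OAuth2 consent grants for consent-phishing abuse.

Added example; not the article's or any vendor's code. Record fields mirror
the Microsoft Graph oauth2PermissionGrant resource plus the client service
principal's name, appId and publisher status. All sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Delegated Graph scopes that correspond to the permissions the consent
# prompt in the article asks for. This mapping is my interpretation of the
# prompt wording, not something the article states.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read email",
    "Mail.ReadWrite": "read and write email",
    "Contacts.Read": "read contacts",
    "Notes.Read": "read OneNote notebooks",
    "Files.Read": "access files",
    "Files.ReadWrite": "read and write files",
    "MailboxSettings.ReadWrite": "read and write mailbox settings",
    "offline_access": "maintain access (refresh token outlives a password reset)",
}


@dataclass
class ConsentGrant:
    client_display_name: str   # service principal displayName
    client_app_id: str         # service principal appId
    publisher_verified: bool   # whether the app has a verified publisher
    consent_type: str          # "Principal" (one user) or "AllPrincipals" (admin)
    principal_id: Optional[str]  # consenting user's objectId, None for admin consent
    scope: str                 # space-separated delegated scopes, as in Graph


@dataclass
class Finding:
    app: str
    app_id: str
    user: str
    risk: int
    reasons: List[str] = field(default_factory=list)


def triage_grant(g: ConsentGrant) -> Optional[Finding]:
    """Score one grant; return None when it only carries sign-in scopes."""
    scopes = set(g.scope.split())
    risky = sorted(s for s in scopes if s in HIGH_RISK_SCOPES)
    if not risky:
        return None
    reasons = [f"{s}: {HIGH_RISK_SCOPES[s]}" for s in risky]
    risk = len(risky)
    # offline_access is what lets the app keep working after a password change.
    if "offline_access" in scopes:
        risk += 2
        reasons.append("persists after password reset")
    # An unverified publisher is the usual profile of a throwaway phishing app.
    if not g.publisher_verified:
        risk += 2
        reasons.append("publisher not verified")
    # Admin consent exposes every mailbox in the tenant, not just one user's.
    if g.consent_type == "AllPrincipals":
        risk += 3
        reasons.append("tenant-wide admin consent")
    return Finding(g.client_display_name, g.client_app_id,
                   g.principal_id or "<all users>", risk, reasons)


def triage_tenant(grants: List[ConsentGrant]) -> List[Finding]:
    """Return all non-trivial findings, highest risk first, for admin review."""
    findings = [f for f in (triage_grant(g) for g in grants) if f is not None]
    return sorted(findings, key=lambda f: f.risk, reverse=True)


# Constructed sample export: one grant shaped like the attack in the article,
# one ordinary first-party app, one verified add-in with narrower scope.
SAMPLE_GRANTS = [
    ConsentGrant("Office Suite Helper", "00000000-0000-0000-0000-00000000beef",
                 False, "Principal", "user-0001",
                 "User.Read Mail.Read Contacts.Read Notes.Read Files.Read "
                 "MailboxSettings.ReadWrite offline_access"),
    ConsentGrant("Microsoft Teams", "00000000-0000-0000-0000-0000000000aa",
                 True, "AllPrincipals", None, "User.Read openid profile"),
    ConsentGrant("CRM Contact Sync", "00000000-0000-0000-0000-0000000000bb",
                 True, "Principal", "user-0002",
                 "User.Read Contacts.Read offline_access"),
]

if __name__ == "__main__":
    for f in triage_tenant(SAMPLE_GRANTS):
        print(f"[risk {f.risk:2d}] {f.app} ({f.app_id}) consented by {f.user}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against a real export (for instance the JSON from Microsoft Graph's `/oauth2PermissionGrants` endpoint joined with `/servicePrincipals`), the top of the list is where an administrator would look first; revoking the grant, not resetting the user's password, is what actually cuts off an app that holds `offline_access`.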