Have You Received a VPN Configuration Notification? It’s Fake!

What’s the matter?

• According to the security company Abnormal Security, phishers are using fake VPN configuration notifications to steal employees’ Office 365 credentials.
• The phishing campaign spoofs a notification email from the IT support at the victims’ company. The sender’s email address is mimicked to impersonate the victim organizations’ domains. Allegedly, the link enclosed in the email directs the targets to a new VPN configuration for home access.
• However, the link didn’t redirect targets to a new VPN configuration. Instead, it landed the recipients to a phishing page hosted on a Microsoft .NET platform.

Attackers like to ape around

• By hosting their malicious resource on the Azure Blob Storage platform, the attackers created a phishing page that looked like a valid Microsoft certificate. This resource suited Microsoft's website design, which appeared similar to the real Office 365 login page.
• Several such attacks have been observed across different organizations, from unique sender emails and originating from discrete IP addresses. Nevertheless, the same payload link was used by all such attacks, indicating that they were sent by a single attacker that handles the phishing page.

Is Office 365 attackers’ favorite?

• In May 2020, attackers were seen impersonating notifications from Microsoft Teams to steal the Office 365 credentials of employees.
• In February 2019, the email security firm, Edgewave, found two phishing campaigns leveraging Microsoft’s Azure Blob Storage to steal users’ Office 365 credentials. By utilizing SSL certificates and the windows.net domain to look legitimate, the attackers created convincing landing pages in both the campaigns.
• The Azure Blob storage was used to host a phishing form to steal Microsoft account details in October 2018. In the attack, the hackers sent out spam emails containing PDF attachments that purported to be from a Denver-based law firm.

What to infer?