There is a new phishing email in the neighborhood, and even though it leads to a fake Office 365 login page, Microsoft struggles to detect it: for days now it has kept bypassing not just basic Microsoft email security but also the premium tier, Microsoft Defender for Office 365 (also known as Office ATP).
This phishing campaign, which BitDam ATP detected on first encounter in the UK on December 2nd, started small and within 24 hours was being sprayed widely. As I write this post it has already spread to the US and other countries, targeting organizations of all sizes across a variety of industries.
Like many other phishing attacks that aim to harvest Microsoft users' credentials, this one arrives by email. The message is dressed up as a Zoom meeting invitation containing the link to the video conference. All the messages are identical and look like this:
While the message isn't an exact copy of a genuine Zoom meeting invitation (a genuine one typically says 'Passcode' rather than 'PIN' and doesn't include the dial-in numbers), it is convincing enough to fool a user. Moreover, even a suspicious user is very likely to go ahead and click the link once they see that the URL looks perfectly legitimate.
Clicking the link leads to a fake Microsoft Outlook login page. In every instance of this attack we identified, the page was hosted on a Google service that allows user content hosting, such as googleusercontent.com or the Google Storage API. The phishing page looks like this:
We saw different URLs and hosting sites used in this campaign, but all of them led to web pages that look almost identical and try to phish for Microsoft credentials.
Not surprisingly, the attackers use a variety of URLs and keep changing them, probably to evade the reputation-based engines used by Microsoft and other security controls, which flag a link only after it has been in use for a while or has been reported as malicious. Unfortunately, in this campaign some of the URLs stayed live for 24 hours or more (we didn't check all of them, but the ones we did check were kept live far too long).
Why is this attack interesting?
It may be hard to believe, but we see phishing scams that bypass Office ATP every day. We even see plenty of phishing emails leading to fake Microsoft web pages that go undetected by Microsoft itself. Unfortunately, this isn't new either.
So what is interesting about this specific campaign? First, its volume. We saw it spreading quickly among our customers worldwide who use Microsoft email security, and Microsoft kept missing it again and again. Second, there is a new social engineering angle: the attackers could have used a clickable button instead of spelling out the entire URL, but they chose to write the URL into the email body to reduce suspicion, since some users won't click buttons or hyperlinks in unexpected emails. Having gained the user's trust early in the 'journey', the attackers make it more likely that the user keeps believing the story and enters credentials when asked.
Why does Microsoft’s Office ATP miss this attack?
We suspect that Microsoft misses this campaign because its email defenses rely on statistical models and reputation. As long as an attack is new and not yet widespread, Microsoft won't detect it. In addition, the constant churn of URLs used in this campaign makes it hard to track with reputation-based detection, and hosting the pages on legitimate Google domains makes it harder still.
BitDam, on the other hand, doesn't base its detection on knowledge of past attacks, which allows BitDam ATP to detect and stop new threats the first time they are seen.
How to avoid such attacks?
The easiest way is to augment the security you get from Microsoft with a dedicated, more advanced email security layer that uses a different technological approach and catches phishing attacks and other threats that Microsoft tends to miss while they are still new.
If you don't have such a solution in place, hover the mouse over the link and verify that it goes to the Zoom website. Note that many organizations use URL rewriting (e.g. Safe Links or urldefense), which hides the domain the URL actually points to: the link you see goes to the rewriting service, and the real destination is embedded inside the rewritten link. In that case it is OK to click the link, but never enter your Office 365 credentials. If you think about it, why would Zoom need your Office 365 authentication?
And last but not least, if you aren't sure about a link, you can always scan it using BitDam's online URL scanner and you'll know within seconds whether it's a phishing scam.
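As an added example (not code from BitDam, Microsoft or Proofpoint, and not part of the original post), the following Python script automates the hover check above and sees through the URL-rewriting wrappers that hide the destination from the user: it unwraps Safe Links and urldefense links, compares the real destination against Zoom's domains and the Google hosting domains this campaign used, and flags an anchor whose visible text shows one host while the href goes to another. The wrapper layouts, the domain lists (zoom.us and zoom.com; googleusercontent.com and storage.googleapis.com) and the sample email body are assumptions constructed for this example.

```python
"""Where does that Zoom link really go?

Added example, not BitDam's, Microsoft's or Proofpoint's code. It unwraps the
two URL-rewriting formats mentioned in the post (Microsoft Safe Links and
Proofpoint "urldefense") and checks the real destination the way a user
hovering over the link would. The wrapper layouts, the Zoom domain list, the
content-hosting domains and the sample e-mail body are all assumptions.
"""
import html
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Assumption: a genuine Zoom invite points at one of these registrable domains.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")
# Assumption: hostnames for the Google hosting services the post says were abused.
CONTENT_HOSTING_DOMAINS = ("googleusercontent.com", "storage.googleapis.com")


def _decode_urldefense_v2(u: str) -> str:
    """Proofpoint URL Defense v2 'u=' parameter (assumed layout): '/' is written
    as '_' and other reserved characters as '-XX' hex escapes."""
    s = u.replace("_", "/")          # must happen before '-5F' is decoded back to '_'
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def unwrap(url: str) -> str:
    """Return the destination hidden behind a rewriting wrapper, or url itself."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    q = parse_qs(p.query)            # parse_qs already percent-decodes the values
    if host.endswith("safelinks.protection.outlook.com") and q.get("url"):
        return q["url"][0]
    if host == "urldefense.proofpoint.com" and p.path.startswith("/v2/url") and q.get("u"):
        return _decode_urldefense_v2(q["u"][0])
    return url


def _host_of(text: str) -> str:
    """Hostname of a URL; also accepts bare 'host/path' text as shown in a mail body."""
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify_link(href: str, shown_text: Optional[str] = None) -> Dict:
    """Judge one link: where it really goes and, if it looks like a phish, why."""
    dest = unwrap(href)
    host = _host_of(dest)
    reasons: List[str] = []
    if not any(_under(host, d) for d in ZOOM_DOMAINS):
        reasons.append(f"destination host {host!r} is not a Zoom domain")
    if any(_under(host, d) for d in CONTENT_HOSTING_DOMAINS):
        reasons.append(f"page is served from content-hosting domain {host!r}")
    if shown_text:
        shown_host = _host_of(shown_text.strip())
        if shown_host and shown_host != host:
            reasons.append(f"link text shows {shown_host!r} but goes to {host!r}")
    return {"destination": dest, "host": host,
            "verdict": "suspect" if reasons else "ok", "reasons": reasons}


_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def scan_html(body: str) -> List[Dict]:
    """Run classify_link over every <a href> in an HTML mail body."""
    results = []
    for href, inner in _ANCHOR.findall(body):
        text = html.unescape(re.sub(r"<[^>]+>", "", inner))
        results.append(classify_link(html.unescape(href), text))
    return results


# Constructed sample: a Safe Links-wrapped anchor whose visible text looks like a
# Zoom URL while the wrapped destination is a page on Google Cloud Storage.
SAMPLE_EMAIL_HTML = """
<p>Join Zoom Meeting</p>
<p><a href="https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fstorage.googleapis.com%2Fmeeting-invite%2Findex.html&amp;data=04%7C01&amp;reserved=0">https://us02web.zoom.us/j/00000000000</a></p>
<p>Meeting ID: 000 0000 0000, PIN: 000000</p>
"""

if __name__ == "__main__":
    for r in scan_html(SAMPLE_EMAIL_HTML):
        print(r["verdict"], "->", r["destination"])
        for why in r["reasons"]:
            print("   ", why)
```

A destination on a Zoom domain only means the specific tell described in this post is absent; it is not proof that the link is safe. The mismatch check between link text and href is the general form of the hover check: it catches any campaign that prints a trustworthy-looking URL in the body while pointing the anchor elsewhere, not only this one.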