You are on the Cert-IST public site
Phishing attacks targeting Offices 365 accounts of Companies

Date :September 07, 2020

Publication: Article

Phishing attacks are an important part of today's cyber threats. When the phishing attack is directed against a bank account, a shopping site (Amazon) or a Google account, the motivations of the attacker are clear (respectively): money theft, fraudulent purchases, and hostile digital life takeover. For several years now, there are also phishing campaigns specifically targeting business email accounts and especially Office 365 accounts. In this article we will focus on this phishing category with the help of cases we have investigated and studies published on this topic.

Modus operandi

The attack campaigns we observed had the following modus operandi:

  • An email apparently coming from a colleague is received by the victim. This email asks the victim to click on a link to read the actual message.
  • The link directs the victim to a phishing site that mimics his Office 365 corporate login.
  • If the victim enters his login information, the hacker uses it to logs in to the victim's e-mail account and sends new phishing e-mails by doing a "Reply all" on real e-mails found in the victim's mailbox.

It is therefore a cascading attack, which is mainly propagated inside the company (this technique is often referred to as "lateral phishing"). After a while, the attack is detected and blocked by the company (which blocks the domain names used to host the phishing pages). But it is often difficult to identify all the victims (to ask them to change their password) and the result for the attacker is that he has gained a series of valid emails and passwords. What will he do with these email accounts?

 

Very professional attacks

First of all, on the cases we investigated, we noted that the attack was done in a very professional manner.

The emails and websites are polymorphic: The body of the email varies from one email to the other with text substitutions. For example a sentence such as "Click here to show this message" can become "Click here to view this message" or "Click here to view full message". This is a classic Spam technique that makes the mail difficult to detect automatically. In the similar way the phishing website to which the victim is sent is polymorphic in the sense that it changes its appearance depending on the visitor, to show the logo of his company. The same phishing site actually receives visitors from different companies (the victim's e-mail address being passed as a parameter). So far we have never had access to the server hosting this kind of phishing; it would have been interesting to get access to one of them and to look at how many logos were available, which would have shown the extent of the attack campaign.

Note: This article from Rapid7.com shows the internals of an Office 365 phishing targeting several companies where the login page is customized with the appropriate logo and wallpaper for each company.

Note: This IronScales.com article indicates that 42% of phishing attacks are now polymorphic.

 

The code of the phishing pages is much more sophisticated than an ordinary phishing kit. An ordinary phishing kit (such as the phishing kits sold on the dark-web, and shown for example in this BrightTalk video, or this ISC SANS analysis) is usually a series of very simple PHP (or ASPX) files that chain the following steps:

  • Filtering visitors (to keep robots or anti-phishing specialists away),
  • Collecting the victim's login and password and sending this information to a Gmail, Yandex (popular in Russia) or Protonmail email address,
  • Sending an "invalid login" message to the victim.

The Office 365 phishing we have analysed are much more complex:

  • They are protected by obfuscation techniques, with several layers of encodings to make them unreadable. We saw cases where the https://obfuscator.io/ tool (which is very sopisticated) had been used. There are also cases where we have not been able to jump over this obfuscation step.
  • They are entirely in JavaScript. Rather than several PHP pages, a single HTML page loads in memory the JavaScript code that generates all the logic of the phishing transaction.

 

They are now frequently hosted on legitimate Cloud services. In May 2020, for example, we saw this kind of phishing hosted on FirebaseStorage and Storage.googleapis.com Google Cloud sites (this Trustwave article describes a similar finding). It is also common to find this kind of phishing on Microsoft Cloud (this Rapid7.com article, already mentioned above, describes a phishing hosted on Microsoft blob.core.windows.net and azurewebsites.net servers). This kind of hosting allows the attacker to benefit from Google's or Microsoft's reputation (sites not blocked by web domain filtering solutions), and also from secure configurations they provide (authentic Google or Microsoft certificates, HSTS protocol -HTTP Strict Transport Security- etc.).

 

They sometime used advanced attack techniques such as OAUTH phishing. We haven't seen such attacks on the Office 365 phishings we analysed, but this technique is gaining in popularity. Instead of asking the victim for his login and password, the phishing is an OAUTH windows which asks the victim to allow an App to access his Office 365 account. This technique was first seen in 2015 (see this Trend Micro article about Pawn Storm). There are now open-source toolkits implementing these attacks (PwnAuth from FireEye since June 2019, and O365-attack from MDsec.co.uk since June 2020). It was used in June 2020 in the APT attacks targeting Australia. And Proofpoint reported in late September 2020 that the TA2552 attacker group was using it for phishing attacks.

 

What are the motivations?

To find out the motivations behind the attacks against Office 365, we searched on Internet for articles on this subject.

On the topic of phishing in general (not restricted to Office 365 phishing), there are many articles explaining that the resale of stolen phishing accounts is a lucrative business. For example, this article of December 2017 by Brian Krebs shows the case of a cybercriminal who sold 35,000 accounts in 7 months for a total of 288,000 dollars (an average price of 8 dollars per account). Such accounts are to get access to merchant sites, banking sites or personal accounts (Google, Twitter, etc...) whose market value is obvious.

Similarly, still for non-Office 365 attacks, we found this innovative study from the University of San Diego, which in 2018 contacted 27 services offering on demand email account hacking ("Hacker for hire" service). Only 5 of these services actually performed attacks (1 using malware, the other 4 using phishing) and 3 succeeded in their mission. The targeted account was a Google mail account protected by a 2FA SMS. The price of the service ranged from 100 to 400 dollars. By tracking the techniques used by the attackers, Google estimated that 372 Google accounts had been attacked this way in 7 months. The study concludes that the “on-demand hack” of a Gmail account is a niche market. It impacts around 1 account out of 1 million Google accounts, whereas blind phishing attacks (using "on the shelf" phishing kits) impact 12 million users per year.

Regarding phishing targeting Office 365, a significant number of articles confirm that it is a target of choice for attackers. For example, this article from VadeSecure (specialist in the fight against phishing) confirms this trend and presents the typical lures used in Office 365 phishings: Voice message, Action required, Shared file attack. On the other hand, few studies focus on the motivations of the attackers.

This article of May 2019 from Barracuda.com indicates that the main motivations of the attackers are the following:

  • Execution of CEO frauds (BEC attacks - Business Email Compromises). The attacker wants to take control of the emails account of important members of the company (or financial services) in order to set up a scam such as « Fake Transfer Order ».
  • Monitoring of emails exchanges (by adding a redirection rule on the victim’s email account) in order to be aware of ongoing discussions so as to be able to make opportunistic scams. This could involve passive observation (information gathering), but also active insertion into ongoing conversations.

Barracuda's study is essentially oriented towards financial scams (embezzlement) and does not mention cyber-espionage attacks. But it is clear that compromising an email account is often enough to retrieve strategic information such as the one sought by hackers who carry out APT attacks. In the same way, stealing an email password can sometimes allow access to other infrastructures (when the same password is used on multiple infrastructures).

 

A second study, published in July 2020 by the University of Berkeley, and carried out jointly with Barracuda.com (which provides this digest), analyses more systematically what attackers do with email accounts stolen from companies. This study analysed 159 compromised Office 365 accounts (part of a larger set of 989 compromises that occurred by late 2019). Several very interesting points emerge:

  • Stolen accounts are not only the result of phishing attacks. For example, 20% of the accounts observed in the study used passwords that were already circulating on Internet (from previous data leaks).
  • 37% of the accounts appear to be attacked and then resold to be used by other attackers, while 50% of the accounts are attacked and used by the same attacker. For the remaining 23%, the study could not decide whether the account was resold or used immediately.
  • For the first category (resold accounts) the compromise lasts more than a week, which is logical since this includes the time needed for resale. For the second category, the compromise usually lasts less than 24 hours: the attacker knows what he wants to do and does it immediately.
  • Phishing and spam are mentioned in the Berkeley report as examples of malicious actions carried out with stolen accounts, but Barracuda's digest indicates that this happens only for a small proportion of the accounts (only 7% of accounts were used to send phishing). Barracuda indicates that other attacks could be theft of information to carry out financial scams such as those Barracuda cites in its May 2019 report (already mentioned above).
  • 78% of attackers are only interested in e-mails and do not access the other applications available in Office 365. When they are interested in these other applications, SharePoint is the most watched application (17% of cases).

 

Regarding the theft and resale market for business e-mail accounts, this (barely argued) article from Bullguard.com states that:

  • There is a large offer for the "hack on demand" service. This assertion should be moderated with findings of the University of San Diego study (mentioned above), which considers this to be a niche market.
  • There is also a large demand for buying corporate e-mail accounts, particularly for e-mail associated with accounting services (but only one example is given).

 

Conclusions

Since at least 2018, we have seen very professional phishing campaigns aimed at stealing email accounts of Office 365 users. By extrapolating the data of the studies we have found we can make the following assumptions:

  • Almost 40% of the stolen accounts are resold,
  • The main objective is to carry out financial scams (BEC attacks),

The use of these stolen accounts for cyber-espionage (or other actions with strategic or political aims) is of course possible (we can take as an example the hacking of the email accounts of the American Democratic Party in 2016), but there is no study quantifying the extent of this phenomenon. For the moment, it remains a hidden phenomenon.