O365 Real-Time response attack on stolen logins

September 16, 2020
office 365 phishing attack fake login pages hacking compromised domain

A new variant of scheming for Office 365 credentials has been observed by cybersecurity experts as they stumbled on this method of the adversary. Unlike the usual exfiltration of credentials through the use of specialized spyware/malware, the method used was now based on the real-time response from the victim upon entering their credentials of the domain-controlled fake login page of Office 365. 

An indepth investigation confirmed that the attack was initiated from an email that was sent through secured email services from Amazon. The email addressed to one of its executives containing a financial receipt delivered to the victim’s new company email address format because of rebranding. With the use of Amazon email services, this bypasses any imposed Email security check as this will be treated by the Secure Email Gateway solutions as a legitimate email. With mimicry of Office 365 authentication page and exploiting its API services, the domain-controlled fake login page has been free to execute while installed antispyware or antimalware program ignored it as this Microsoft API are default whitelisted on the scan. As observed, the intrusion was well planned as the adversary is aware of the company revamping. They were able to show on the fake login page of the Office 365 the new email of the victim, waiting for his password to input. To confirm this new modus, security experts performed a test using a dummy account and password and able to conclude about the attack. 

Cybersecurity experts were able to unravel the threat actors’ ingenuity to work anonymously. They were able to trace that the domain-controlled fake login page was registered with Alibaba in Singapore and was hosted in Utah, United States, which was owned and operated in a service provider India. This is in addition to the use of Amazon SES to deliver the bait from which it bypassed any email security checks. 

This discovery only shows that adversaries have an endless thought of ways to penetrate onto their victims imposed multi-layered security. Exploiting every inch of entry point and vulnerabilities will be tested for them to be able to plan a step or two ahead of any mitigation plan of any security administrator. Leaving the company in a short trance, which means a profit to them while security administrators devise rectification on the affected operation.  

Thus, as always, we are to be reminded to be more agile and vigilant to everything that we have been doing online. This will serve as our main contribution and protection for ourselves and the company to avoid possible intrusion of numerous adversaries. 

About the author

Leave a Reply