Office 365 phishing campaign uses redirector URLs and detects sandboxes to evade detection

Pierluigi Paganini November 18, 2020

Microsoft is tracking an ongoing Office 365 phishing campaign aimed at enterprises that is able to detect sandbox solutions and evade detection.

Microsoft is tracking an ongoing Office 365 phishing campaign that is targeting enterprises, the attacks are able to detect sandbox solutions and evade detection.

“We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering,” reads a message published by Microsoft via Twitter.

“The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.”

Threat actors behind the campaign leverage redirector URLs with the capability to detect incoming connections from sandbox environments.

Upon detecting connections for sandboxes the redirector will redirect them to legitimate sites to evade detection, while connections from real potential victims are redirected to phishing pages.

The phishing messages are also heavily obfuscated to bypass secure email gateways.

Microsoft experts also noticed that threat actors behind this campaign are also generating custom subdomains to use with redirector sites for each of the targets.

The subdomains always contain the target’s username and org domain name, Microsoft added.

This subdomain is unique in an attempt to evade detection and attackers add it to a set of base domains, typically compromised sites. The phishing URLs have an extra dot after the TLD, which is followed by the Base64-encoded email address of the recipient.

“The use of custom subdomains helps increase the believability of the lure. In addition, the campaign uses patterns in sender display names consistent with the social engineering lure: “Password Update”, “Exchange proteccion”, “Helpdesk-#”, “SharePoint”, “Projects_communications”.” continues Microsoft in a series of tweets published by its official account.

“The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection.”

Attackers used display name patterns like “Password Update”, “Exchange protection”, “Helpdesk-#”, “SharePoint”, and “Projects_communications” to trick the victims into believing that the messages are from legitimate source and clicking the phishing link embedded within each email.

Microsoft pointed out that its Defender for Office 365 product is able to detect phishing and other email threats and correlates threat data across email and data, endpoints, identities, and apps.

Recently, researchers at WMC Global have spotted a new creative Office 365 phishing campaign that has been inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by security solutions that scans the web for phishing sites.

In July, experts from Check Point reported that cybercriminals are increasingly leveraging public cloud services such as Google Cloud Services in phishing campaigns against Office 365 users.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Office 365)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment