A new phishing campaign targeting Office 365 users has been observed.
“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters”, states Microsoft Security Intelligence.
Various top-level domains are being used to send the phishing emails, and the senders are using addresses with variations of the word “referral”. The domains include com[.]com, which is often used in phishing campaigns for typo-squatting and spoofing – for example:
The phishing emails masquerade as 'file share' requests, using SharePoint-style lures to reel in unsuspecting users. The requests, such as 'Bonuses', 'Staff Reports' and 'Pricebooks', include a link pointing to the phishing site.
Microsoft have advised: “The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page.”
“The second URL is located within the notification settings and leads to a compromised SharePoint site that the attackers use to add legitimacy to the attack. Both URLs require sign-in to continue to the final page, bypassing many sandboxes.”
Microsoft 365 Defender hunting queries that help flag and alert on this phishing campaign can be found on the Microsoft GitHub page:
Microsoft-365-Defender-Hunting-Queries/referral-phish-emails.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub
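For mail that is triaged outside Defender, the sender traits described above can be checked directly against message headers. The following is an added example, not Microsoft's hunting query: the function names, the trait labels, the reading of "variations" as simple misspellings, the use of Return-Path as the original sender, and the sample messages are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: "variations" of referral means simple misspellings; tune this.
REFERRAL_RE = re.compile(r"ref+er+al", re.IGNORECASE)
LURES = ("bonuses", "staff reports", "pricebooks")  # named in the article


def split_addr(header_value):
    """Return (local_part, domain) of an address header, lower-cased."""
    addr = parseaddr(header_value or "")[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain


def campaign_traits(raw_message, recipient):
    """List which of the article's traits one raw message shows."""
    msg = message_from_string(raw_message)
    # Assumption: Return-Path holds the original (envelope) sender.
    env_local, env_domain = split_addr(msg.get("Return-Path"))
    from_local, from_domain = split_addr(msg.get("From"))
    rcpt_local, rcpt_domain = split_addr(recipient)
    subject = msg.get("Subject", "").lower()
    traits = []
    if REFERRAL_RE.search(env_local):
        traits.append("referral-sender")
    if env_domain == "com.com" or env_domain.endswith(".com.com"):
        traits.append("com.com-domain")
    # Displayed From carries the target's username and domain while the
    # original sender belongs to a different domain.
    if (rcpt_local and rcpt_local in from_local
            and from_domain == rcpt_domain and env_domain != rcpt_domain):
        traits.append("from-spoofs-recipient")
    if any(lure in subject for lure in LURES):
        traits.append("sharepoint-style-lure")
    return traits


# Constructed sample messages (not real campaign mail).
SUSPECT = (
    "Return-Path: <xreferralx@com.com>\n"
    'From: "SharePoint" <alice@victim.example>\n'
    "Subject: Staff Reports shared with you\n\nOpen\n"
)
BENIGN = (
    "Return-Path: <bob@partner.example>\n"
    'From: "Bob" <bob@partner.example>\n'
    "Subject: Lunch on Friday\n\nHi\n"
)
```

Calling `campaign_traits(SUSPECT, "alice@victim.example")` returns all four traits, while `BENIGN` returns an empty list. Each trait is weak on its own, so alert on combinations rather than single hits.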