New active phishing campaign targets O365 users
By Adam Oliver, Cyber Security Analyst
A new phishing campaign has been observed, whereby malicious actors are targeting Office 365 users.
“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters” states Microsoft Security Intelligence.
Various top-level domains are being used to launch the phishing emails. The sender addresses use misspelt variations of the word “referral”, including the com[.]com pattern that is often used in phishing campaigns for typo-squatting and spoofing, for example:
- wzreffertal.com[.]com
- zrefsfertal.com[.]com
- refferasl.com[.]com
The phishing emails masquerade as 'file share' requests, using SharePoint-style lures to reel in unsuspecting users. Lures such as 'Bonuses', 'Staff Reports' and 'Pricebooks' include a link pointing to the phishing site.
Microsoft have advised: “The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page.”
“The second URL is located within the notification settings and leads to a compromised SharePoint site that the attackers use to add legitimacy to the attack. Both URLs require sign-in to continue to the final page, bypassing many sandboxes.”
Microsoft 365 Defender hunting queries that help flag and alert on the aforementioned phishing campaign can be found on the Microsoft GitHub page:
Microsoft-365-Defender-Hunting-Queries/referral-phish-emails.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub
```kusto
let EmailAddresses = pack_array
('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com',
'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com',
'irefferal.com','refferasl.co','zrefferal.com');
EmailEvents
| where SenderMailFromDomain in (EmailAddresses)
| extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
| where SenderFromDomain == RecipientDomain
| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
```
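The detection logic of the hunting query above, re-implemented in Python over constructed sample records as an added example (this is neither Microsoft's nor CyberGuard's code): a message is flagged when its envelope MAIL FROM domain is one of the campaign domains and its header From domain has been spoofed to match the recipient's own domain, and the matching URLs are then joined by message id. The field names mirror the Defender EmailEvents/EmailUrlInfo columns used in the query; the sample records and URLs are invented.

```python
import re

# Envelope (MAIL FROM) domains listed in the Microsoft hunting query above.
PHISH_MAILFROM_DOMAINS = {
    'zreffertalt.com.com', 'zreffesral.com.com', 'kzreffertal.com.com',
    'wzreffertal.com.com', 'refferal.comq', 'refferal.net', 'zreffertal.com.com',
    'zrefferal.com.com', 'refferasl.com.com', 'zreffesral.com', 'zrefsfertal.com.com',
    'irefferal.com', 'refferasl.co', 'zrefferal.com',
}

def recipient_domain(address):
    """Same as the KQL extract("[^@]+$", 0, RecipientEmailAddress)."""
    m = re.search(r"[^@]+$", address)
    return m.group(0).lower() if m else ""

def hunt_referral_phish(email_events, url_info):
    """Return events matching the campaign pattern, each joined with its URLs.

    Match = envelope MAIL FROM domain is a campaign domain AND the header
    From domain (SenderFromDomain) equals the recipient's own domain, which
    is the spoofing trick the campaign relies on.
    """
    urls_by_msg = {}
    for u in url_info:  # equivalent of the join on NetworkMessageId
        urls_by_msg.setdefault(u['NetworkMessageId'], []).append(u['Url'])
    hits = []
    for ev in email_events:
        if ev['SenderMailFromDomain'].lower() not in PHISH_MAILFROM_DOMAINS:
            continue
        if ev['SenderFromDomain'].lower() != recipient_domain(ev['RecipientEmailAddress']):
            continue
        hits.append({**ev, 'Urls': urls_by_msg.get(ev['NetworkMessageId'], [])})
    return hits

# Constructed sample telemetry (not real events). m1 matches; m2 uses a campaign
# sender but no spoofed From; m3 has a spoofed From but a non-campaign sender.
SAMPLE_EVENTS = [
    {'NetworkMessageId': 'm1', 'SenderMailFromDomain': 'wzreffertal.com.com',
     'SenderFromDomain': 'example.org', 'RecipientEmailAddress': 'alice@example.org'},
    {'NetworkMessageId': 'm2', 'SenderMailFromDomain': 'refferasl.com.com',
     'SenderFromDomain': 'refferasl.com.com', 'RecipientEmailAddress': 'bob@example.org'},
    {'NetworkMessageId': 'm3', 'SenderMailFromDomain': 'partner.example.net',
     'SenderFromDomain': 'example.org', 'RecipientEmailAddress': 'carol@example.org'},
]
SAMPLE_URLS = [  # placeholder URLs standing in for the two lure links
    {'NetworkMessageId': 'm1', 'Url': 'https://storage-lure.invalid/share'},
    {'NetworkMessageId': 'm1', 'Url': 'https://compromised-sharepoint.invalid/notify'},
]
```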