New active phishing campaign targets O365 users

By Adam Oliver, Cyber Security Analyst

A new phishing campaign has been observed, whereby malicious actors are targeting Office 365 users.

“An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters,” states Microsoft Security Intelligence.

The phishing emails are sent from a variety of top-level domains. The sender addresses use misspelled variations of the word “referral” combined with suffixes such as com[.]com, a pattern often used in phishing campaigns for typo-squatting and spoofing. For example:

  • wzreffertal.com[.]com
  • zrefsfertal.com[.]com
  • refferasl.com[.]com

Phishing emails masquerading as 'file share' requests use SharePoint-style lures to reel in unsuspecting users: requests such as 'Bonuses', 'Staff Reports' and 'Pricebooks', each including a link that points to the phishing site.

Microsoft have advised: “The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page.”

“The second URL is located within the notification settings and leads to a compromised SharePoint site that the attackers use to add legitimacy to the attack. Both URLs require sign-in to continue to the final page, bypassing many sandboxes.”

Microsoft 365 Defender hunting queries that help flag and alert on this phishing campaign can be found on the Microsoft GitHub page:

Microsoft-365-Defender-Hunting-Queries/referral-phish-emails.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub

    // Domains observed in the campaign's envelope sender addresses
    let EmailAddresses = pack_array
    ('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com',
    'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com',
    'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com',
    'irefferal.com','refferasl.co','zrefferal.com');
    EmailEvents
    // Envelope (MAIL FROM) sender domain is one of the campaign domains
    | where SenderMailFromDomain in (EmailAddresses)
    // Take the domain part of the recipient address
    | extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress)
    // Display From domain was spoofed to match the recipient's own domain
    | where SenderFromDomain == RecipientDomain
    // Attach the URLs found in each matching message
    | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId
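To make the logic of that hunting query concrete, the following added Python example (not the article's or Microsoft's code) applies the same two conditions, envelope sender domain in the referral list and display From domain equal to the recipient's domain, to a few constructed email events and joins URL information by message id. The sample events, message ids and URLs are constructed placeholders; the domain list is the one from the query above.

```python
import re
from dataclasses import dataclass

# Campaign sender domains, taken from the hunting query on this page.
REFERRAL_DOMAINS = {
    'zreffertalt.com.com', 'zreffesral.com.com', 'kzreffertal.com.com',
    'wzreffertal.com.com', 'refferal.comq', 'refferal.net', 'zreffertal.com.com',
    'zrefferal.com.com', 'refferasl.com.com', 'zreffesral.com', 'zrefsfertal.com.com',
    'irefferal.com', 'refferasl.co', 'zrefferal.com',
}

@dataclass
class EmailEvent:
    """One row of the EmailEvents table (field names assumed, mirroring the KQL)."""
    network_message_id: str
    sender_mail_from_domain: str   # envelope MAIL FROM domain
    sender_from_domain: str        # display From: header domain
    recipient_email_address: str

def recipient_domain(address: str) -> str:
    """Same as extract("[^@]+$", 0, RecipientEmailAddress): text after the last '@'."""
    m = re.search(r"[^@]+$", address)
    return m.group(0).lower() if m else ""

def is_referral_phish(ev: EmailEvent) -> bool:
    # Unlike KQL's case-sensitive 'in', domains are normalised to lower case here.
    return (ev.sender_mail_from_domain.lower() in REFERRAL_DOMAINS
            and ev.sender_from_domain.lower() == recipient_domain(ev.recipient_email_address))

def hunt(events, url_info):
    """Return (message id, url) pairs for matching events, like the join on NetworkMessageId."""
    return [(ev.network_message_id, url)
            for ev in events if is_referral_phish(ev)
            for url in url_info.get(ev.network_message_id, [])]

# Constructed sample data (placeholders, not real indicators).
SAMPLE_EVENTS = [
    EmailEvent("msg-1", "wzreffertal.com.com", "contoso.example", "alice@contoso.example"),  # spoofed From matches recipient
    EmailEvent("msg-2", "wzreffertal.com.com", "wzreffertal.com.com", "bob@contoso.example"),  # campaign domain, no spoof
    EmailEvent("msg-3", "partner.example", "contoso.example", "carol@contoso.example"),       # spoof-like, not campaign
]
SAMPLE_URLS = {
    "msg-1": ["https://storage.example/placeholder-lure"],
    "msg-2": ["https://example.invalid/unrelated"],
}

if __name__ == "__main__":
    for msg_id, url in hunt(SAMPLE_EVENTS, SAMPLE_URLS):
        print(f"suspect message {msg_id}: {url}")
```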