Since June 2017, so-called "Office 365" phishing e-mails have been making the rounds. With over 100 million monthly users, it is not surprising that the Office 365 account has become a popular target for attackers. MELANI has published a newsletter about it (in German, French and Italian only). The attack starts with an ordinary phishing e-mail which, for example, claims that the storage space limit has been exceeded and that you should log in to solve the problem. It goes without saying that the link provided leads to a fraudulent website asking for credentials.
In possession of Office 365 credentials, attackers can do various things. The most common scenario is to set a forwarding rule in the affected e-mail account. All incoming e-mails, both internal and external, are then forwarded to an e-mail account defined by the criminals and can be read by them. Valuable targets in this approach are the e-mail accounts of companies. Information obtained in this way can be used to attack employees. Since the attacker also has access to the address book, he can write to individual employees within the company in a highly targeted way. Attackers take previously intercepted e-mails and manipulate them in such a way that employees are prompted, for example, to download a shared document. To start the download, the Office 365 password must be entered again (on a manipulated website). Fraudsters work their way step by step through the attacked company to the people they are interested in (CEO, CFO, etc.).
When the desired target person is reached, a highly targeted CEO fraud is carried out with the previously stolen data. It is also conceivable that the company will be blackmailed with the stolen e-mail communication or that the stolen data will be resold to other fraudsters. This method can also be used for industrial espionage.
- If the company works in the Office 365 cloud, attackers with the stolen access data also have access to all documents of the company. Securing such data only with a user name and password is extremely negligent. Wherever possible, therefore, activate 2-factor authentication.
- Employees should be made aware that defined company processes and precautionary measures must be followed by everyone at all times. For wire transfers, for example, the four-eyes principle with collective signature is recommended.