The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about Office 365 deployments. The agency said, “CISA continues to see instances where entities are not implementing best security practices in regard to their O365 implementation, resulting in increased vulnerability to adversary attacks.”
In the first type of attack, an employee receives an email containing a malicious link to a document hosted on a domain used by an email marketing provider. If the recipient opens the link, they are presented with a button asking them to log in to their Microsoft Teams account. The link and the page behind it impersonate the official Microsoft Office login page in order to steal the employee’s credentials.
The firm’s research further reads, “Attackers utilize numerous URL redirects in order to conceal the real URL that hosts the attacks. This tactic is employed in an attempt to bypass malicious link detection used by email protection services.”
The second type of attack involves an email link that points to a YouTube page. From there, users are redirected twice more before landing on another Microsoft login phishing site. The analysis reads, “These attackers crafted convincing emails that impersonate automated notification emails from Microsoft Teams. The landing pages that host both attacks look identical to the real webpages and the imagery used is copied from actual notifications and emails from this provider.”
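Both campaigns rely on the same trick: the URL the mail filter sees is a marketing or YouTube link, and the Microsoft-lookalike page only appears after several hops. The script below, an added example rather than code from the article or the researchers, walks a redirect chain hop by hop and then checks whether the final page sits on a non-Microsoft host that carries Microsoft branding in its name or path. The responses are a constructed table standing in for live HTTP traffic, and every hostname in it is hypothetical; the allowlist of Microsoft sign-in hosts is illustrative and should be extended from your own tenant configuration.

```python
"""Resolve an e-mail link's HTTP redirect chain offline and flag brand-lookalike
landing pages. Added example, not code from the original article; every host in
the response table is constructed for illustration."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Fetch = Callable[[str], Tuple[int, Optional[str]]]  # returns (status, Location header)

# Constructed stand-in for live HTTP responses: URL -> (status, Location).
# Hop 1 sits on a mailing-provider domain, hops 2 and 3 are redirectors, and the
# final page is a brand-lookalike host. All hostnames are hypothetical.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Optional[str]]] = {
    "https://track.mailer-example.test/c/9f1a": (302, "https://cdn-video.example.test/go?u=1"),
    "https://cdn-video.example.test/go?u=1": (301, "/r2"),  # relative Location header
    "https://cdn-video.example.test/r2": (307, "https://teams-microsoft-login.example.test/common/oauth2"),
    "https://teams-microsoft-login.example.test/common/oauth2": (200, None),
    # A benign chain for comparison: the marketing link lands on the real sign-in host.
    "https://track.mailer-example.test/c/ok": (302, "https://login.microsoftonline.com/"),
    "https://login.microsoftonline.com/": (200, None),
    # A redirect loop, to exercise the cycle guard.
    "https://loop.example.test/a": (302, "https://loop.example.test/b"),
    "https://loop.example.test/b": (302, "https://loop.example.test/a"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Look the URL up in the constructed table instead of making a request."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def resolve_chain(url: str, fetch: Fetch, max_hops: int = 10) -> List[str]:
    """Follow 3xx Location headers and return every URL visited, first to last.

    Stops on a non-redirect status, a missing Location, a revisited URL (loop),
    or after max_hops redirects.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative to the current URL
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


# Illustrative allowlist of genuine Microsoft sign-in hosts (hypothetical scope; extend as needed).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "teams.microsoft.com"}
# Tokens that a phishing page typically stuffs into its host or path to look legitimate.
BRAND_TOKENS = ("microsoft", "office", "o365", "teams", "login", "oauth")


def assess(chain: List[str]) -> Dict[str, object]:
    """Summarise a resolved chain: hop count, first and final host, and whether the
    landing page uses Microsoft branding on a host that is not a Microsoft sign-in host."""
    final = chain[-1]
    parts = urlsplit(final)
    host = parts.hostname or ""
    haystack = (host + parts.path + parts.query).lower()
    lookalike = host not in MICROSOFT_LOGIN_HOSTS and any(t in haystack for t in BRAND_TOKENS)
    return {
        "redirects": len(chain) - 1,
        "first_host": urlsplit(chain[0]).hostname,
        "final_host": host,
        "lookalike_login": lookalike,
    }


if __name__ == "__main__":
    for start in ("https://track.mailer-example.test/c/9f1a",
                  "https://track.mailer-example.test/c/ok"):
        hops = resolve_chain(start, fake_fetch)
        print(" -> ".join(hops))
        print(assess(hops))
```

Against live links, run the resolver from an isolated host (the hops may fingerprint the visitor) and treat a long chain whose first host is a mailing provider or video site and whose last host is a brand-lookalike as a triage signal rather than proof. This version only follows HTTP 3xx responses; a fuller resolver would also parse HTML meta-refresh and JavaScript redirects, which campaigns of this kind commonly use.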
The research says the campaigns are more effective on mobile devices, where images take up most of the screen and it is difficult for users to verify which URL has actually loaded.