Get The Latest Insights

By Jessica Ellis | April 1, 2021

Microsoft Office 365 phish are some of the most common threats that reach end users inboxes. Over the course of a two-year period, PhishLabs has observed that O365 phish have accounted for more than half of all reported phish by enterprises – by a significant margin. 
 
Today, we are highlighting a recent O365 campaign, and breaking down the techniques used to enhance the threat actor’s odds of success. This particular lure uses many of the tactics you will see in an O365 phish, and is a good example of what an end user will encounter if one bypasses enterprise security controls and makes it into their inbox.
 
 
This lure poses as a OneDrive notification indicating a document is ready for the victim to view. In the email body the actor uses Microsoft branding to reinforce authenticity, and lists the fake file size, time shared, recipient email address, and a redirect link to the fake document.
 
In this particular campaign the threat actor repeatedly uses the victim’s username to enhance legitimacy. It is incorporated into the subject line, sender’s address, and within the email body.
 
Senders address: [email protected]
 
Subject Line: tprince REF:  JH 4224XT-24PR
 
The URL in the email body is a Google Ads link that the threat actor has manipulated to redirect the victim to a customized phishing site that copies the victim’s legitimate O365 business login. URL tracking systems are commonly abused in phishing attacks because of their ease of creation and ability to evade email filters. 
 
The actor is able to imitate the organization’s real landing page by pulling background images and banners into their phishing site via Microsoft’s APIs. To do this they feed a base64 encoded string at the end of the redirecting URL to Microsoft APIs that will then fetch the proper organization background and banner. If an organization does not have a personalized background, the standard Office365 login page will be shown. 
 
 
The phishing site is hosted at: hxxps://sharepointuploadssig3[.]z13[.]web[.]core[.]windows.net/#eyJlbWFpbCI6InRwcmluY2VAcGhpc2hsYWJzLmNvbSIsInJhbmQiOiIxangzSjRXQ0lvbmlrOUFPN2E5TjVqME1scHBSVWZCbTRwYTBsSkFWMDN4aEJlUFRhVWVSUVFCNDFzMmkifQ==
 
PhishLabs has observed a large volume of Microsoft O365 phish hosted at web[.]core[.]windows[.]net, indicating actors are taking advantage of the legitimacy tied to a Microsoft domain, in addition to the ease in hosting their phishing site on an already established infrastructure. 
 
Once the victim attempts to sign in, their password will be captured and they will be redirected to their actual O365 login page.
 
Additional Resources: