A phishing campaign is using a malicious Microsoft Office 365 app to access victims’ accounts without stealing their credentials.

In early December, PhishLabs analyzed a phishing email that impersonated an employee at a targeted organization in its sender address. The email complemented this spoofing tactic by incorporating the name of the targeted organization into the subject line and the title of an internal SharePoint or OneDrive file share.

Clicking on the “Open” button redirected recipients to a link that leverages login.microsoftonline.com, a legitimate hostname controlled by Microsoft, to prompt users to log in to their accounts via the tech giant’s official login page. At that point, the campaign then presented users with a permissions request page for an Office 365 app, which attackers might have created with the help of a compromised organization’s development credentials. Agreeing to those permissions enabled attackers to access a recipient’s inbox, contacts, OneDrive files and other data all without ever directly stealing their account credentials.

Similarities to a 2017 Google Phishing Operation

According to PhishLabs’ analysis, this campaign is similar to an operation that made it onto security researchers’ radar back in May 2017. ThreatPost reported at the time that the campaign spread to users via their contacts and informed them of someone wanting to share a Google Doc with them.

Once they clicked on the “Open in Docs” button, the campaign redirected victims to a legitimate Google OAuth consent screen. Upon authenticating themselves, the operation prompted victims to permit a malicious application named “Google Docs” to access their Gmail and contacts through Google’s OAuth2 service implementation.

How to Defend Against a Microsoft Phishing Campaign

Security professionals can defend against a Microsoft phishing campaign, such as the one described above, by using test phishing engagements to teach their employees about social engineering attacks. For instance, these exercises can help employees learn to look out for grammar and spelling errors that sometimes manifest in phishing emails.

Security teams should also limit users’ access based on what they need to execute their job duties effectively. Implementing this model of least privilege will prevent malicious actors from abusing compromised employees’ unnecessarily high privileges to access critical business resources.

More from

Did Brazil DSL Modem Attacks Change Device Security?

From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims' computers.According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil's Computer Emergency Response Team, the attack ultimately infected…

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

Securing Your SAP Environments: Going Beyond Access Control

Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit…