Security experts are warning of a newly discovered phishing campaign targeting Office 365 administrators and using legitimate sender domains to bypass reputation filters.
PhishLabs said it saw malicious emails being sent out as part of the campaign across a wide variety of industries and enterprises. Administrators are targeted for several reasons.
“For starters, Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain,” the vendor said.
“In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.”
Once an administrator is phished the attackers are able to set up new accounts within the compromised organization, which are then used to send out more legitimate-seeming phishing emails.
“This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email,” said PhishLabs. “Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.”
By setting up new accounts to carry out this phishing activity, the hackers are also more likely to stay under the radar, it added.
The phishing lures themselves are spoofed to appear as if sent by Microsoft — for example a messaging asking the recipient to sign-in to the Office 365 Admin center to update payment information. However, eagle-eyed recipients would be able to spot that the sending domain itself is not Microsoft but other compromised organizations.
Office 365 continues to grow in popularity: for users and therefore also hackers. Barracuda Networks discovered over 1.5 million malicious and spam emails sent from thousands of compromised accounts in the space of just one month earlier this year.