Microsoft Users Warned About A “Huge Uptick” In Office 365 Spearphishing Attacks

Microsoft recently issued a warning to businesses – cybercriminals are using spearphishing attacks to steal sensitive data. The software company said there has been a “huge uptick” in spearphishing attacks this year.

In a recent incident, Threat Post reported that emails made to look like they were being sent from Kaspersky targeted Office 365 users. The emails were sent from unofficial Kaspersky email addresses such as noreply@sm.kaspersky.com.

The emails prompted targets to click on a link that directed them to spoof websites mimicking Amazon Simple Email Service (SES). Whilst the tokens were genuine, they had previously been stolen.

Although no damage was done on this occasion, Microsoft and Kaspersky have been quick to warn businesses of the threat cyber criminals pose. Spearphishing campaigns are one of the strategies that are most likely to be successful because emails appear genuine.

What is Spearphishing?

Spearphishing is a “social engineering” strategy used by cybercriminals to target specific individuals within an organisation that are most likely to hold account credentials.

Targets typically include personnel that have access to financial, confidential information; C-suite executives and accounts are often prime targets. IT professionals may also be targeted.

The purpose of a spearphishing campaign is to gain access to an individual’s account by impersonating a specific individual or company the target is familiar with. For example, the email may look like it comes from a bank, a supplier, a business partner or a service provider – like Microsoft.

As a matter of fact, Microsoft is often used in spoof emails because they have a large user base. With 50.2 million Office 365 users, cybercriminals have more opportunities to obtain account credentials from a targeted spearphishing campaign than any other cybercrime strategy.

Spearphishing is similar to phishing. But rather than targeting a blanket audience, the tactic is to focus on a specific individual. Cybercriminals handpick their targets by identifying key personnel from business websites and social media profiles such as Linkedin.

The danger with spearphishing campaigns is that emails can appear to be entirely genuine. The only way to identify spoof emails is from the email address. For example, the Kaspersky emails – noreply@sm.kaspersky.com – look disingenuous.

You can see another example in the email below purporting to be from the Halifax bank. The email address does not look genuine and is most likely a spoof email. We don’t know for sure because we didn’t click the link. The first rule of protecting your business network is to distrust any suspicious emails.

The personal nature of these emails is less obvious to spot. An unsuspecting recipient opening an email from a bank saying there is a problem with your account could easily be suckered into clicking the attachment or malicious link embedded into the email.

Spearphishing arguably has a higher rate of success – and that is why social engineering attacks are becoming more prevalent.

What is PhaaS?

The rise in spearphishing attacks has been attributed to the availability of PhaaS (Phishing as a Service) tool on the dark web. PhaaS lowers the skillset cybercriminals need to successfully hack into a business network.

In September Microsoft’s 365 Defender Threat Intelligence Team identified a “large-scale, well-organised” service called BulletProofLink which sells phishing kits such as MIRCBOOT.

It was discovered that the platform gives users access to hacking toolkits containing over 100 email templates that replicate established corporations, banks and insurance companies, together with covert hosting services, email delivery services and Fully Undetected (FUD) links – all for a monthly subscription.

What Can Companies do to Prevent SpearPhishing Attacks

Whilst the most obvious targets for hackers are departmental figureheads, individuals throughout an organisation could be a victim of spearphishing. Cybercriminals only need access to one account to steal information or find a gateway that enables them to use ransomware and hijack your entire system.

It’s worth noting that around 90% of data breaches are caused by human error. Oftentimes, this is because individuals are not aware of the cyber threats posed by malicious actors.

The first step to preventing spearphishing is to provide your staff with cybersecurity awareness training. Your IT security plan should include regular audits, best practices for avoiding phishing attempts and unannounced tests whereby you send mock spearphishing emails.

Spearphishing attacks don’t only occur via email. Employees could receive a phone call from an individual claiming to be somebody else. It’s becoming increasingly important that your team members are able to identify suspicious behaviour.

Learn to Recognise Spearphishing Strategies 

Although spearphishing attacks can be well disguised and subtle, there are several telltale signs including unexpected messages, suspicious-looking email addresses and urgent calls to action.

Download request 

In order to infiltrate a computer and a business network, cybercriminals need to infect a device with malware. The only way to do this is by embedding malicious code in a document or a link.

Therefore, any emails that contain an attachment or a link when you wouldn’t ordinarily expect one, should be treated with suspicion. Attachments are far easier to identify because unsolicited emails from businesses wouldn’t ordinarily include an attachment.

Links present a different dilemma altogether. Whilst a link in an email is unlikely to be harmful, these links take you to a fake website that appears to be the login screen of the company you are subscribed to. Once you enter your login details, malicious actors can either access your actual account login details or tempt you to download an infected file.

A sophisticated spearphishing campaign will direct you to a website that, for all intents and purposes, looks exactly like the official website in design. The giveaway will be the domain name. You can see some examples of spoof emails here.

Vigilant individuals should be able to spot and deflect spearphishing attacks. But again, it all comes down to awareness.

Suspicious email address 

Before taking any action on an email, always check the sender’s address. A spearphishing email will always have some variation – and it often looks peculiar such as featuring too many dots.

Unusual content 

You may receive an email that appears to be sent from somebody in your network. However, the content of the email may not feel right. For example, an abnormal request or a password-protected document that requests the user password to your computer or software account to open.

Malicious Shared Folders

A common strategy cybercriminals use to get targets to open an attachment is to create a fake link to Google Docs, Office 365 or Dropbox. In the shared folder is a document infected with malicious malware.

Again, if the link to a shared folder is unusual, users will be able to detect suspicious behaviour and deflect a potential data breach.

Fake logins

The shared folder straight might also be used to steal login credentials from targeted victims. Hackers create a login page to Office 365, Google Docs or Dropbox on a fake website. When the password is entered they have access to your actual Office 365 account.

Again, the only way to identify fake websites is via the URL. It will look slightly odd such as office365@microsoft.com.uk.

Install IT Security Technologies

In addition to cybersecurity awareness training, businesses are obligated to install appropriate technologies that help to prevent data breaches.

Failing to protect your business network with IT security technologies can land you with a higher penalty in accordance with data protection laws such as GDPR.

There are several types of security software you should consider.

Anti-Virus Software

The most basic data protection software is an antivirus. These programs are designed to identify and quarantine malicious code associated with worms, Trojans and adware.

Anti-virus software works by scanning your device to search for code that is known to be malicious. They are effective for most businesses because the code used by the general hacker will be using code that is already in existence and known by IT security firms.

The only time’s anti-virus software will not be effective is when a new code is programmed and sent into circulation. New codes are only designed by elite hackers – many of whom are employed by state-sponsored entities and industrial espionage.

Anti-Malware and Anti-Spam Software

Anti-malware and anti-spam software perform similar scans of a system but are able to seek out advanced cyberattacks such as polymorphic malware and zero-day exploits.

When malicious code is detected the software prevents you from opening the attachment and quarantines the virus.

Spearphishing Scanning Technology

Email scanning software automatically reviews the content of every email. It can be contentious if you suspect the vendor may have access to your data, but they are critical for detecting viruses, malware and spam.

Crucially, email scanning technologies evaluate email addresses and flag up suspicious addresses, domain names and other email spoofing strategies. They will also investigate links and attached files to determine whether they might contain malicious code.

A component of email scanning is known as anti-personation technology. It can detect subtle anomalies in the design of logos headers and content that may not be noticeable with the naked eye.

Microsoft has built-in anti-impersonation software into Office 365. The Exchange Online Protection (EOP) is a standalone feature that scans emails for “spoofed messages that appear to originate from someone or somewhere other than the actual source” the email appears to come from.

When EOP suspects a spoof email, the user will be notified upon opening the message. If you see a warning sign from Microsoft EOP, that chances are the email is part of a spearphishing campaign.

Anti-spoofing technologies in EOP include “email authentication” that validates the origins of emails using DMARC, SPF and DKIM protocols.

This prevents hackers from using covert email agents and gives the authorities a better chance of tracing cybercriminals. Email clients that cannot be traced and authenticated are blocked.

IT Security and Support in London

Outsourcing your IT security to a reliable IT support service with a good reputation could also be a viable option – especially for SMEs on a limited budget.

In the current paradigm where remote working is the ‘new normal’ business networks are more complex. There is an increasing number of devices endpoints, data and applications – all of which means there are more potential gateways for hackers to access your business network.

In addition, data security regulations require a business to protect customer data. The Information Commissioners Office (ICO) has ramped up prosecutions in recent years.

Reputable IT support companies offer more security solutions and give you access to specialist knowledge you may not get from your in-house team. IT security – particularly cloud computing – is a specialist area of IT that has a shortage of talent.

At MicroPro, we use remote monitoring software to identify suspicious activity, two-factor authentication to add extra layers, correct configuration to prevent vulnerabilities and patch management to ensure all the devices on your network are updated in a timely fashion.

We also offer a 24/7 help desk to accommodate employees that prefer to work unusual hours and individuals that are in a different time zone.

No matter where your employees are, if they get locked out of their account, we have someone on hand to investigate the situation and help them log in to their account. This gives you the added value by preventing downtime.

For more information about our IT security services, or IT consultancy and cybersecurity awareness training, get in touch with a member of our knowledgeable team.