Office 365 Admins Singled Out in Phishing Campaign

Security experts are warning Office 365 administrators of a new phishing campaign that sends its lures from legitimate (compromised) sender domains in order to bypass reputation filters.

According to PhishLabs, malicious emails are being sent out as part of the campaign across numerous industries. Administrators are the primary target, for several reasons.

“For starters, Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain,” the vendor said.

“In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.”

Once an administrator has been phished, the attackers can then create new accounts within the compromised organisation, which will then send out more phishing emails that are designed to appear trustworthy.

“This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email,” said PhishLabs. “Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.”

Setting up new accounts allows the attackers not only to carry out this phishing activity, but also to stay under the radar and undiscovered, since the mail is not tied to any existing user's mailbox.

The phishing lures are usually designed to look as though Microsoft sent the email. For example, a lure may ask the recipient to sign in to the Office 365 Admin Centre to update payment information. However, an observant recipient can notice that the sending domain itself is not Microsoft's, but that of a compromised organisation.
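The tell-tale sign described above can be checked mechanically. The following is an added example, not code from PhishLabs, Microsoft or the original article: it parses message headers with Python's standard library and flags mail that carries Microsoft branding in the display name or subject while its From domain is not one of Microsoft's. The domain allowlist, the brand terms and the three sample messages are constructed assumptions; the allowlist in particular should be tuned to the sender domains a tenant actually receives Microsoft notices from, and the check is a triage aid, not a substitute for SPF/DKIM/DMARC evaluation.

```python
"""Flag Microsoft-branded mail whose sending domain is not Microsoft's.

Added example (not PhishLabs' or Microsoft's code). Two checks taken from
the article: the lure looks like it comes from Microsoft, and the actual
sending domain is not a Microsoft domain. A differing Reply-To domain is
reported as a secondary signal.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains Microsoft sends account/billing notices from.
MICROSOFT_DOMAINS = {"microsoft.com", "email.microsoft.com", "microsoftonline.com"}
# Assumed brand terms that suggest the mail is presenting itself as Microsoft's.
BRAND_TERMS = ("microsoft", "office 365", "o365", "admin center", "admin centre")


def header_domain(msg, header):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw):
    """Describe whether a raw RFC 5322 message looks like a brand-impersonation lure."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    text = f"{display_name} {msg.get('Subject', '')}".lower()
    brand_hits = [term for term in BRAND_TERMS if term in text]
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")

    reasons = []
    if brand_hits and from_dom not in MICROSOFT_DOMAINS:
        reasons.append(f"Microsoft-branded mail sent from {from_dom or '<no domain>'}")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {
        "from_domain": from_dom,
        "brand_terms": brand_hits,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan(messages):
    """Assess (label, raw) pairs and return the labels judged suspicious."""
    return [label for label, raw in messages if assess(raw)["suspicious"]]


# Constructed sample messages (not real captures); domains use .example.
LURE = """From: "Microsoft Office 365" <billing@compromised-partner.example>
To: admin@victim.example
Subject: Action required: update payment information in the Office 365 Admin Centre

Sign in to the Admin Centre to update your payment details.
"""

GENUINE = """From: "Microsoft 365 Message Center" <o365mc@microsoft.com>
To: admin@victim.example
Subject: Weekly digest: Microsoft 365 service changes

This is your weekly digest.
"""

ORDINARY = """From: "Alice Vendor" <alice@supplier.example>
To: admin@victim.example
Subject: Invoice for October

Please find the invoice attached.
"""

if __name__ == "__main__":
    for label, raw in [("lure", LURE), ("genuine", GENUINE), ("ordinary", ORDINARY)]:
        print(label, assess(raw))
```

Run as a script it prints an assessment for each sample; only the constructed lure is flagged, because its display name and subject carry Microsoft branding while the From domain belongs to the (constructed) compromised partner. Because the campaign sends from genuinely reputable domains, a reputation score alone says nothing here; the brand-versus-domain mismatch is the signal worth alerting on.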

Office 365 continues to rise in popularity for both users and hackers. Barracuda Networks recently discovered more than 1.5 million malicious and spam emails sent from thousands of compromised accounts within the space of a single month earlier this year.
