Phishers Leverage Malicious Office 365 App to Hijack Users’ Accounts

Malicious Office 365 Attack | Zix

Digital attackers recently launched a phishing campaign that uses a malicious Microsoft Office 365 app to hijack users’ accounts.

A Compromise that Extends Far Beyond Stolen Credentials

In early December 2019, PhishLabs detected a phishing campaign targeting Office 365 users. The operation’s attack emails reel users in by impersonating an employee at the targeted organization. Specifically, the emails spoof the “From” and “To” fields and the subject line, and name a file that purports to be a Q4 report hosted on Microsoft OneDrive.

After clicking on the “Open” button, the campaign redirects the recipient to its payload hosted at the following location:

hXXps://login{dot}microsoftonline{dot}com/common/oauth2/v2.0/authorize?%20client_id=fc5d3843-d0e8-4c3f-b0ee-6d407f667751&response_type=id_token+code&redirect_uri=https%3A%2F%2Fofficemtr.com%3A8081%2Foffice&scope=offline_access%20contacts.read%20user.read%20mail.read%20notes.read.all%20mailboxsettings.readwrite%20Files.ReadWrite.All%20openid%20profile&state=12345Ajtwmd&response_mode=%20form_post&nonce=YWxsYWh1IGFrYmF

This link uses the hostname “login.microsoftonline.com,” a legitimate domain under Microsoft’s control, so the link itself gives a recipient no reason for suspicion. Users who click the “Open” button and are not already signed in are sent to Microsoft’s genuine login page. Only after they authenticate (if they have not already done so) do they reach the next stage of the campaign: a permissions page for a fake Office 365 app.

The malicious add-in, which the campaign’s handlers registered on November 25 using the details of a legitimate organization, requests the ability to sign in as the user, read their email and obtain full access to their files, among other rights. Once granted, those permissions belong to the app rather than to the user’s session, so victims who click the “Accept” button cannot lock the attacker out of their files simply by changing their login credentials. They would need to disconnect the app from their account first.
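The authorize link quoted above carries every fact an analyst needs: the app’s client_id, where the tokens are posted (redirect_uri), and the scopes being requested. The following triage script is an added example written for this article, not code from PhishLabs or Zix. It re-fangs the link exactly as printed, decodes the parameters with the standard library, and reports which requested scopes grant broad or persistent access and whether the redirect host is outside Microsoft. The per-scope risk notes and the "high/medium/low" verdict thresholds are this example’s own assumptions, not a Microsoft classification.

```python
from urllib.parse import urlparse, parse_qs

# The authorize link quoted in the article, copied as printed (defanged and wrapped).
SAMPLE_LINK = """hXXps://login{dot}microsoftonline{dot}com/common/oauth2/v2.0/authorize?%20client_id=fc5d3843-d0e8-4c3f-b0ee-6d407f667751 &response_type=id_token+code &redirect_uri=https%3A%2F%2Fofficemtr.com%3A8081%2Foffice &scope=offline_access%20contacts.read%20user.read%20mail.read%20notes.read.all
%20mailboxsettings.readwrite%20Files.ReadWrite.All%20openid%20profile
&state=12345Ajtwmd &response_mode=%20form_post &nonce=YWxsYWh1IGFrYmF"""

# Risk notes per scope are this example's own assumptions (constructed), not a
# Microsoft-published classification. Keys are lower-case; matching is
# case-insensitive because the service accepts either spelling.
HIGH_RISK_SCOPES = {
    "offline_access": "refresh token: the app can obtain new tokens without the user present",
    "mail.read": "read the whole mailbox",
    "mailboxsettings.readwrite": "change mailbox settings such as rules and forwarding",
    "files.readwrite.all": "read and modify every file the user can reach",
    "notes.read.all": "read all OneNote notebooks",
    "contacts.read": "read the address book",
}

MICROSOFT_LOGIN_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com")


def is_microsoft_host(host):
    """True when the host is one of the Microsoft domains listed above or a subdomain."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_LOGIN_DOMAINS)


def refang(text):
    """Undo defanging and line wrapping so the link can be parsed."""
    text = "".join(text.split())  # remove whitespace inserted when the URL was wrapped
    for old, new in (("hXXps", "https"), ("hXXp", "http"), ("{dot}", "."), ("[.]", ".")):
        text = text.replace(old, new)
    return text


def triage_consent_link(link):
    """Return the facts an analyst needs to judge an OAuth authorize link."""
    url = urlparse(refang(link))
    # parse_qs percent-decodes keys and values; padding such as '?%20client_id'
    # and 'response_mode=%20form_post' turns into spaces, so strip them.
    params = {k.strip(): v[0].strip() for k, v in parse_qs(url.query).items()}
    redirect = urlparse(params.get("redirect_uri", ""))
    scopes = params.get("scope", "").split()
    risky = {s: HIGH_RISK_SCOPES[s.lower()] for s in scopes if s.lower() in HIGH_RISK_SCOPES}
    third_party_redirect = not is_microsoft_host(redirect.hostname)

    if risky and third_party_redirect:
        verdict = "high"      # broad mailbox/file access handed to a non-Microsoft host
    elif risky or third_party_redirect:
        verdict = "medium"
    else:
        verdict = "low"

    return {
        "authorize_host": url.hostname,
        "authorize_host_is_microsoft": is_microsoft_host(url.hostname),
        "client_id": params.get("client_id"),
        "redirect_host": redirect.hostname,
        "redirect_is_third_party": third_party_redirect,
        "response_mode": params.get("response_mode"),
        "scopes": scopes,
        "risky_scopes": risky,
        "persistent_access": any(s.lower() == "offline_access" for s in scopes),
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage_consent_link(SAMPLE_LINK)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the article’s link, the report shows a genuine Microsoft authorize host, a redirect to officemtr.com, and six of nine scopes rated high risk including offline_access, which is exactly why a URL-reputation filter keyed on the first hop sees nothing wrong while the scope list and redirect target tell the whole story.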

Not the First Campaign of Its Kind…

The operation described above uses a similar attack chain as a 2017 Google Docs phishing scam. At the time, someone using the handle “JackSteam” posted on Reddit about how they had received an email prompting them to open a shared Google Doc. Clicking on the “Open” button prompted the user to sign into their account. It’s then that the campaign asked the user to allow “Google Docs” to access their account. But “Google Docs” wasn’t the actual service offered by the Menlo Park tech giant; it was just a convincing spoof used by another Google user in an attempt to gain access to others’ accounts.

News of the Microsoft campaign arrives at a time when malicious actors are becoming increasingly bold in their efforts to target users of the Redmond-based tech giant. Back in March 2019, for instance, Microsoft’s security team revealed that phishers had stepped up their attacks against users by a whopping 250 percent. It was several months later when PhishLabs detected a campaign in which digital fraudsters specifically attempted to steal Office 365 admins’ credentials in a bid to gain administrative control over all email accounts connected to a domain.

Defending Against Innovative Phishing Campaigns

PhishLabs notes that malicious actors can easily abuse Microsoft’s add-in service to target unsuspecting users with malicious apps. As the firm writes in its research:

By default, any user can apply add-ins to their Outlook application. Additionally, Microsoft allows Office 365 Add-Ins and Apps to be installed via side loading without going through the Office Store, and thereby avoiding any review process. This means that a threat actor can deliver a malicious app from the infrastructure that they control to any user that clicks a URL and approves the requested permissions.

With that said, organizations need to protect their employees against attack emails that use spoofing techniques to lull them into a false sense of security. They can do so by investing in a solution that uses filters to unmask a spoofed “From” header and to block impersonated email messages. That security tool should perform this type of filtering in real time while allowing legitimate correspondence to find its way to the intended destination.
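To make the “unmask a spoofed From header” step concrete, here is an added example of the checks such a filter applies; it is illustrative code written for this article, not ZixProtect’s or PhishLabs’ logic. It parses a raw message with Python’s standard email module and reports three signals: the organization’s own domain in From without a DMARC pass, a Return-Path domain that disagrees with From, and a known colleague’s display name attached to an address that is not theirs. The domain example-corp.com, the employee directory, and the three sample messages (one mimicking the campaign’s internal-colleague-shares-a-Q4-report pattern, one lookalike domain, one legitimate) are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # constructed: the organization's own mail domain
# Constructed directory: display names employees are known by -> their real address.
KNOWN_EMPLOYEES = {"alice smith": "alice.smith@example-corp.com"}

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the Authentication-Results header(s)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RESULT.findall(header):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def spoof_findings(raw_message):
    """Return the reasons a message looks like sender impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    envelope_domain = envelope_addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    findings = []

    # 1. Our own domain in From, but the mail did not pass our authentication checks:
    #    the From header was written by someone outside the organization.
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append(f"From claims {from_domain} but DMARC result is {auth.get('dmarc', 'missing')}")

    # 2. Envelope sender (Return-Path) and header From disagree about the domain.
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")

    # 3. A colleague's display name on an address that is not theirs (lookalike domain).
    real_addr = KNOWN_EMPLOYEES.get(display_name.strip().lower())
    if real_addr and real_addr != from_addr.lower():
        findings.append(f"display name '{display_name}' belongs to {real_addr}, not {from_addr}")

    return findings


# Constructed sample messages. The first mimics the campaign's pattern: an internal
# colleague's name and address on a "shared Q4 report" notice injected from outside.
SPOOFED_FROM = """Return-Path: <bounce@notify-share.example>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=notify-share.example;
 dkim=none; dmarc=fail header.from=example-corp.com
From: "Alice Smith" <alice.smith@example-corp.com>
To: "Bob Jones" <bob.jones@example-corp.com>
Subject: Q4 Report

Alice Smith shared "Q4 Report.docx" with you.
"""

LOOKALIKE = """Return-Path: <alice.smith@example-corp.co>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.co;
 dkim=pass; dmarc=pass header.from=example-corp.co
From: "Alice Smith" <alice.smith@example-corp.co>
To: "Bob Jones" <bob.jones@example-corp.com>
Subject: Q4 Report

Alice Smith shared "Q4 Report.docx" with you.
"""

LEGITIMATE = """Return-Path: <alice.smith@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass; dmarc=pass header.from=example-corp.com
From: "Alice Smith" <alice.smith@example-corp.com>
To: "Bob Jones" <bob.jones@example-corp.com>
Subject: Q4 Report

Attached is the final Q4 report.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_FROM), ("lookalike", LOOKALIKE), ("legitimate", LEGITIMATE)):
        print(label, spoof_findings(raw) or ["no findings"])
```

The legitimate message produces no findings, so a filter built on these checks lets ordinary internal mail through while the exact-domain spoof trips two signals and the lookalike domain, which authenticates perfectly for its own domain, is caught only by the display-name check; that last case is why authentication results alone are not enough to unmask impersonation.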

Learn how ZixProtect can help defend your organization against phishing campaigns that use spoofing techniques.