Published 02 Dec 2019

IT service management company PhishLabs has detected a new phishing campaign that seeks to harvest the login details for administrators of Office365 accounts.

While this is not a flaw in Office365 in any way, it highlights the need for employees to be vigilant when encountering phishing attacks, especially as cybercriminals are becoming increasingly sophisticated in the methods they employ.

The phishing campaign appears to have been distributed to a diverse range of targets, suggesting that the threat actor is not pursuing specific businesses or individuals. The lure works by impersonating the Office365 and Microsoft brands. The threat actor used a number of validated domains, including one belonging to an academic institution, to make the lure appear more legitimate and increase the chances of recipients falling for it, although none of these websites belong to Microsoft. Users who do click the link are presented with a fake Office365 login page, which harvests any login credentials that are entered.

PhishLabs reports on its website:

“Threat actors target administrative credentials for several reasons. For starters, Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain. In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.”

It adds that a compromised administrator account can also be used to add new accounts. This may be leveraged to misuse single-sign-on systems. It may also be used to send out a new wave of phishing emails, this time with the advantage of the compromised domain’s reputation, which helps the lure avoid being detected and blocked by email filters. In addition, by using a new account for fresh phishing activity, the threat actor reduces the chances of being detected, for example by an existing user noticing unfamiliar activity on their own email account. Multiple validated domains have already been observed launching new phishing campaigns in this way.

PhishLabs recommends being wary of suspicious emails to avoid falling foul of this attack, with particular attention being paid to the following subject lines:

“Re: Action Required!”

“Re: We placed a hold on your account”
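The traits described above (Microsoft/Office 365 branding, mail and links hosted on validated domains that are not Microsoft's, and the two reported subject lines) can be turned into a simple mail-triage score. This is an added example, not code from PhishLabs or from the article; the sample messages are constructed, and the trusted-domain suffix list is an assumption a defender would maintain themselves.

```python
import re
from urllib.parse import urlparse

# Subject lines reported for this campaign (quoted in the article).
KNOWN_SUBJECTS = {"re: action required!", "re: we placed a hold on your account"}
# Brands the lure impersonates.
BRAND = re.compile(r"office\s*365|microsoft", re.IGNORECASE)
# Assumption: domains that may legitimately host a Microsoft sign-in page.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com")

def is_trusted(host):
    """True if host is one of the trusted suffixes or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def score(msg):
    """Return (score, reasons) for a message dict: from_name, from_addr, subject, urls."""
    reasons = []
    if msg["subject"].strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches a reported campaign lure")
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1]
    branded = bool(BRAND.search(msg["from_name"]) or BRAND.search(msg["subject"]))
    if BRAND.search(msg["from_name"]) and not is_trusted(sender_domain):
        reasons.append(f"brand in display name but sender domain {sender_domain} is not Microsoft")
    for url in msg["urls"]:
        host = urlparse(url).hostname or ""
        # A Microsoft-branded mail whose link lands on another (even reputable) host is the
        # pattern described in the article: a validated but non-Microsoft domain.
        if (branded or BRAND.search(url)) and not is_trusted(host):
            reasons.append(f"Microsoft-branded lure links to non-Microsoft host {host}")
    return len(reasons), reasons

# Constructed sample messages: one lure, one benign mail, one genuine Microsoft notice.
SAMPLES = [
    {"from_name": "Office 365 Team", "from_addr": "notify@university.example.edu",
     "subject": "Re: Action Required!",
     "urls": ["https://university.example.edu/o365/login.php"]},
    {"from_name": "Jane Doe", "from_addr": "jane@partner.example.com",
     "subject": "Re: lunch tomorrow", "urls": ["https://partner.example.com/menu"]},
    {"from_name": "Microsoft", "from_addr": "account@microsoft.com",
     "subject": "Your monthly summary", "urls": ["https://login.microsoftonline.com/"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", score(m))
```

Anything scoring above zero deserves a second look; the first sample trips all three checks while the genuine Microsoft notice trips none.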

Phishing campaigns are not unique to Office365, but the popularity of this leading productivity suite makes it an attractive target for cybercriminals. This should in no way prevent you from adopting Office365, because it offers the scaling and flexibility that can allow your business to grow. It does, however, highlight the importance of training your staff to recognise potential phishing attacks and act accordingly. If you prefer, we can even administer your Office365 account for you with our Office IT support, adding or removing users as needed and handling the licensing for you.
