Phishing Campaign Targets Administrator Credentials with Office Alerts

A new phishing campaign has been identified which uses Office 365 admin alerts as a lure to get administrators to click and disclose their login credentials.

A hacker can use phishing emails to obtain Office 365 credentials and gain access to an employee’s email account. That account can be used to send further phishing emails to contacts and colleagues. The hacker also has access to sensitive data in emails and email attachments.

If an admin account is compromised, the attacker can perform a wider range of attacks on the organization. An admin account will allow an attacker to access other mailboxes, read or copy emails from other Office 365 users’ accounts, and send mail from other users’ mailboxes. New mailboxes can also be set up and used exclusively for phishing.

The latest campaign involves sending messages to administrators that require an urgent action to be performed. One email warned of a problem with a mail service that needed immediate correction, another warned the admin about a potential mailbox compromise, and one was intercepted that claimed the organization’s Office 365 subscription had expired.

In all cases, the user was provided with a hyperlink to click to address the problem. The link directs the user to a spoofed Office 365 login page on a windows.net domain, where credentials are captured. Since the page is hosted on Azure, it has a valid certificate signed by Microsoft.

Most Office 365 admins should be able to recognize the scam for what it is, as the messages are not sent from an official Microsoft domain, although some may make a mistake and accidentally compromise their credentials.
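The two indicators described above, a sender outside Microsoft's domains and a sign-in link on a windows.net host, can be checked mechanically when triaging reported mail. The following Python code is an added example, not part of the original article; the sample message, the `TRUSTED_SENDER_DOMAINS` allowlist and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: sender domains this organization accepts for Microsoft admin notices.
TRUSTED_SENDER_DOMAINS = {"microsoft.com"}
# From the article: the credential page sat on a windows.net host, so a valid
# Microsoft-signed certificate says nothing about who controls the page.
LURE_HOST_SUFFIX = ".windows.net"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (not a captured email); all names are placeholders.
SAMPLE = """\
From: "Office 365 Admin Center" <alerts@mail-notice.example>
To: admin@corp.example
Subject: Action required: mail service issue
Content-Type: text/plain

Your mail service requires immediate correction. Sign in:
https://constructed-sample.windows.net/login.html
"""


def domain_matches(host, base):
    """True if host equals base or is a subdomain of it (no substring tricks)."""
    host = host.lower().rstrip(".")
    return host == base or host.endswith("." + base)


def triage(raw_message):
    """Return the reasons a message resembles the admin-alert lure (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    # The From header is spoofable: a trusted value is a hint, not proof.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not any(domain_matches(sender_domain, d) for d in TRUSTED_SENDER_DOMAINS):
        findings.append(f"sender domain not trusted: {sender_domain or '(none)'}")
    body = "\n".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if not part.is_multipart())
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(LURE_HOST_SUFFIX):
            findings.append(f"sign-in link on windows.net host: {host}")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Legitimate Azure-hosted content also lives under windows.net, so a hit is a prompt for review rather than a verdict.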

As an additional protection to prevent unauthorized account access, all Office 365 accounts – and especially admin accounts – should be protected by two-factor authentication. If credentials are obtained by a hacker, two-factor authentication should prevent them from being used to remotely access the account.

Author: NetSec Editor