Researchers at Israeli cybersecurity firm Ironscales have identified a spear phishing campaign targeting Office 365 users that spoofs the Microsoft.com domain. Several thousand Office 365 mailboxes are known to have been targeted, with around 100 customers of Ironscales having been sent the phishing emails. Those customers span several industry sectors including healthcare, insurance, telecom, manufacturing, and financial services.
Emails spoofing Microsoft are nothing new, and Office 365 users are frequently targeted; in this case, however, the campaign uses exact domain spoofing, which should normally cause the emails to be blocked. Exact domain spoofing is where the sender domain used by the phisher is an exact match for the impersonated domain, so an end user who checks the domain to confirm it is legitimate may well be fooled into thinking the message is genuine.
The emails appear to have been sent from a Microsoft.com domain and invite users to take advantage of a new Office 365 capability that allows them to recover messages accidentally marked as spam or phishing, a feature introduced in September 2020.
The messages appear to have been sent by “Microsoft Outlook”, and users are urged to click the link in the email, which supposedly directs them to a security portal where they can review messages in the “Exchange Online Protection” quarantine folder. If a user clicks the link, they are directed to a fake login page where they are required to enter their Office 365 credentials, which are captured by the scammers.
Exact domain spoofing is rarely used in phishing campaigns, as most secure email gateway solutions easily detect such emails as malicious: most gateways implement Domain-based Message Authentication, Reporting and Conformance (DMARC) and check that the sender of a message is authorized to use the domain it claims. The main purpose of DMARC is to stop exactly this type of email impersonation attack.
The reason so many of these messages are reaching inboxes is that Microsoft’s servers have not been configured to enforce the DMARC protocol. As a result, Microsoft’s Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) anti-phishing measures do not stop these emails from being delivered, even though a Microsoft domain is being used to target Microsoft Office 365 users.
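To make the enforcement point concrete, the following is an added example (not code from the article, from Ironscales, or from Microsoft) of a minimal DMARC evaluator: it checks whether an SPF or DKIM pass is aligned with the visible From domain and then applies the domain owner's published policy, or ignores it when the receiver is configured not to enforce. The DMARC record, the envelope domain and the message results are constructed sample values, and the organizational-domain logic is a deliberate simplification rather than a Public Suffix List lookup.

```python
# Added example, not from the article: a minimal DMARC evaluator showing why a
# receiver that does not enforce the sender's policy delivers an exact-domain spoof.
from typing import Dict, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into tag -> value."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Crude organizational-domain guess: the last two labels. Real implementations
    consult the Public Suffix List; this simplification is an assumption of the example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain: str, record: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, enforce: bool = True) -> Tuple[str, str]:
    """Return (dmarc_result, disposition).

    dmarc_result is "pass" when SPF or DKIM passed *and* is aligned with the
    RFC5322.From domain, otherwise "fail". disposition is what the receiver does:
    "deliver", "quarantine" or "reject". With enforce=False the receiver ignores the
    published policy, which is the situation the article describes.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    if not enforce:
        return "fail", "deliver"
    policy_to_action = {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}
    return "fail", policy_to_action.get(tags.get("p", "none").lower(), "deliver")


# Constructed sample: the spoofed message shows From: microsoft.com, but the envelope
# sender (and therefore the SPF pass) belongs to an unrelated domain and there is no
# DKIM signature. The DMARC record is a constructed example, not the real record.
SPOOFED_FROM = "microsoft.com"
SAMPLE_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=r"
ENVELOPE_DOMAIN = "bulk-mailer.example"  # placeholder sending-infrastructure domain


def spoof_outcome(enforce: bool) -> Tuple[str, str]:
    """Outcome for the spoofed message at an enforcing or non-enforcing receiver."""
    return evaluate_dmarc(SPOOFED_FROM, SAMPLE_RECORD, "pass", ENVELOPE_DOMAIN,
                          "none", "", enforce=enforce)


def legitimate_outcome() -> Tuple[str, str]:
    """Outcome for genuine mail: SPF and DKIM domains aligned with the From domain."""
    return evaluate_dmarc(SPOOFED_FROM, SAMPLE_RECORD, "pass", "mail.microsoft.com",
                          "pass", "microsoft.com")


if __name__ == "__main__":
    print("enforcing receiver :", spoof_outcome(True))    # ('fail', 'reject')
    print("non-enforcing      :", spoof_outcome(False))   # ('fail', 'deliver')
    print("legitimate message :", legitimate_outcome())   # ('pass', 'deliver')
```

The same message fails DMARC in both cases; only the receiver's decision to honour the published `p=reject` policy changes the disposition, which is why an unenforced DMARC check offers no protection against an exact-domain spoof.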
“Any other email service that respects and enforces DMARC would have blocked such emails,” said Lomy Ovadia, Ironscales vice president of research and development. “It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure.”
That means the 200 million Office 365 users are vulnerable to this scam if they are protected only by the default EOP provided as standard, and even with the paid ATP anti-phishing add-on. Why Microsoft is not enforcing DMARC when it is one of the most spoofed brands is a mystery.