Beware of These Dangerous Office 365 Spear Phishing Tactics

Written by Lauryn Cash

Securing Office 365 email has been in the spotlight since Microsoft revealed that O365 users had been the targets of a spear phishing campaign that had been running since July 2020.

Is Microsoft Office 365 email secure? Since its inception, Office 365 has been an integral part of millions of businesses. That popularity also makes it a large, uniform target, and the threat actors who go after it keep changing their tactics to evade detection.

Since cloud adoption has surged and Office 365 subscribers have increased to over 50.2 million, stopping phishing attacks on O365 has become increasingly important. Today we’ll look at four types of attacks that target Office 365 users:

  • Attacks that spoof workflows
  • Attacks that exploit business workflows
  • Attacks that impersonate well-known brands
  • Attacks that use unique techniques

1. Attacks That Spoof Workflows

Attacks that spoof workflows duplicate existing workflows, fooling targets into believing they’ve received legitimate communications.

These attacks are successful because they encourage victims to rely on “System 1 thinking” – the brain’s fast, automatic mode of processing. When you “click before you think,” a phony workflow that looks like one you have completed many times before gets the same reflexive click as the real thing.

Here are three examples of attacks that spoof workflows.

Wells Fargo Locked Account Notification

This email campaign impersonated a Wells Fargo locked account workflow to steal victims’ banking credentials. Variants of this email attack targeted over 10,000 customer inboxes.

Microsoft skipped spam filtering because it determined that the email was from a safe sender or to a safe recipient, or came from a source server on the IP Allow list (the condition Exchange Online Protection records as the SFV:SKA verdict in the X-Forefront-Antispam-Report header). Because the content filter never ran, none of the brand-impersonation or credential-phishing checks had a chance to score the message.

  • Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO), Proofpoint
  • Techniques used: Social engineering, brand impersonation, replicating existing workflows, using Hotmail accounts
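As an added example (not code from the article or from Armorblox), the Python below pulls the two signals that defined the Wells Fargo campaign out of a raw message: the SFV verdict in the X-Forefront-Antispam-Report header, which tells you whether EOP content filtering ran at all, and a mismatch between a brand in the From display name and the sending domain, as with the Hotmail-sent lure. The header field names and SFV codes are Microsoft’s documented ones; the brand-to-domain table and both sample messages are constructed for the example.

```python
"""Added example: triage one inbound message for the two signals the Wells Fargo
campaign relied on - Exchange Online Protection skipped content filtering, and
the From display name claims a brand that the sending domain does not own."""
import email
from email import policy
from email.utils import parseaddr

# SFV values in X-Forefront-Antispam-Report that mean the content filter was
# not applied: SKA = allowed sender/recipient/source IP, SKN = marked non-spam
# before filtering (for example by a mail flow rule).
FILTER_SKIPPED = {"SKA", "SKN"}

# Illustrative brand -> legitimate sending domains map. This is an assumption
# for the example, not an authoritative list; a production rule would take it
# from DMARC/BIMI data or a threat-intel feed.
BRAND_DOMAINS = {
    "wells fargo": {"wellsfargo.com"},
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com"},
    "proofpoint": {"proofpoint.com"},
}
WEBMAIL_DOMAINS = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}


def parse_antispam_report(value):
    """Parse 'CIP:203.0.113.7;SCL:1;SFV:SKA;...' into a dict keyed by upper-case field."""
    report = {}
    for field in value.split(";"):
        key, sep, val = field.partition(":")
        if sep:
            report[key.strip().upper()] = val.strip()
    return report


def claimed_brand(display_name):
    """Return the first known brand named in the display name, or None."""
    name = display_name.lower()
    return next((brand for brand in BRAND_DOMAINS if brand in name), None)


def triage(raw):
    """Return human-readable findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    verdict = report.get("SFV")
    if verdict in FILTER_SKIPPED:
        findings.append(
            f"EOP skipped content filtering (SFV:{verdict}, SCL:{report.get('SCL', '?')})"
        )

    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    brand = claimed_brand(display_name)
    if brand and sender_domain not in BRAND_DOMAINS[brand]:
        kind = "free webmail" if sender_domain in WEBMAIL_DOMAINS else "non-brand"
        findings.append(
            f"display name claims {brand!r} but sender domain is {sender_domain} ({kind})"
        )
    return findings


# Constructed sample messages (not real captures). The first mirrors the
# campaign described above: a Hotmail sender with a bank's display name that
# EOP let through on a safe-sender match.
PHISH_SAMPLE = (
    b'From: "Wells Fargo Online" <wf.alerts.2020@hotmail.com>\r\n'
    b"To: victim@example.com\r\n"
    b"Subject: Your account has been temporarily locked\r\n"
    b"X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;SCL:1;SRV:;"
    b"IPV:NLI;SFV:SKA;H:outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(13230031);DIR:INB;\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please verify your identity to unlock your account.\r\n"
)
LEGIT_SAMPLE = (
    b'From: "IT Service Desk" <helpdesk@example.com>\r\n'
    b"To: victim@example.com\r\n"
    b"Subject: Planned maintenance window\r\n"
    b"X-Forefront-Antispam-Report: CIP:203.0.113.9;CTRY:US;LANG:en;SCL:1;SRV:;"
    b"IPV:NLI;SFV:NSPM;H:mail.example.com;PTR:;CAT:NONE;SFTY:;DIR:INB;\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Email will be unavailable Saturday 02:00-04:00 UTC.\r\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample) or ["no findings"])
```

Run it against a .eml exported from the recipient’s mailbox. The rule deliberately fires on SKA/SKN regardless of SCL: a safe-sender match is exactly the case where a low SCL means nothing, because the content filter never scored the message.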

File-Sharing Notification From Proofpoint

This credential phishing attack impersonated Proofpoint to steal victims’ Google and Microsoft logins, claiming to deliver, as a link, a secure file sent via Proofpoint.

Clicking the link took victims to a page that spoofed Proofpoint branding and contained login links for various email providers. Additionally, the attack included dedicated login page spoofs for Google and Microsoft.

  • Email security bypassed: Microsoft email security
  • Techniques used: Social engineering, brand impersonation, replicating existing workflows, account takeover

Online Shipping Notifications From FedEx and DHL

This pair of attacks impersonated a FedEx online document share and a DHL Express shipping-details notice. Both aimed to extract victims’ work email account credentials.

The phishing pages were hosted on free services like Quip and Google Firebase, so both URL reputation checks and the users themselves saw a trusted domain rather than an attacker-registered one.

  • Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365
  • Techniques used: Social engineering, link redirects, hosting phishing pages on Quip and Google Firebase, brand impersonation

2. Attacks That Exploit Business Workflows

These attacks are successful because they use legitimate domains to create phishing emails and pages that target a business workflow. This tricks both security software and end users into believing the communication is legitimate. 

Here are three examples of attacks that exploit free hosting services.

Hosting Phishing Pages on Google Firebase

This email attack, sent to at least 20,000 inboxes, pretended to share information about an EFT payment with a link to download an HTML invoice. When the invoice was opened, the HTML loaded a page with Microsoft Office branding hosted on Google Firebase. The final phishing page attempted to extract the victims’ Microsoft login credentials, alternate email addresses, and phone numbers.

  • Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365
  • Techniques used: Social engineering, link redirects, HTML hosted on Google Firebase, brand impersonation

Hosting Phishing Pages on Box

In this credential phishing attempt, attackers hosted a phishing site on Box. They sent an email claiming to come from a legitimate third-party vendor and included a link to a secure document. Clicking the link led readers to a page hosted on Box, followed by a credential phishing page that resembled the Office 365 login portal.

  • Email security bypassed: Microsoft email security
  • Techniques used: Social engineering, link redirects, brand impersonation

Phishing Pages Hosted on Webflow and Google Sites

This credential phishing attempt impersonated internal IT teams with an email asking readers to review a secure message sent over Microsoft Teams. Clicking the link led readers to a page designed to look like Microsoft Teams, followed by a credential phishing page that resembled the Office 365 login portal.

  • Email security bypassed: Microsoft email security
  • Techniques used: Social engineering, link redirects, brand impersonation

3. Attacks That Impersonate Well-Known Brands

Credential phishing is an attack in which the adversary poses as a known or trusted entity in an email, instant message, or other written channel in order to steal user credentials. The trusted entity can be a well-known brand, not just a co-worker or vendor.

Here are three examples of attacks that impersonated well-known brands.

Netflix Credential Phishing

In the Netflix credential phishing attempt, attackers sent an email resembling a Netflix billing failure. Clicking the email link took targets to a working CAPTCHA page with Netflix branding; a CAPTCHA gate like this both adds legitimacy and keeps automated URL scanners from reaching the page behind it.

Correctly filling in the CAPTCHA information led to a Netflix lookalike site, complete with a phishing flow that aimed to steal login credentials, billing address information, and credit card details.

  • Email security bypassed: Office 365 Exchange Online Protection
  • Techniques used: Social engineering, link redirects, brand impersonation, replicating existing workflows

Amazon Credential Phishing

In an Amazon credential phishing attempt, attackers sent an email resembling an Amazon delivery order failure. The email came from a legitimate third-party vendor’s account, so it carried none of the sender-domain red flags of a spoofed message, and it included a link to update Amazon billing information.

Clicking on the link led victims to an Amazon lookalike site with a phishing flow that aimed to steal login credentials, billing address information, and credit card details.

  • Email security bypassed: Microsoft email security
  • Techniques used: Social engineering, link redirects, brand impersonation, replicating existing workflows

Bank of America Credential Phishing

In the Bank of America credential phishing attempt, an email that impersonated B of A asked readers to update their email addresses to avoid having them recycled. Clicking a malicious link led readers to a credential phishing page that resembled the bank’s home page.

The attack flow also included a page that asked readers for their ‘security challenge questions,’ both to harvest additional account-recovery answers and to make the flow look legitimate.

  • Email security bypassed: Microsoft email security
  • Techniques used: Social engineering, link redirects, brand impersonation, security challenge questions

4. Attacks That Use Unique Techniques

There seems to be no end to the creativity used by hackers to get what they want. Here are three unique techniques used by cybercriminals.

Real-Time Validation Against Active Directory

Cybercriminals validated stolen credentials in real time as an executive at a top American business typed them into a malicious phishing page. After the user entered their Office 365 credentials, the page called the Office 365 API to instantly verify them against the organization’s Azure Active Directory. The attacker therefore knew immediately whether the password was valid and could re-prompt on a typo instead of losing the victim.

  • Email security bypassed: Microsoft email security
  • Techniques used: Social engineering, link redirects
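The live validation call is also the defender’s opportunity: whatever endpoint the kit hits, it has to present the password to the tenant, and that lands in the Azure AD sign-in log. As an added example (not code from the article or from Armorblox), the Python below scans sign-in records in the shape of the Microsoft Graph signIn resource for that footprint. It assumes the kit authenticates without a browser, so the event shows up as a legacy-protocol clientAppUsed value or an OAuth ROPC grant, from an address the user has never used; the per-user IP baseline and all records are constructed for the example.

```python
"""Added example: find live credential-validation attempts in Azure AD
(Entra ID) sign-in log records, the footprint of a kit that checks a freshly
phished password against the tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed values that present a password without an interactive browser
# flow; a phishing kit validating a password server-side typically looks like
# one of these or like an OAuth ROPC grant (assumption for this example).
LEGACY_CLIENTS = {
    "Other clients", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange ActiveSync", "Exchange Web Services", "MAPI Over HTTP",
}


def parse_time(value):
    """Graph sign-in timestamps look like 2020-07-14T09:15:02Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_password_probe(rec):
    """True when the credential was presented outside a browser sign-in."""
    return (rec.get("authenticationProtocol") == "ropc"
            or rec.get("clientAppUsed") in LEGACY_CLIENTS)


def detect(records, known_ips, window=timedelta(minutes=10), min_users=2):
    """Return alerts for password probes from addresses the user has not used
    before, plus one alert per source IP that probes several users in `window`."""
    alerts, by_ip = [], defaultdict(list)
    for rec in records:
        if not is_password_probe(rec):
            continue
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        if ip in known_ips.get(user, set()):
            continue                       # baseline address, e.g. a real IMAP client
        alerts.append({
            "type": "password_probe", "user": user, "ip": ip,
            "client": rec.get("clientAppUsed"),
            "succeeded": rec["status"]["errorCode"] == 0,
            "time": rec["createdDateTime"],
        })
        by_ip[ip].append(rec)
    for ip, recs in by_ip.items():
        users = sorted({r["userPrincipalName"] for r in recs})
        times = sorted(parse_time(r["createdDateTime"]) for r in recs)
        if len(users) >= min_users and times[-1] - times[0] <= window:
            alerts.append({"type": "shared_source", "ip": ip, "users": users,
                           "span_seconds": int((times[-1] - times[0]).total_seconds())})
    return alerts


# Constructed records in the shape of the Microsoft Graph signIn resource
# (trimmed to the fields used). Addresses are documentation ranges, not real.
KNOWN_IPS = {
    "ceo@example.com": {"203.0.113.10"},
    "cfo@example.com": {"203.0.113.10"},
    "analyst@example.com": {"203.0.113.11"},
}
SIGNIN_RECORDS = [
    {"createdDateTime": "2020-07-14T09:14:40Z", "userPrincipalName": "ceo@example.com",
     "ipAddress": "203.0.113.10", "clientAppUsed": "Browser",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    # The kit checks the CEO's password seconds after it was typed into the lure.
    {"createdDateTime": "2020-07-14T09:15:02Z", "userPrincipalName": "ceo@example.com",
     "ipAddress": "198.51.100.23", "clientAppUsed": "Other clients",
     "authenticationProtocol": "ropc", "status": {"errorCode": 0}},
    # Same infrastructure tries a second victim; 50126 = invalid username/password.
    {"createdDateTime": "2020-07-14T09:18:37Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.23", "clientAppUsed": "Other clients",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}},
    # Legacy protocol from the user's usual address: noisy, but not this alert.
    {"createdDateTime": "2020-07-14T09:20:00Z", "userPrincipalName": "analyst@example.com",
     "ipAddress": "203.0.113.11", "clientAppUsed": "IMAP4",
     "authenticationProtocol": "none", "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for alert in detect(SIGNIN_RECORDS, KNOWN_IPS):
        print(alert)
```

The failed probe matters as much as the successful one: a kit testing passwords produces 50126 failures for victims who mistyped, and the shared-source alert ties those to the successful validation from the same address. The longer-term fix is to block legacy authentication and ROPC with Conditional Access so the validation call fails regardless of whether the password is right.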

Tech Support Vishing Attacks

In two billing/tech support vishing attacks impersonating Geek Squad and Norton AntiVirus, hackers sent fake order receipts with a phone number to call to “process a return,” aiming to extract victims’ credit card details over the phone. With no URL in the email, link-based controls had nothing to inspect.

  • Email security bypassed: Exchange Online Protection (EOP), Proofpoint
  • Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email), using a Gmail address

Symantec URL Rewriting

An email hid a zero-day phishing site behind multiple redirects, one of them a link rewritten by Symantec’s Click-time URL Protection, so the visible URL pointed at a trusted security vendor’s domain rather than at the phishing page.

The email was sent to an employee who works on real estate projects. It included a link to a PDF that appeared to contain bid details for an upcoming building project; clicking it sent the victim through the redirect chain.

The redirects ended at a page asking for login details. All of the intermediate pages resembled legitimate OneDrive and Adobe pages, so the chain passed the target’s eye test.

  • Email security bypassed: A spoof of Symantec email security
  • Techniques used: Social engineering, link redirects, brand impersonation
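Both the free-hosting campaigns in section 2 and the redirect chain above defeat a reputation check that only looks at the URL in the message. As an added example (not code from the article or from Armorblox), the Python below peels off click-time rewriter layers, follows a redirect chain, and then classifies the landing page by whether it sits on a consumer hosting service and carries brand or login words. The wrapper formats for Safe Links, Symantec click-time and Proofpoint URL Defense are assumed from publicly posted samples rather than vendor documentation; the hosting-suffix list, the sample chain and the redirect table (which stands in for live 302 responses so the code runs offline) are constructed for the example.

```python
"""Added example: unwrap click-time URL rewriters and simulated redirects,
then flag landing pages parked on free hosting services."""
from urllib.parse import parse_qs, unquote, urlparse

# Hosting services the article reports as phishing hosts; a host equal to, or
# ending in ".", one of these suffixes counts as free hosting.
FREE_HOSTING_SUFFIXES = (
    "web.app", "firebaseapp.com", "storage.googleapis.com",
    "sites.google.com", "box.com", "webflow.io", "quip.com",
)
# Brand and login words the campaigns put in hostnames and paths.
BRAND_TOKENS = ("microsoft", "office", "o365", "onedrive", "sharepoint",
                "teams", "adobe", "login", "signin", "verify")


def unwrap_rewritten(url):
    """Peel one layer of a click-time URL rewriter; return the inner URL or None.

    Wrapper formats are assumed from publicly posted samples, not vendor docs:
      Microsoft Safe Links  *.safelinks.protection.outlook.com/?url=<urlencoded>
      Symantec Click-time   clicktime.symantec.com/<id>?h=<hash>&u=<urlencoded>
      Proofpoint URLDefense urldefense.proofpoint.com/v2/url?u=<'-'=>'%', '_'=>'/'>
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    qs = parse_qs(parts.query)          # parse_qs already percent-decodes values
    if host.endswith("safelinks.protection.outlook.com") and "url" in qs:
        return qs["url"][0]
    if host == "clicktime.symantec.com" and "u" in qs:
        return qs["u"][0]
    if host == "urldefense.proofpoint.com" and parts.path.startswith("/v2/url") and "u" in qs:
        return unquote(qs["u"][0].replace("-", "%").replace("_", "/"))
    return None


def resolve_chain(url, redirects, max_hops=10):
    """Follow rewriter layers and HTTP redirects (given as a dict, so this runs
    offline) and return every hop from the clicked URL to the landing page."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = unwrap_rewritten(hops[-1]) or redirects.get(hops[-1])
        if nxt is None or nxt in hops:      # landed, or loop
            break
        hops.append(nxt)
    return hops


def classify(url):
    """Describe why a landing page is suspicious."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    free = any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)
    haystack = (host + parts.path).lower()
    tokens = [t for t in BRAND_TOKENS if t in haystack]
    if free and tokens:
        verdict = "free-hosted brand lookalike"
    elif free:
        verdict = "free hosting"
    elif tokens:
        verdict = "brand words on non-brand host"
    else:
        verdict = "no signal"
    return {"host": host, "free_hosting": free, "brand_tokens": tokens, "verdict": verdict}


# Constructed chain modelled on the real-estate bid email: a Symantec-rewritten
# link -> a throwaway redirector -> a OneDrive/Adobe lookalike on Firebase
# hosting. None of these hosts are real; the redirect table stands in for the
# 302 responses a live fetch would return.
CLICKED = ("https://clicktime.symantec.com/3AbCdEfGhIjK?h=deadbeef"
           "&u=https%3A%2F%2Fbid-docs-share.example%2Fview%2Fproject.pdf")
REDIRECTS = {
    "https://bid-docs-share.example/view/project.pdf":
        "https://onedrive-secure-docs.web.app/adobe/login.html",
}

if __name__ == "__main__":
    chain = resolve_chain(CLICKED, REDIRECTS)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop}")
    print(classify(chain[-1]))
```

In production, replace the redirect dict with a fetch that follows 3xx responses in a sandboxed client and feed the final host to the classifier; the point is that a verdict on the clicked URL alone tells you only that a security vendor’s rewriter or a Google domain is involved, which is precisely what the attacker intended you to see.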

Securing Office 365 Email With Armorblox

As the examples in this article show, Microsoft’s native security features weren’t enough on their own to protect users against these spear phishing attacks. Augmenting the built-in controls with a layered solution such as Armorblox protects your business, and the people in it, from fraud and sensitive data exposure.

Want to learn more about spear phishing, Business Email Compromise (BEC), and 0-Day credential phishing attacks? Subscribe to our email updates to stay informed on our advanced threat research.
