Each Blox Tales blog* will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credential phishing attempt that impersonates the IT team, requests a reset of the target’s Office 365 password, and guides them to a page designed to look like SharePoint.
*Try saying ‘Blox Tales blog’ out loud a couple of times if you’d like to give your tongue some cardio.
A few days ago, we saw a credential phishing email land in a customer inbox. This email claimed to come from the customer’s IT team and told recipients that their Office 365 password had expired. The email included a link where readers could go if they wanted to keep their old password. A redacted screenshot of the email is given below.
Why The Attack Got Through
This email got past the existing Office 365 security controls because it lacked the characteristics that traditional phishing filters key on: high volume, a known-bad link, and generic wording.
1. Not a mass email
This was not a bulk email; only a few people in the target organization received it, so it was never caught by the bulk email filters of Exchange Online Protection (EOP).
2. Zero-day link and lookalike website
The attacker registered a new domain for the link in this email, so no EOP filter built to block known bad links had ever seen it, and nothing blocked it on reputation. The link led to a webpage that was painstakingly made to look like a SharePoint page. A screenshot is presented below:
The irony of the footer text - Don’t give your personal information to someone you don’t trust - is not lost on us.
3. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly crafted and sent to trigger the required response. The sender name impersonated the customer’s IT team, making the email likely to pass the eye test when people glanced through it amid hundreds of other emails in their overflowing mailboxes. The subject line - Notification: Password Update - is relevant, to the point, and likely to trigger urgency in the reader’s mind (we all know how important our passwords are). The text of the CTA (call to action) - Keep Current Password - states clearly what the recipient will supposedly get by clicking the link. A more effective CTA than many marketing emails!
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models are trained on large volumes of email data and further tuned to each customer environment. These models analyzed the email body and detected that it contained an unusual request (a common trait of business email compromise attacks).
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
3. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model detected that the attacker’s domain had not communicated with the target company as a whole.
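To make the three signals above concrete, here is a small added example (written for this post, not Armorblox code) that scores an email on the same ideas: a lexical check for a credential-reset request, a mailbox-level sender-to-recipient history count, and an organization-level sender-domain count, plus an IT-impersonation check on the display name. The organization domain, the mail history, the two sample messages and the attacker domain are all constructed for the example; a real deployment would derive the history from mail-flow logs over a long window and use far richer language models than a regex.

```python
import re
from collections import Counter
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed target organization domain (constructed)

# Constructed history of (sender, recipient) pairs from previously delivered mail.
MAIL_HISTORY = [
    ("alice@example.com", "bob@example.com"),
    ("alice@example.com", "bob@example.com"),
    ("helpdesk@example.com", "bob@example.com"),
    ("helpdesk@example.com", "carol@example.com"),
    ("billing@supplier.example", "carol@example.com"),
    ("billing@supplier.example", "carol@example.com"),
]

# Deliberately simple lexical cues for a password-reset style request.
_ACTION = r"(expire[sd]?|reset|update|keep current)"
CREDENTIAL_RE = re.compile(
    rf"\bpassword\b.*\b{_ACTION}\b|\b{_ACTION}\b.*\bpassword\b", re.I | re.S)
IT_NAME_RE = re.compile(r"\b(it|helpdesk|help desk|support|admin)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def build_profiles(history):
    """Mailbox tier: how often each sender wrote to each recipient.
    Organization tier: how often each sender domain wrote to anyone in the org."""
    pair_counts = Counter(history)
    domain_counts = Counter(s.rsplit("@", 1)[-1].lower() for s, _ in history)
    return pair_counts, domain_counts


def extract_signals(msg, pair_counts, domain_counts):
    """Return the individual detection signals for one message dict."""
    display, sender = parseaddr(msg["from"])
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    text = msg["subject"] + "\n" + msg["body"]
    return {
        "pair_history": pair_counts.get((sender, msg["to"].lower()), 0),
        "domain_history": domain_counts.get(sender_domain, 0),
        "credential_request": bool(CREDENTIAL_RE.search(text)),
        "has_link": bool(URL_RE.search(msg["body"])),
        # Display name claims to be IT/helpdesk but the address is external.
        "it_impersonation": bool(IT_NAME_RE.search(display)) and sender_domain != ORG_DOMAIN,
    }


def classify(signals):
    """A credential request alone is not a violation; it is escalated only when
    the sender is unknown to the mailbox or to the whole organization, or is
    impersonating internal IT from an outside domain."""
    if not (signals["credential_request"] and signals["has_link"]):
        return "deliver"
    unfamiliar = signals["pair_history"] == 0 or signals["domain_history"] == 0
    if unfamiliar or signals["it_impersonation"]:
        return "quarantine"
    return "flag"  # known sender asking about passwords: log it, do not block


def analyze(msg, history=MAIL_HISTORY):
    pair_counts, domain_counts = build_profiles(history)
    signals = extract_signals(msg, pair_counts, domain_counts)
    return classify(signals), signals


# Constructed sample resembling the attack described above (domain is made up).
PHISH = {
    "from": '"IT Team" <it-team@office365-passwordportal.example>',
    "to": "bob@example.com",
    "subject": "Notification: Password Update",
    "body": ("Your Office 365 password has expired today.\n"
             "To keep your current password, click: Keep Current Password\n"
             "https://office365-passwordportal.example/sharepoint/login\n"),
}

# Constructed benign reminder from the real internal helpdesk.
BENIGN = {
    "from": '"Helpdesk" <helpdesk@example.com>',
    "to": "bob@example.com",
    "subject": "Reminder: password expires in 7 days",
    "body": "Your password will expire soon. Change it at https://intranet.example.com/account\n",
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        verdict, signals = analyze(msg)
        print(f"{name}: {verdict} {signals}")
```

The point of the three-tier split is visible in the output: the phishing sample trips the mailbox tier (no prior mail from that sender to bob), the organization tier (no prior mail from that domain to anyone), and the impersonation check, while the internal helpdesk reminder carries the same password language but is only flagged because both history counts are non-zero.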
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a social engineering threat. The email was automatically quarantined based on predetermined remediation actions for the social engineering detection category.
Stay tuned for more Blox Tales! If you’re interested to learn about Armorblox, you can schedule a demo with one of our email security experts.