New Office 365 Phishing Attack

Posted by Geraldine Hunt on Thu, Oct 22nd, 2020

Cybercriminals are scammers. Like the scammers of old who used ‘the sting’ to trick innocent bystanders to hand over hard-earned cash, modern fraudsters also use inherent ‘trust’ to dupe us. The latest phishing scam demonstrates the psychology of cybercrime very well, but with a few clever twists. In this latest phish, believed to have started on September 21, 2020, scammers turn to their favorite brand, Office 365. The scam takes advantage of users' trust in the challenge-response test, CAPTCHA.

Captcha(ing) our trust

Phishing is an important tool for cybercriminals. The technique is behind 90% of data breaches with 1 in 3 employees clicking on a link in a phishing email. A further 1 in 8 employees will enter login credentials into a spoof site. It potentially takes just a single set of login credentials to execute a cyber-attack against a corporate network.

Phishing relies heavily on manipulating human behavior. One of the ways that human beings interact with computers is using an inherent behavior known as ‘cognitive bias’. We all use biases in making everyday decisions. It helps to make fast choices. This behavior is used by legitimate businesses too. For example, the ‘anchoring effect’ (a form of bias) is used to encourage sales choices. Customers become ‘anchored’ by a single aspect of a product to the exclusion of others, salespeople use this to great effect. 

The CAPTCHA system is used on many websites to check that it is a human being, rather than an automated bot, that is entering information into forms, etc. CAPTCHA has been around for many years, so we are all used to it popping up, asking us to pick the cells in an image that shows a hydrant, car, bicycle, etc. Cognitive bias kicks in as we repeatedly interact with CAPTCHA challenges. The latest Office 365 phishing ‘Captcha’ scam uses our cognitive bias and trust that the CAPTCHA system is a security check, along with a few other clever tricks too.

Here is why the latest Office 365 phishing scam works so well:

An Office 365 phishing triple-whammy

This latest Office 365 phishing scam has several elements that together make it a cyber-attack that is very difficult to detect and prevent. This Office 365 phishing scam has three core elements to it:

Tricking the Detectors

What is particularly clever about this attack is that it uses the security system to defeat itself. The spoof site presents 3-layers of CAPTCHA challenges. The first is a simple “I am a human” check box. The subsequent CAPTCHA challenges ask to pick any box that contains a specific item, e.g. a bicycle. Malware-scanning tools are stopped at the first CAPTCHA challenge and never get to the site that controls the malware; aka the site delivered after successfully passing CAPTCHA number 3. In other words, only human users can get to the spoof site stage.

IP Address Detection

The phishing scam is set up so that only specific, chosen, IP ranges can access the spoof site. If an automated (or manual) attempt at detection is outside of the range of IP addresses of interest (i.e. the corporate victim’s IP addresses) the detection attempt will redirect to the real Office 365 site. This is also extended to checking the geolocation of the victim. This is a very effective way of preventing detection, a form of digital ‘bait and switch’.

Tricking the User

Cognitive bias is perfect for the cybercriminal to take advantage of, and they use it cleverly in this phish. The spoof site looks real, and it uses CAPTCHA therefore it must be real! That is the thinking behind the phishing scam design. If a user is shown security signals, such as CAPTCHA, coupled with a realistic looking site, the user is more likely to have an inbuilt bias that will allow them to feel comfortable enough to enter login credentials.  

A new report from Microsoft points out that:

“...threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets.”

This phishing scam is evidence of this. The cybercriminals behind the scam use layers of protection and trickery to enact their aim of credential theft or install malware.

A Q3 2020 report from Check Point, identified Microsoft was the most popular brand used by cybercriminals to phish users. But others include DHL, PayPal, and Apple. This scam may be Office 365 focused, but cybercriminals change their tactics, and next month it may be another popular online collaboration portal.

Organizations can no longer rely on users to be security aware; these clever tactics use our own inherent behavior against us and layer on multiple techniques to evade detection. Companies across the world should expect increasingly clever phishing scams to continue. Smart solutions such as Web Content Filtering, help to prevent employee access to dangerous websites reducing the likelihood of corporate data breaches and other cyber-attacks.

Content Filtering With WebTitan Cloud

WebTitan Cloud is a DNS based web content filtering solution that provides complete protection from online threats such as viruses, malware, ransomware, phishing and comprehensive content filtering. WebTitan Cloud is a low maintenance solution that can be set up in five minutes to stop your users from accessing inappropriate content online.

Our intelligent AI driven real time content categorization engine combines industry leading anti-virus and cloud based architecture. This makes the WebTitan Cloud content filter an ideal solution for organizations needing maximum protection and minimal maintenance. Webtitan customer testimonials speak for themselves.

Contact our team today and find out how our powerful tools for filtering web content can help your business.