If your organization subscribes to Office 365 for email, chances are some of your users have received this phishing email within the past couple of weeks. In this instance, the user receives an email from his or her own email account. A hacker then explains that he has cracked the email account several months ago by intercepting a password the user typed into a website they visited. The hacker then shows proof that he knows the password by listing it in the email along with the user’s email address. The first part of the actual phishing email is shown below:
I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password from [user's email] on moment of hack: [user's password]”
Naturally, this comes as a shock to the user who then wonders how the hacker was able to send an email using their own email address. The even scarier part is the fact that the user most likely recognizes their password as one they use currently or have used in the past. The user then ponders the option of changing their password immediately until they read the next paragraph.
“Of course, you can and will change it, or already have changed it.
But it doesn't matter, my malware updated it every time.
Do not try to contact me or find me, it is impossible, since I sent you an email from your account.”
At that point, the user most likely contacts their IT department. While the user should not be alarmed by this phishing attempt, the organization’s IT department should be very alarmed. They should be concerned that this email has perpetually breached the security of Office 365 over the month of October 2018 and readily appeared in so many inboxes. This includes organizations who pay the additional licensing fees for Advanced Threat Protection.
So, just how is the hacker able to send an email from the user’s account and know their password? Well, the real answer is they didn’t. This is a classic example of email spoofing and believe it or not, anyone can do it. The easiest way is to go to a website such as www.deadfake.com which allows you to send free anonymous fake emails to anyone, impersonating anyone you like. That’s right, email your fellow employees using your boss’s email address or send an email to your friend from the President of the United States. There are many sites like this such as www.sendanonymousemail.net and www.anonymailer.net.
Naturally, this method does not work well for mass email attacks. For criminals wanting to scale their spoofing efforts, they often obtain a Unix computer that is set up with mail services. They then forge a “from address” with a line of code such as:
Mail –a From:firstname.lastname@example.org
That creates a message that says “email@example.com” in the “From” field. They then type a subject line and message content.
But what about the password you may be wondering? How could they have possibly obtained this information? Well, they certainly didn’t intercept it from a website you visited. The listed password is an actual password the user had at some point that the hacker obtained from a password dump located on the dark web.
Some people who have received this phishing email report having used the password at one time on LinkedIn which had over 117 million passwords stolen two years ago. When these large sites such as LinkedIn or Yahoo suffer a breach, the millions of user passwords that are confiscated are sold, circulated and used for years in instances such as this.
This is why you should NEVER use the same password for all of your websites and why you should change your password at regular intervals throughout the year. So, in actuality, the hacker does not know anything about you other than an old password that hopefully is completely outdated. He certainly doesn’t know the detail that the email then goes on to explain.
“Through your email, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to Internet resources.
Also, I installed a Trojan on your device and long-time spying for you.
You are not my only victim, I usually lock computers and ask for a ransom.
But I was struck by the sites of intimate content that you often visit.”
The hacker goes on to try and scare the user into thinking he has screenshots of inappropriate web content the user visited. He threatens to send these screenshots to all of the user’s contacts within 48 hours unless the user pays him $892 in bitcoin to a Bitcoin Wallet which he then lists.
One interesting point about bitcoin wallets is that you can view the current balance of any bitcoin address and monitor it (just do a web search for sites that allow you to do this). At the time of writing this article, this particular bitcoin account had 26 transactions over the past three days. This hacker undoubtedly is using multiple BTC wallets to spread his attacks.
While these types of phishing attacks are harmless, they can cause a great deal of apprehension and unease with users (especially if they indeed have involved themselves with inappropriate web content). They also consume time and resources from your IT support team who are more than likely stretched in several directions.
This is why it is vitally important to use a third party spam filtering solution with Office 365. Using a full-fledged email security solution built from the ground up from a dedicated vendor to supplement the basic spam filtering services provided by Office 365 is something more and more organizations are doing. Why? Because they must in order to protect their users and their reputation. Office 365 security is not enough as so many hackers continually probe the O365 defences on a daily basis.
Since 1999 SpamTitan has been building threat intelligence to dramatically reduce the risk of a successful attack on your organization. With SpamTitan you’ll significantly reduce the risk of new variants of malicious email from entering your network. Unlike Microsoft, security is all we do!
Are you concerned with Phishing and Malware in Office 365? Get a free personalized demo and see how SpamTitan can help secure your Office 365 environment today.
Sign-up for email updates...
Call us on USA +1 813 304 2544 or IRL +353 91 545555Contact Us