Wed. Apr 17th, 2024

PhishLabs has discovered a new phishing campaign that targets Office 365 administrative accounts. According to the firm, the attackers behind the campaign are sending phishing lures that impersonate Microsoft and its Office 365 brand.

https://info.phishlabs.com/hs-fs/hubfs/0365%20phishing%20site.png?width=2865&name=0365%20phishing%20site.png

According to Michael Tyler at PhishLabs, cybercriminals are looking to compromise Microsoft Office 365 administrator accounts to send out phishing lures – thus ensuring the emails come from legitimate, validated domains.

“This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email,” he explained. “Well-established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.”

The cybercriminals are sending the emails from multiple validated domains – an educational institution, for example – that do not belong to Microsoft. Victims who click the link are presented with a spoofed Office 365 login page. The attackers target administrative accounts for several reasons: Office 365 admins have administrative control over all email accounts on a domain. A compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain.

With a compromised admin account, attackers can also create new accounts within an organization to abuse single sign-on systems. They can even send more phishing mail that trades on the organization's reputation.

The firm has so far observed these URLs:

http://www.clinicaccct[dot]com/srvt/[email protected]

http://www.aranibarcollections[dot]com/srvt/[email protected]

The subject lines the attackers are using in the phishing emails are:

  • Re: Action Required!
  • Re: We placed a hold on your account
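Because the lures arrive from legitimate, validated domains, a mail triage check for this campaign has to key on message content rather than sender reputation. The following is an added example, not code from PhishLabs or the original article: it matches the subject lines and URL hosts listed above against a raw message. The function names, the sample message and the `example.edu` / `example.net` names are constructed for illustration, and stripping `Re:`/`Fw:` prefixes before comparing subjects is a generalization beyond the exact strings reported.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

def refang(text):
    """Undo common defanging so defanged and live URLs compare equal."""
    text = re.sub(r"\[(?:dot|\.)\]", ".", text, flags=re.I)
    return re.sub(r"hxxp", "http", text, flags=re.I)

# Indicators exactly as listed in the article (hosts kept defanged here).
IOC_HOSTS = {refang(h) for h in ("www.clinicaccct[dot]com",
                                 "www.aranibarcollections[dot]com")}
IOC_SUBJECTS = {"action required!", "we placed a hold on your account"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def norm_subject(subject):
    """Drop any chain of Re:/Fw: prefixes, fold case and whitespace."""
    s = re.sub(r"^(?:\s*(?:re|fwd?)\s*:)+", "", subject or "", flags=re.I)
    return " ".join(s.split()).lower()

def triage(raw):
    """Return indicator hits for one RFC 5322 message.

    SPF/DKIM results and sender domain are deliberately not consulted:
    the lures are sent from legitimate, validated domains.
    """
    msg = message_from_string(raw)
    hits = []
    if norm_subject(msg["Subject"]) in IOC_SUBJECTS:
        hits.append("subject")
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    for url in URL_RE.findall(refang(body)):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. unbalanced brackets
            continue
        if host in IOC_HOSTS:
            hits.append("url:" + host)
    return hits

# Constructed sample: passes sender authentication, still matches.
SAMPLE = ("From: IT Support <helpdesk@example.edu>\n"
          "Authentication-Results: mx.example.net; spf=pass; dkim=pass\n"
          "Subject: Re: Action Required!\n\n"
          "Review your account: http://www.clinicaccct[dot]com/srvt/ today\n")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A subject hit on its own is weak evidence; a message that matches both a subject and a URL host is the stronger signal for quarantine and review.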

 
