chat
expand_more

Skype Impersonated in Microsoft 365 Attack

Skype is used prolifically in both casual and business settings. As a result of its affiliation with Microsoft, it is a popular choice for attackers to impersonate in order to trick victims into handing over their Microsoft credentials. In these attacks, the sender...
July 28, 2020

Skype is used prolifically in both casual and business settings. As a result of its affiliation with Microsoft, it is a popular choice for attackers to impersonate in order to trick victims into handing over their Microsoft credentials.

Summary of Attack Target

Platform: Office 365
Email Security: IronPort
Payload: Malicious Link
Technique: Impersonation

Overview of the Skype Impersonation Attack

In these attacks, the sender impersonates an automated Skype invoice notification and uses brief language. The message notes it is for the finance department and contains a link to the supposed invoice.

If a recipient clicks on the link provided, they are brought to a replica of the Microsoft sign-in page which mimics a legitimate Microsoft login page and includes the Skype logo above the sign-in location. It should be noticed though that the URL leads to 'skype-online51877.web.app' which is not associated with either Skype or Microsoft.

Nonetheless, the landing page looks extremely convincing and if a recipient were to enter their credentials, they risk exposing sensitive information found within their Microsoft account. This is particularly nefarious given that these credentials also give access to Office 365 where the attacker can access existing email conversations or use the account to send attacks on coworkers, partners, and customers.

Why the Skype Impersonation Attack is Effective

Within the email, the attacker includes references to the recipient’s organization and a note that the message is for the finance department. Here, the attacker is hoping that even if the recipient is not from the finance department, they will still follow the link or send it to the “appropriate” individuals. By mimicking an official application, attackers hope that the recipient will be less likely to scrutinize the content of the message and be more susceptible to the attack.

In addition, the payload link is concealed in the text. However, when clicked, it reveals the link used is hosted on Branch.io, which is a service that conceals the real link and tracks link usage. This attack is sophisticated in the use of link tracking, as the attacker is able to change the destination of the redirect link based on the collected link usage. In this attack, the first few clicks on the link directed to the Skype phishing page. However, on subsequent clicks on this link, it directs to the real Microsoft website. The attacker does this in order to bypass security measures that crawl links.

Abnormal Security blocks this by detecting specific aspects of the email, including the suspicious links, particularly the additional embedded links, and the unusual sender. We're also able to detect that the body text contains spaces with a size zero font, which is a common pattern within email attacks.

To learn how Abnormal can protect you from Skype and Office 365 attacks, see a demo today.

Skype Impersonated in Microsoft 365 Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

 

See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

 
Integrates Insights Reporting 09 08 22

Related Posts

B Most Interesting Attacks Q1 2024
Take a look at five of the most unique and sophisticated email attacks recently detected and stopped by Abnormal.
Read More
B MKT499 Images for Customer Blog Series
Discover key industry trends and insights from cybersecurity leader Michael Marassa, CTO of New Trier Township High School District 203.
Read More
B Construction Professional Services QR Code Attacks
Abnormal data shows construction firms and professional service providers are up to 19.2 times and 18.5 times, respectively, more likely to receive QR code attacks than organizations in other industries.
Read More
B 1500x1500 Evolving Abnormal R2
From the beginning, we created Abnormal Security to be a generational company that protects people from cybercrime. Here’s how we’re doing it.
Read More
Blog Cover 1500x1500 Images for SOC Time Blog
Discover the critical tasks that occupy SOC analysts’ schedules beyond mere inbox management, and discover insights into optimizing efficiency in cybersecurity operations.
Read More
B 1500x1500 MKT494 Top Women in Cybersecurity
In honor of Women's History Month, we're spotlighting 10 women leaders who are making invaluable contributions to cybersecurity.
Read More