Skype Impersonated in Microsoft 365 Attack

July 28, 2020

Skype is widely used in both casual and business settings. Because of its affiliation with Microsoft, it is a popular choice for attackers to impersonate in order to trick victims into handing over their Microsoft credentials.

Summary of Attack Target

Platform: Office 365
Email Security: IronPort
Payload: Malicious Link
Technique: Impersonation

Overview of the Skype Impersonation Attack

In these attacks, the sender impersonates an automated Skype invoice notification and uses brief language. The message notes it is for the finance department and contains a link to the supposed invoice.

If a recipient clicks on the link provided, they are brought to a replica of the legitimate Microsoft sign-in page, which includes the Skype logo above the sign-in location. Note, though, that the URL leads to 'skype-online51877.web.app', which is not associated with either Skype or Microsoft.

Nonetheless, the landing page looks extremely convincing, and a recipient who enters their credentials risks exposing sensitive information found within their Microsoft account. This is particularly nefarious given that these credentials also give access to Office 365, where the attacker can access existing email conversations or use the account to send attacks to coworkers, partners, and customers.

Why the Skype Impersonation Attack is Effective

Within the email, the attacker includes references to the recipient’s organization and a note that the message is for the finance department. Here, the attacker is hoping that even if the recipient is not from the finance department, they will still follow the link or send it to the “appropriate” individuals. By mimicking an official application, attackers hope that the recipient will be less likely to scrutinize the content of the message and be more susceptible to the attack.

In addition, the payload link is concealed in the text. When clicked, it reveals that the link is hosted on Branch.io, a service that conceals the real link and tracks link usage. The use of link tracking makes this attack sophisticated, as the attacker is able to change the destination of the redirect link based on the collected link usage. In this attack, the first few clicks on the link directed to the Skype phishing page. On subsequent clicks, however, the same link directs to the real Microsoft website. The attacker does this in order to bypass security measures that crawl links.

Abnormal Security blocks this by detecting specific aspects of the email, including the suspicious links, particularly the additional embedded links, and the unusual sender. We're also able to detect that the body text contains spaces with a size zero font, which is a common pattern within email attacks.
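As an added illustration (not Abnormal's detection code), the following Python sketch checks an HTML email body for two of the signals described above: text styled with a zero font size, and links whose host belongs to a link-tracking or redirect service. The redirect suffix `tracker.example` and the sample body are constructed placeholders; a real deployment would supply its own list of redirect domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline style declaring a font size of zero (0, 0px, 0.0pt, ...).
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link", "area", "col", "wbr"}

class BodyScanner(HTMLParser):
    def __init__(self, redirect_suffixes):
        super().__init__(convert_charrefs=True)
        self.redirect_suffixes = redirect_suffixes
        self.stack = []           # one flag per open element (assumes well-nested markup)
        self.hidden_chars = 0     # characters, including spaces, rendered at size zero
        self.redirect_links = []  # hrefs whose host is a link-tracking service

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            host = (urlsplit(attrs.get("href") or "").hostname or "").lower()
            if any(host == s or host.endswith("." + s) for s in self.redirect_suffixes):
                self.redirect_links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append(bool(ZERO_FONT.search(attrs.get("style") or "")))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if any(self.stack):  # inside at least one zero-size element
            self.hidden_chars += len(data)

def scan(html_body, redirect_suffixes):
    """Return both signals for one HTML body."""
    s = BodyScanner(redirect_suffixes)
    s.feed(html_body)
    s.close()
    return {"hidden_chars": s.hidden_chars, "redirect_links": s.redirect_links}

# Constructed sample body; tracker.example is a placeholder redirect service.
SAMPLE = (
    '<p>Sk<span style="font-size:0px"> </span>ype invoice for the finance department</p>'
    '<p><a href="https://links.tracker.example/a1b2">View invoice</a></p>'
    '<p style="font-size:12px">Thank you</p>'
)

if __name__ == "__main__":
    print(scan(SAMPLE, {"tracker.example"}))
```

Because the redirect destination can change between clicks, the presence of a tracking link is treated here as a signal in its own right rather than something to resolve by crawling.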

To learn how Abnormal can protect you from Skype and Office 365 attacks, see a demo today.
