Abnormal Attack Stories: Spoofed Microsoft Security Alert
July 22, 2020
In this attack, attackers spoof an internal email from the recipient’s company regarding a security alert in order to steal user account credentials.
Quick Summary of Attack Target
Platform: Office 365
Email Security: Proofpoint
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Spoofed Email
What was the attack?
Setup: Microsoft sends security alerts when there may have been a fraudulent login to a user's account. Users are usually inclined to trust these emails because they come from a trusted brand. As the email concerns email security, the recipient may unconsciously trust it based solely on its subject matter. In this attack, the attackers leverage this trust by impersonating such a security alert.
Email Attack: This email impersonates a security notification for the recipient's Microsoft account, ostensibly sent by the company's email security team. The message claims there was a suspicious sign-in and that the user should review their account activity via the link provided.
Payload: Instead of directing the recipient to the sign-in activity page, the link leads to what appears to be a Microsoft login page hosted on a site likely controlled by the attackers. The recipient's professional email address is already filled in, so all the recipient has to do is enter their password. With fewer steps required to enter credentials, the recipient is more likely to fall for the attack.
Result: If the recipient inputs their login credentials, the attacker can utilize this information to compromise the recipient’s account.
Why is this attack effective?
Urgency & Concealed URL: The email presents itself as a security notification, claiming there may be a suspicious login from the recipient’s account. This notification – that the recipient’s account might have been breached – is more likely to cause a recipient to act quickly and overlook any red flags. Thus, the recipient may not realize that both the message and the link are fraudulent.
Spoofed Email: The attacker has successfully spoofed the email domain of the recipient’s company. This means that the recipient is less likely to realize that the message is malicious, as they will believe it has originated from a safe, internal source.
Convincing Landing Page: The landing page for this attack impersonates the official Microsoft login page. By impersonating a security notification email, the attacker gains credibility with the recipient: by notifying them of a "bad" login, the attacker leads the user to believe the email itself is "good".
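As an added example (not from the original post or from Abnormal Security), a small Python triage check for the two signals described above: a From: address in the recipient's own domain whose SPF/DKIM/DMARC did not pass, and a link to a login page outside Microsoft's own hosts that already carries the recipient's address. The allow-listed hosts, the header layout and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft sign-in pages (assumed allow-list for this example).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "account.microsoft.com"}

def auth_failed(results: str) -> bool:
    """True if the Authentication-Results header shows no passing SPF, DKIM or DMARC result."""
    return not re.search(r"\b(?:spf|dkim|dmarc)=pass\b", results, re.IGNORECASE)

def classify(raw: str, recipient: str) -> list[str]:
    """Return the reasons this message looks like a spoofed internal security alert (empty = clean)."""
    msg = message_from_string(raw)
    reasons = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpt_domain = recipient.rpartition("@")[2].lower()
    # 1. Claims to come from the recipient's own domain, but sender authentication did not pass.
    if from_domain == rcpt_domain and auth_failed(msg.get("Authentication-Results", "")):
        reasons.append("internal From: domain with failed SPF/DKIM/DMARC")
    # 2. Security-alert lure in the subject line.
    if re.search(r"suspicious|unusual sign|security alert", msg.get("Subject", ""), re.IGNORECASE):
        reasons.append("security-alert lure in subject")
    # 3. Login-style links outside Microsoft's hosts, worst when the victim's address is prefilled.
    body = msg.get_payload(decode=True).decode(errors="replace") if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if host not in MICROSOFT_LOGIN_HOSTS:
            if recipient.lower() in url.lower():
                reasons.append(f"external link with recipient address prefilled: {host}")
            elif re.search(r"login|signin|account", url, re.IGNORECASE):
                reasons.append(f"external login-style link: {host}")
    return reasons

# Constructed sample modelled on the alert described in the post (not a real message).
SAMPLE = """From: IT Security <security@example-corp.com>
To: alice@example-corp.com
Subject: Security alert: suspicious sign-in to your Microsoft account
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail header.from=example-corp.com
Content-Type: text/plain

We detected a suspicious sign-in. Review your recent activity here:
https://login-microsoft-verify.example.net/account?email=alice@example-corp.com
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE, "alice@example-corp.com"):
        print("FLAG:", reason)
```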