VPN Impersonation Phishing

In this attack, attackers impersonate a notification from the user’s organization regarding VPN configuration. The link in the email, however, leads to a phishing website that aims to steal employees’ credentials.

Quick Summary

  • Platform: Microsoft Office 365
  • Mailboxes: 5,000 to 15,000
  • Email Gateway: None
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Spoofed Email

What was the attack?

  • Setup: Due to the transition to working from home during the COVID-19 pandemic, corporations have become more concerned about online security and privacy. Companies rely on VPNs to connect remote employees to vital company servers as well as to provide secure data sharing.

  • Email Attack: The attack impersonates a notification email from IT support at the recipients’ company. The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target’s company, the hyperlink actually directs to an Office 365 credential phishing website.
  • Payload: Numerous versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses. However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website.
  • Result: Should the recipient fall victim to this attack, the user’s credentials would be compromised. Information accessible with the user’s Microsoft credentials via single sign-on is at risk as well.

Why is this attack effective?

  • Necessity of a VPN while working from home: Because most employees are working from home, a VPN has become a necessity for some work-related tasks. Employees will likely be attuned to any alleged updates to their VPN configuration in order to avoid any issues completing work that requires VPN access.
  • Spoofed email: This email attack impersonated the recipients’ company domain. However, looking at the original email headers, we verified that the emails did not actually come from the recipients’ respective organizations.
  • Convincing email and landing page: The landing page is hosted on a Microsoft .NET platform. The landing page looks identical to the Office 365 login website, and since the phishing website is hosted on a Microsoft-owned platform, the webpage certificate is a valid Microsoft certificate. However, the URL of this site should not be trusted; instead, users should only log in from their main company-affiliated webpage.
  • Concealed URL: The URL used as the anchor text is different from the hyperlink URL. The anchor text contained the user’s company name. Because the real URL is hidden, the user may be unaware that the site they are accessing is not the real Microsoft Office login page.
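
The two checks described above, as an added example that is not part of the original report: an internal-looking sender that the headers do not authenticate, and anchor text that shows a different host than the hyperlink. The sample message, its domains and the finding labels are constructed for illustration, and the code assumes the Authentication-Results header was added by the receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every domain and header value is a placeholder.
SAMPLE = """\
From: IT Support <support@corp.example>
Subject: New VPN configuration for home access
Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail header.from=corp.example
Content-Type: text/html; charset="utf-8"

<a href="https://login-portal.hosting.example/o365">https://vpn.corp.example/config</a>
"""
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")

class AnchorCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw, org_domain):
    """Return findings for a raw RFC 5322 message that claims to be internal."""
    msg, findings = message_from_string(raw), []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumption: Authentication-Results was stamped by our own receiving server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if from_domain == org_domain and not re.search(r"\bdmarc=pass\b", auth):
        findings.append("unauthenticated-internal-sender")
    parser = AnchorCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text.lower())  # host the reader actually sees
        if shown and shown.group(1) != href_host:
            findings.append(f"anchor-mismatch:{shown.group(1)}->{href_host}")
    return findings
```

Anchor text that only names the company, without a URL, is not covered by the host comparison and would need a separate rule keyed on the organization's name.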
