Outlook Migration Impersonation - Abnormal Security


In this attack, an attacker impersonates a message from a company’s IT team about migration to a new version of Microsoft Outlook in order to harvest credentials.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: More than 80,000
Email Security Bypassed: Office 365
Victims: Employees
Payload: Malicious Link
Technique: Impersonation

What was the attack?

Setup: Attackers often attempt to emulate common emails that employees receive and which might give them access to the information they seek. In this case, attackers are leveraging the tech stack migrations that sometimes happen at companies in order to steal Microsoft Office 365 credentials. This particular attack is unique in that we’ve observed it aimed at both English- and German-speaking targets, with the text of the email in either English or German, depending on the language of the target.

Email Attack: The attacker impersonates IT services at the victim’s organization. While the display name and sender email address are generic and likely unknown to the recipient, the body of the message conveys that it originates from an official IT department at the victim’s organization. Furthermore, the attack leverages the COVID-19 pandemic by mentioning a new ‘COVID-19 Employee Symptom Tracker’ to incentivize concerned recipients to click on the link.

Payload: If clicked, the link embedded in the ‘click here’ hypertext leads to a phishing site unconnected to any legitimate Microsoft domains. The link directs recipients to various websites, and in this case, the URL eventually leads to “https://mail.cornwallhospital.ca/owa/auth/logon.aspx…”. This site impersonates an outdated Microsoft Outlook Web App login page, requesting a username and password. If the login page is filled out, the attacker will now have access to any platform that uses the victim’s Microsoft credentials.

Result: If the recipient does fall victim to this email attack and attempts to log in through the phishing page, their credentials will be compromised. The attacker will have access to any information the victim keeps in any Microsoft-related sites, and they will likely be able to steal more information from others by posing as the victim they just compromised.

Why is this attack effective?

Urgency: The attacker says that the recipient has 24 hours to complete the “migration”. The attacker states, “Please do not ignore this notification because it’s very compulsory”. Attackers know that they are more likely to see success when creating a sense of urgency on the part of the recipient: moving quickly means that recipients will let their guard down and are less likely to inspect emails for any red flags.

Convincing email and landing page: Since the attack is written in English and German (depending on the recipient), the attacker appears to have done some research on the specific targets. Additionally, the attack uses a convincing landing page that looks identical to the actual login page for the Outlook web app.
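The two signals described above, a landing page that clones an OWA logon form on a non-Microsoft host and urgency/migration lure wording in English or German, can be combined into a simple mail-triage check. The following is an added example, not Abnormal Security’s detection logic; the trusted-host allowlist, the lure term list, the sample messages and the resolved-URL mapping are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts where a genuine Microsoft 365 sign-in page lives. Assumption: extend with
# your own OWA host (e.g. mail.yourcompany.example) so internal mail is not flagged.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
    "outlook.office.com", "outlook.office365.com",
}
# Path of a classic Exchange/OWA logon page, which the cloned landing page copied.
OWA_LOGON_PATH = re.compile(r"/owa/auth/logon\.aspx", re.I)
# Lure wording from the campaign, in English and German (constructed list).
LURE_TERMS = [r"\b24 ?hours?\b", r"\b24 ?stunden\b", r"compulsory", r"do not ignore",
              r"nicht ignorieren", r"migrat", r"migrier", r"symptom tracker"]
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def fake_logon_page(url: str) -> bool:
    """True if the URL mimics an OWA logon page but is not on a trusted host.
    Exact host match also catches look-alikes such as login.microsoftonline.com.evil.test."""
    host = (urlparse(url).hostname or "").lower()
    return host not in TRUSTED_LOGIN_HOSTS and bool(OWA_LOGON_PATH.search(url))

def analyze(subject: str, body: str, resolved: dict[str, str]) -> dict:
    """Score one message. `resolved` maps each embedded link to the final URL it
    lands on after redirects (assumption: supplied by a URL-detonation or link-
    rewriting service, since the 'click here' link itself is only a redirector)."""
    text = f"{subject}\n{body}".lower()
    lures = [t for t in LURE_TERMS if re.search(t, text)]
    bad_links = [u for u in URL_RE.findall(body)
                 if fake_logon_page(resolved.get(u, u))]
    if bad_links:
        verdict = "phish"
    elif len(lures) >= 2:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "lures": lures, "bad_links": bad_links}

# Constructed samples (not real messages or indicators).
PHISH_BODY = ("IT Services: all mailboxes migrate to the new Outlook within 24 hours. "
              "Please do not ignore this notification because it's very compulsory. "
              "Click here: https://redirect.example.test/go?id=42")
PHISH_RESOLVED = {"https://redirect.example.test/go?id=42":
                  "https://mail.compromised-host.test/owa/auth/logon.aspx?url=x"}
BENIGN_BODY = ("Reminder: sign in at https://login.microsoftonline.com/ to review "
               "your mailbox storage; no action is required today.")

if __name__ == "__main__":
    print(analyze("Outlook migration", PHISH_BODY, PHISH_RESOLVED))
    print(analyze("Mailbox storage", BENIGN_BODY, {}))
```

A message with several lure terms but no resolvable bad link lands in "review" rather than "phish", which is the right place for a redirector that detonation could not follow.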
