07/12/2021 | News release | Distributed by Public on 07/12/2021 13:57
Since July 8th we have been tracking a new phishing email campaign that targets many of our partners and end users worldwide and tries to steal not only their Microsoft 365 credentials but also their credit card details. More disturbing, the campaign bypassed a variety of email security solutions used by many managed service providers (MSPs), including products from leading vendors that claim to secure Microsoft 365 against advanced threats.
Traditionally, phishing campaigns that steal Microsoft user credentials use pretexts such as 'XXX shared a document with you' or 'A new voicemail is waiting for you', luring users into clicking a malicious link and entering their Microsoft 365 credentials into a fake login page.
In this case, planning to steal credit card details on top of the Microsoft 365 credentials, the attackers went further and built an entire multi-step 'journey' to fool victims. Here is how it works:
An investigation by Datto revealed that each field the user submits triggers a separate request to the attacker's server, so every piece of phished information is delivered as soon as it is entered:
This way, even if a user becomes suspicious at some stage, the data entered so far has already been sent to the threat actor. And once the attackers have gained the user's trust early in the 'journey', the user is more likely to keep believing and to enter the credentials when they are finally requested.
The threat actor combined social engineering techniques, an approach that builds the user's trust in the email and its sender along the journey, with tricks that allowed the email to bypass security measures. In addition, the attack was designed to collect information at each and every step; as you can imagine, even partial information is valuable to attackers.
Stay informed about ongoing threats and the techniques bad actors use. This is a sophisticated campaign that many email security solutions do not stop, so make sure you and your employees or end users are aware of it.
In addition, hover your cursor over the link to verify that it goes to a real Microsoft website. Many organizations use URL rewriting (e.g. Safe Links or URL Defense), which prevents users from seeing the domain the URL actually points to. In that case it is acceptable to click the link, but check the domain shown in the browser's address bar once the page loads, and never enter your Microsoft 365 credentials or credit card details on it.
Similarly, when something looks suspicious, check the sender's actual email address (not just the display name) by hovering over it. If it is not someone you know, do not click the link.
And last but not least, make yourself a rule: if an email offers you something you weren't expecting, start suspecting!
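Putting the two checks above into code, the real destination behind a rewritten link and the real sender address behind a display name, as an added example for this post (it is not code from the original article or from Datto): it unwraps Microsoft Safe Links and Proofpoint URL Defense v2/v3 links and then tests the real host against a small allow-list of Microsoft domains. The allow-list, the sample links and the sample From: header are constructed assumptions for the example, not indicators from the campaign.

```python
"""Reveal where a rewritten link really goes, and check link and sender
against Microsoft domains.

Added example for this post; not code from the original article or from
Datto. Assumptions: the Safe Links and URL Defense URL shapes handled below,
and an illustrative allow-list of Microsoft domains.
"""
import re
from email.utils import parseaddr
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Domains a genuine Microsoft 365 sign-in or notification comes from.
# Illustrative allow-list (an assumption of this example); extend as needed.
MICROSOFT_DOMAINS = ("microsoftonline.com", "microsoft.com", "live.com", "office.com")


def unwrap_safelinks(url: str) -> Optional[str]:
    """Defender Safe Links keeps the original link in the 'url' query parameter
    of https://<region>.safelinks.protection.outlook.com/?url=..."""
    parts = urlsplit(url)
    if not (parts.hostname or "").lower().endswith(".safelinks.protection.outlook.com"):
        return None
    target = parse_qs(parts.query).get("url")
    return target[0] if target else None


def unwrap_urldefense_v2(url: str) -> Optional[str]:
    """Proofpoint URL Defense v2 puts the original link in the 'u' parameter,
    with '/' written as '_' and other reserved bytes as '-XX' (hex)."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "urldefense.proofpoint.com" or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u")
    if not encoded:
        return None
    return unquote(encoded[0].replace("-", "%").replace("_", "/"))


def unwrap_urldefense_v3(url: str) -> Optional[str]:
    """URL Defense v3: https://urldefense.com/v3/__<link>__;<encoded>!!<hash>$
    Characters Proofpoint could not keep in <link> are replaced by '*' and
    restored from <encoded>; this example returns only the visible part, which
    for an ordinary ASCII hostname (assumed here) still contains the host."""
    m = re.search(r"/v3/__(?P<link>.+?)__;", url)
    return unquote(m.group("link")) if m else None


def reveal_destination(url: str) -> str:
    """Peel off rewriting layers until nothing unwraps further; mail relayed
    through two gateways can be rewritten twice, hence the loop."""
    seen = set()
    while url not in seen:
        seen.add(url)
        for unwrap in (unwrap_safelinks, unwrap_urldefense_v2, unwrap_urldefense_v3):
            inner = unwrap(url)
            if inner:
                url = inner
                break
    return url


def is_microsoft_domain(host: str) -> bool:
    """True only if host IS a Microsoft domain or a subdomain of one. Testing
    whether 'microsoft' merely appears in the host would accept lookalikes
    such as login.microsoftonline.com.example.net."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def link_goes_to_microsoft(url: str) -> bool:
    """The hover check: unwrap the link, then test the real host."""
    return is_microsoft_domain(urlsplit(reveal_destination(url)).hostname or "")


def sender_looks_spoofed(from_header: str) -> bool:
    """Flag a From: header whose display name claims Microsoft while the
    actual address (what the mail client shows on hover) is elsewhere."""
    name, addr = parseaddr(from_header)
    return "microsoft" in name.lower() and not is_microsoft_domain(addr.rpartition("@")[2])


# Constructed sample inputs for this example; not indicators from the campaign.
SAMPLE_LINKS = {
    "safelinks": ("https://nam02.safelinks.protection.outlook.com/?url="
                  "https%3A%2F%2Flogin.microsoftonline.com.example.net%2Fcommon%2Foauth2%2F"
                  "&data=05%7C01&reserved=0"),
    "urldefense_v2": ("https://urldefense.proofpoint.com/v2/url?"
                      "u=https-3A__login.microsoftonline.com_common_oauth2_authorize"
                      "&d=DwMFaQ&c=x&r=y&m=z&s=w&e="),
    "urldefense_v3": "https://urldefense.com/v3/__https://example.net/o365/login.php__;!!AbC$",
}
SAMPLE_FROM = "Microsoft 365 Team <notifications@mail-example.net>"

if __name__ == "__main__":
    for label, link in SAMPLE_LINKS.items():
        print(f"{label:13} -> {reveal_destination(link)}  microsoft={link_goes_to_microsoft(link)}")
    print("sender spoofed:", sender_looks_spoofed(SAMPLE_FROM))
```

The domain test is an exact-or-subdomain match on purpose: a substring test would pass the `login.microsoftonline.com.example.net` lookalike in the first sample, which is exactly the kind of host a fake login page sits on. For URL Defense v3 only the visible part of the link is recovered, which is enough to read the host but not to rebuild a link containing masked characters.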
Sender Address: [email protected]
Return-Paths:
Phishing domains: