Joerg Habermeier - stock.adobe.c

Check Point uncovers targeted Microsoft Office 365 phishing campaign

Organised criminal campaign exploited Adobe, Oxford University and Samsung web domains to trick users into giving up their passwords

Check Point has discovered a sophisticated campaign of phishing attacks incorporating household names to gain a foothold on corporate networks and harvest login credentials stored on Microsoft Office 365 accounts.

Cyber criminals hijacked an Oxford University email server to bombard targets with malicious emails, which contained links redirecting to a now-redundant Adobe server used by Samsung for the 2018 Cyber Monday sales event – this let the group behind the campaign leverage the façade of a legitimate Samsung domain to trick victims into sharing their Office 365 logins.

“What first appeared to be a classic Office 365 phishing campaign, turned out to be a masterpiece strategy: using well-known and reputable brands to evade security products on the way to the victims,” said Check Point threat intelligence manager, Lotem Finkelsteen.

“Nowadays, this is a top technique to establish a foothold within a corporate network. Access to corporate mail can allow hackers unlimited access to a company’s operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords and even addresses of a company’s cloud assets.

“To pull the attack off, the hacker had to gain access to Samsung and Oxford University servers, meaning he had time to understand their inner workings, allowing him to go unnoticed.”

Check Point’s researchers were first alerted to the campaign in April 2020, when they spotted suspicious emails sent to victims titled ‘Office 365 Voice Mail’ coming from multiple generated addresses that belonged to legitimate subdomains at the University of Oxford.

These emails claimed an incoming voice message was waiting for the user in their voice portal, and by clicking the enclosed link, users were redirected to a phishing page masquerading as the Office 365 login page.

Finkelsteen revealed that the hackers had found a way to abuse one of the university’s SMTP servers – an application that serves to send, receive and relay outgoing email between senders and recipients. Using legitimate University of Oxford SMTP servers let the cyber criminals effectively bypass the reputation checks that would usually be required by security measures at the sender domain.

He said that this particular campaign reflected, to some extent, trend in the cyber criminal underground to use Google and Adobe open redirects in phishing campaigns to add additional legitimacy to the URLs that are used in spam emails – this has become increasingly popular over the past 12 months.

In this case, redirecting the unwitting victim to a previously used server meant that the crucial link that was embedded in the original phishing email was part of the trusted Samsung domain stem – albeit one that was now being used for malicious purposes.

Finkelsteen explained that in using the specific Adobe Campaign link format and the legitimate Samsung domain, the cyber criminals will have increased the chance that their emails would have slipped unnoticed past many email security solutions that filter out such things on criteria such as reputation, blacklists and URL patterns. In effect, this means that the only barrier to compromise became the user themselves.

Check Point has informed those organisations named in the phishing campaign.

Read more about phishing

  • More than 100 accounts on the NHSmail service were affected by a phishing attack last week, but the health service says no patient data was accessed.
  • A new report highlights the brands which are being most frequently spoofed by cyber criminals in phishing attacks.
  • Malicious actors are taking advantage of coronavirus fears to wreak havoc on cyber security. Check out our guide to learn about phishing and ransomware threats and how to stop them.

Read more on Hackers and cybercrime prevention