Serving as yet another proof point of the creativity with which attackers are targeting Office 365 users with new phishing schemes, Armorblox researchers yesterday detailed a new attack technique they found that validates stolen credentials in real time as the victim enters them into the login lure.
The attack in question is part of a very targeted spear-phishing campaign that was discovered operating against an executive at a top 50 American company. It works like this: Attackers send a typical credential phishing email using Amazon Simple Email Service to pass DKIM and SPF checks. Attached to the message is a bogus payment remittance report that looks like a text file with a title along the lines of "ACH Company Name."
Opening that file automatically opens up a look-alike Office 365 sign-on page with the user's email address already pre-entered, with a message that says, "Because you're accessing sensitive info, you need to verify your password."
All of these steps are fairly standard, but what happens next is what differentiates this attack from others. When a victim enters a password into the fake login screen, that triggers a call to Office 365 APIs to actively validate that username/password combination against that organization's Azure Active Directory infrastructure.
"This immediate feedback allows the attacker to respond intelligently during the attack," wrote Team Armorblox in a blog post about the attack. "The attacker is also immediately aware of a live, compromised credential and allows him to potentially ingratiate himself into the compromised account before any remediation."
If the login verification is successful, the user is redirected to zoo ..
Support the originator by clicking the read the rest link below.
