
Phishing Campaigns Targeting Microsoft Office Users Are Intensifying

At ANY.RUN malware analysis sandbox, we noticed an increase in phishing scams that direct users to fake Microsoft Outlook login pages, collecting confidential credentials. We decided to analyze one such campaign.

Phishing scam asks users to re-enter credentials twice

Recently we’ve noticed an uptick in phishing scams that imitate Microsoft Office applications. When one of our employees received an email asking them to log back into their Outlook account, we decided to dig deeper.

Outlook login portal

Navigating to the website showed an Outlook login portal.

We used an interactive online sandbox that allowed us to create a virtual machine in the cloud and securely visit the malicious website. It also recorded network activity, highlighting that the website was sending data to a domain that was flagged as malicious.

When we tried to log in (with made-up credentials, of course), the website showed an error indicating that we had entered the wrong credentials.

Incorrect password

This makes it look as if the user simply mistyped their credentials and doesn’t arouse suspicion.

Malicious website

The malicious website then attempted to steal the data, and we were redirected to a legitimate site where we could log into our real account, which is how these attacks usually go.

How to identify phishing attacks

We can use an HTTPS MITM (Man-in-the-middle) proxy to intercept and inspect secure HTTPS traffic between a client and a server. This is done by creating a proxy server that sits in between the client and server and intercepts all traffic passing through it, and ANY.RUN malware analysis sandbox does this automatically. This then allows the service to decrypt the traffic, inspect it for malicious content, and then re-encrypt and forward it to the server.

Another way to identify a malicious website is by inspecting the source files, like JavaScript code used to collect the data. This is easy using developer tools that come pre-installed in all modern browsers.

For example, let’s consider a similar phishing attack we found that targeted Microsoft Excel users.

Microsoft Excel

Using an HTTPS MITM proxy, we were able to see what data was being stolen.

Stolen data

We also looked inside the script and found out the details of how it works. By examining the data.js file it became clear that, among other things, the script checks the number of input attempts before redirecting the user.

Data file
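As an added example (not the campaign’s script and not ANY.RUN’s code), the following Python applies the two observations above to decrypted request records of the kind an HTTPS MITM proxy exposes: credential fields posted to a host that is not a Microsoft sign-in host, and the same page collecting credentials a second time before redirecting. The request records, the `.example` domains and the allowlist of legitimate sign-in hosts are constructed for this illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed allowlist of hosts a genuine Microsoft sign-in form posts to.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Form field names that indicate a credential submission.
CRED_FIELDS = {"password", "passwd", "pwd", "login", "email", "username"}

@dataclass
class Request:
    """One decrypted HTTP request as an MITM proxy would expose it."""
    method: str
    url: str
    referer: str  # page that issued the request
    body: str     # urlencoded form body (empty for GET)

def credential_fields(body: str) -> set:
    """Credential-looking field names present in a form body."""
    return {k.lower() for k in parse_qs(body, keep_blank_values=True)} & CRED_FIELDS

def analyze(requests: list) -> list:
    """Flag credential POSTs to non-Microsoft hosts and pages collecting credentials twice."""
    findings, posts_per_page = [], {}
    for r in requests:
        if r.method != "POST":
            continue
        fields = credential_fields(r.body)
        if not fields:
            continue
        dest = urlparse(r.url).hostname or ""
        page = urlparse(r.referer).hostname or ""
        if dest not in LEGIT_LOGIN_HOSTS:
            findings.append(f"credentials ({', '.join(sorted(fields))}) posted to "
                            f"non-Microsoft host {dest} from page {page}")
        posts_per_page[page] = posts_per_page.get(page, 0) + 1
        if posts_per_page[page] == 2:
            findings.append(f"page {page} collected credentials twice (re-entry trick)")
    return findings

# Constructed sample traffic (not from the real campaign): a fake Outlook page posts to a
# collector, shows "incorrect password", takes a second submission, then redirects.
PAGE = "https://outlook-login.example/index.html"
SAMPLE = [
    Request("GET", PAGE, "", ""),
    Request("POST", "https://collector.example/data.php", PAGE, "email=user%40corp.example&password=hunter2"),
    Request("POST", "https://collector.example/data.php", PAGE, "email=user%40corp.example&password=hunter2"),
    Request("GET", "https://login.microsoftonline.com/", PAGE, ""),
]
```

Running `analyze(SAMPLE)` yields three findings: two credential POSTs to the collector host and one re-entry alert for the fake page.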

What makes phishing so dangerous

Phishing is one of the main network infiltration techniques and the most common attack vector for enterprises. Bad actors employ various social engineering techniques to trick users into revealing credentials; this is often the first stage of a bigger multi-vector attack.

The scenario we discussed is just one example. Other common strategies these criminals use include:

  • Sending malicious documents and asking users to download them
  • Initiating conversation on behalf of a colleague and phishing for sensitive data
  • Trying to scare or intimidate the victim by posing as a regulator or police
  • Impersonating tax authorities

How to protect against phishing

The best way to safeguard your company from phishing is to raise the awareness about these attacks among your staff. But there are other safety precautions you can take. Here are the main ones:

  • Set up spam filters. Even if a quarter of phishing emails make it through, they will still stop the remaining 75%.
  • Enforce the policy of using 2FA. This will ensure that even if someone’s login credentials fall into the hands of a hacker, the adversary won’t be able to log into the account.
  • Educate about phishing. Hold workshops that show examples of phishing and teach staff to look out for the tell-tale signs of fraudulent emails.
  • Cross reference information. Don’t blindly trust information. For instance, in case of a message from a tax regulator it might be a good idea to call them and verify its authenticity before taking any other actions.
  • Use a service to check links and documents for malware. An interactive sandbox like ANY.RUN can help you verify that a resource doesn’t contain malware and doesn’t communicate with a domain that was flagged as malicious. It’s as easy as pressing a few buttons and submitting the resource in question.


Wrapping up

Analyzing this recent Microsoft Outlook phishing scam was quite enlightening. It is terrifying how advanced and how difficult to detect phishing attacks have become these days. Protect yourself online and be watchful for any suspicious messages, links, and emails. Don’t put yourself at risk of becoming a target for scammers!

We recorded both tasks in ANY.RUN: