Attackers are cross-checking stolen Office 365 credentials on Microsoft Entra ID in real-time after victims type them into a malicious phishing page.
When users enter their Office 365 credentials into the phishing page, the page immediately calls the Office 365 authentication API to verify those credentials against the organization's Microsoft Entra ID tenant, Armorblox researchers said. Authentication APIs are ordinarily used by applications and servers to obtain access to certain types of user data; here the attackers use one as a password oracle. Because the check happens in real time, the attackers can log into the account before the victim realizes something went wrong and takes steps to fix it.
"This immediate feedback allows the attacker to respond intelligently during the attack," Armorblox wrote.
If the verification succeeds, the victim is redirected to zoom.com, the videoconferencing site. If the entered credentials are wrong, the victim is redirected to login.microsoftonline.com, which hides the theft attempt: a user who mistyped a password simply lands on the genuine sign-in page and has no reason to suspect phishing. If the password field is empty or too short, the page forces the user to re-enter it before anything is submitted.
“Our threat researchers verified the real-time nature of the site by updating the script with a test login and a dummy password and saw a failed login attempt from Provo, Utah in the Microsoft Entra ID Sign-In portal,” the researchers said.
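The failed attempt the researchers saw in the sign-in portal is the defender's hook: if the kit authenticates with a direct token request (ROPC-style) rather than through a browser, its credential checks land in the tenant's sign-in logs as non-browser authentications from the phishing host, not from the victim's machine. The following Python is an added example, not Armorblox's or Microsoft's code. It runs a simple hunt over sign-in records shaped like the Microsoft Graph signIn resource; the constructed sample records, the 15-minute window, the "IP never used in a browser" baseline, and treating error code 50076 (MFA required) as evidence that the password was accepted are all assumptions made for illustration.

```python
"""Hunt Entra ID sign-in records for a phishing page verifying stolen credentials.

Added example, not Armorblox's or Microsoft's code. Records are shaped like the
Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress,
clientAppUsed, authenticationProtocol, status.errorCode, location.city). The
sample records are constructed for this example; the window size and the
off-baseline-IP heuristic are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AADSTS_INVALID_CREDENTIALS = 50126  # wrong username or password
AADSTS_MFA_REQUIRED = 50076         # password accepted, MFA challenge pending
PASSWORD_ACCEPTED = {0, AADSTS_MFA_REQUIRED}

# Constructed sample: exec@ typed a wrong password into the phishing page, then the
# right one; bob@ typed a wrong one and gave up; alice@ is a desktop mail client
# with a stale saved password, signing in from her usual browser IP.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2020-09-14T13:02:11Z", "userPrincipalName": "exec@example.com",
     "ipAddress": "203.0.113.45", "clientAppUsed": "Browser", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "location": {"city": "Phoenix"}},
    {"createdDateTime": "2020-09-14T13:40:05Z", "userPrincipalName": "exec@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}, "location": {"city": "Provo"}},
    {"createdDateTime": "2020-09-14T13:40:31Z", "userPrincipalName": "exec@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationProtocol": "ropc", "status": {"errorCode": 0}, "location": {"city": "Provo"}},
    {"createdDateTime": "2020-09-14T13:55:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.7", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}, "location": {"city": "Provo"}},
    {"createdDateTime": "2020-09-14T09:15:42Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.10", "clientAppUsed": "Browser", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "location": {"city": "Denver"}},
    {"createdDateTime": "2020-09-14T09:20:03Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "192.0.2.10", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}, "location": {"city": "Denver"}},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_relayed_login(rec):
    """A kit that replays credentials to the token endpoint is not a browser sign-in."""
    return rec.get("authenticationProtocol") == "ropc" or rec.get("clientAppUsed") != "Browser"


def browser_baseline(signins):
    """IP addresses each user has successfully signed in from through a browser."""
    base = defaultdict(set)
    for rec in signins:
        if rec["clientAppUsed"] == "Browser" and rec["status"]["errorCode"] == 0:
            base[rec["userPrincipalName"]].add(rec["ipAddress"])
    return base


def find_realtime_verifications(signins, window=timedelta(minutes=15)):
    """One alert per (user, IP) where non-browser sign-ins came from an IP the user
    never used in a browser; credential_verified is True when the password was
    accepted within `window` of the first such attempt."""
    base = browser_baseline(signins)
    groups = defaultdict(list)
    for rec in sorted(signins, key=lambda r: parse_ts(r["createdDateTime"])):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        if ip in base[user] or not is_relayed_login(rec):
            continue
        groups[(user, ip)].append(rec)
    alerts = []
    for (user, ip), events in groups.items():
        first = parse_ts(events[0]["createdDateTime"])
        failures = sum(1 for e in events if e["status"]["errorCode"] == AADSTS_INVALID_CREDENTIALS)
        verified = any(e["status"]["errorCode"] in PASSWORD_ACCEPTED
                       and parse_ts(e["createdDateTime"]) - first <= window for e in events)
        alerts.append({"user": user, "ip": ip, "city": events[0]["location"]["city"],
                       "first_seen": events[0]["createdDateTime"],
                       "failed_attempts": failures, "credential_verified": verified})
    return alerts


if __name__ == "__main__":
    for alert in find_realtime_verifications(SAMPLE_SIGNINS):
        print(alert)
```

Error 50126 is Entra's invalid-credentials code; a 50076 on a ROPC-style sign-in means the password was right and only the MFA challenge stood in the way, which is why it counts as verified here. In production the records would come from the Microsoft Graph sign-in API rather than a literal list, and the baseline would be built from a longer history than the day's logs.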
The phishing scams are likely targeted and not spray and pray
There is no special vulnerability being exploited here—the attackers are just being very creative about how they are using the APIs.
Armorblox analyzed a campaign in which the victim, a senior executive at a large enterprise, received a message carrying a file designed to look like a payment remittance report. When the victim tried to open the attachment, a page resembling the organization's Office 365 sign-in page appeared with the message, "Because you're accessing sensitive info, you need to verify your password." The phishing messages were sent through Amazon Simple Email Service to bypass DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) checks on the mail server.
Armorblox researchers concluded this was part of a very targeted spear-phishing campaign, as the phishing page used the correct domain name. The enterprise had recently changed domains, so that its email addresses and its Active Directory used different domain names. The attackers were aware of the change, leading the researchers to believe they had put some effort into researching the organization and the executive. The phishing page also appears to have been visited rarely, suggesting the attackers were careful about which individuals they targeted.
“Our estimates show there have been 120 odd visits to this website globally since the beginning of June. The sparse number shows that the phishing scams are likely targeted and not spray and pray,” Armorblox said.
This was not a fly-by-night, amateur operation. The phishing email was generated with a customizable toolkit. The kit itself appeared to be well written, with thorough code comments and instructions on how to customize it to point at a specific target, Armorblox said. The operation was also global in reach.
Remediation will need to be "thorough."
The attacker “customized a Malay language toolkit to attack an executive based in southwest United States using a domain registered in Singapore that’s hosted in the northwest United States by a hosting company based out of India,” Armorblox said.
Attackers typically make the effort to steal Office 365 credentials because those usernames and passwords may be protecting more than documents and other files. The organization may rely on the same credentials to handle authentication for its wider environment. If attackers obtain legitimate Office 365 credentials, they also gain access to every application that signs users in through the organization's Active Directory federated with Azure.
“The attacker is also immediately aware of a live compromised credential and allows him to potentially ingratiate himself into the compromised account before any remediation,” Armorblox said.
Remediation in this case will need to be "thorough," Armorblox said. Administrators will need to look at all outbound emails that have been sent, check to see what kind of changes have been made to accounts (such as auto-forwarding messages to an external mailbox), and review any third-party apps that have been granted access to Office 365. Administrators will also need to go over all activity across all Office 365 properties, such as Word, Excel, and OneDrive.
Organizations need to think about how they protect Office 365 users, since they are highly attractive targets and vulnerable to attack. Compromising Office 365 credentials isn’t an attack technique exclusive to phishing groups. Microsoft researchers believe Russia-linked threat group APT28 is using password-spraying and brute-force to harvest Office 365 credentials belonging to organizations in the United States and United Kingdom directly involved in elections.
APT28 is likely targeting Office 365 in order to be able to move laterally through organization networks or mount espionage campaigns. Microsoft said APT28 unsuccessfully targeted nearly 7,000 Office 365 accounts across 28 organizations between Aug. 18 and Sept. 3.