Microsoft Office 365: This targeted phishing campaign uses an odd trick to stay hidden

Unknown attackers are looking to to steal usernames and passwords of corporate accounts across multiple industries.
Written by Danny Palmer, Senior Writer

A surge of phishing emails aimed at stealing steal corporate Microsoft Office 365 usernames and passwords is targeting a wide range of organisations and is trying to use captchas as an unusual technique to lull victims into a fall sense of security.

Captchas are usually used by online services as a means of ensuring security by requiring some sort of human input – such as checking a box or identifying particular images – to prevent automated activity by bots. In this case, cyber criminals are apparently harnessing a set of captchas to help their campaign.

The goal of the attack is to steal corporate Microsoft Office 365 usernames and passwords. These could be used to gain access to sensitive information, as a means of compromising the network with ransomware or even launching additional attacks against other companies that have a relationship with the victim organisation.

SEE: Security Awareness and Training policy (TechRepublic Premium)

Industries targeted by the attacks include finance, technology, manufacturing, government, pharmaceuticals, oil and gas, hospitality and more.

The campaign has been discovered and detailed by cybersecurity researchers at Menlo Security and involves phishing emails containing links that direct to a webpage posing as a Microsoft Office 365 login portal. It's likely the attacks are customised depending on the selected target.

But rather than taking the potential victim straight to the fake page, the credential phishing site is obscured behind captchas, requiring the user to confirm they're not a bot.

This could be an effort to make the fake log-in page look more legitimate, because people have got used to a captcha page serving as a security check.

But this isn't the only captcha check used by the attackers, with a second stage asking the user to identify images of bicycles and a third stage asking users to identify the tiles containing a crosswalk. Only then will they be taken to the fake Office 365 login page.

SEE: This worm phishing campaign is a game-changer in password theft, account takeovers

These additional checks helps prevent automated services from reaching the phishing page and potentially identifying it as malicious – and providing the attackers with a better chance of stealing login credentials.

"The campaign is very prolific," Vinay Pidathala, director of security research at Menlo Security told ZDNet. "With the data we have, we would classify this as a successful campaign."

It's uncertain what sort of operation is behind this phishing campaign, but it's likely that it's still active. In order to help protect against this and other phishing attacks, it's recommended that organisations apply multi-factor authentication and that users should be wary of opening links or attachments in emails that come from an unknown source.


Editorial standards