password phishing

A new large-scale phishing campaign targeting global organizations has been found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and steal credentials belonging to over a thousand corporate employees.

The cyber offensive is said to have originated in August last year, with the attacks aimed specifically at energy and construction companies, said researchers from Check Point Research today in a joint analysis in partnership with industrial cybersecurity firm Otorio.

Although phishing campaigns engineered for credential theft are among the most prevalent reasons for data breaches, what makes this operation stand out is an operational security failure that led to the attackers unintentionally exposing the credentials they had stolen to the public Internet.

“With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker,” the researchers said.

password auditor

The attack chain commenced with phishing lures that purported to be Xerox (or Xeros) scan notifications containing an HTML file attachment, that when opened, urged recipients to enter their Office 365 passwords on a fake lookalike login page, which were then extracted and sent to a remote server in a text file.

The researchers noted the JavaScript code for exfiltrating the credentials was continuously polished and refined to the point of evading most antivirus vendors and creating a “realistic” user experience so as to trick victims into providing their login information.

password phishing

To that end, the campaign banked on a mix of specialized infrastructure as well as compromised WordPress servers that were used as a “drop-zone” by the attackers to store the credentials, thereby leveraging the reputation of these existing websites to get around security software.

That the stolen credentials were stored on specific text files within these servers also means that search engines like Google can index those pages and make them accessible to any bad actor looking for compromised passwords with just an easy search.

What’s more, by analyzing the different email headers used in this campaign, the researchers came to the conclusion that the emails were sent from a Linux server hosted on the Microsoft Azure platform using PHP Mailer 6.1.5 and delivered via 1&1 Ionos email servers.

“It is highly likely that the compromised IONOS account credentials were used by the attackers to send the rest of the Office 365 themed spam,” the researchers noted.

To mitigate such threats, it’s advised that users watch out for emails from unknown senders, lookalike domains, and spelling errors in emails or websites; refrain from clicking on suspicious links in emails; and follow password hygiene to secure accounts.

“We tend to believe that when someone steals our passwords, the worst case scenario is that the information will be used by hackers who exchange them through the dark net,” Lotem Finkelsteen, head of threat intelligence at Check Point, said. “Not in this case. Here, the entire public had access to the information stolen.”

“The strategy of the attackers was to store stolen information on a specific webpage that they created. That way, after the phishing campaigns ran for a certain time, the attackers can scan the compromised servers for the respective webpages, collecting credentials to steal. The attackers didn’t think that if they are able to scan the Internet for those pages — Google can too. This was a clear operation security failure for the attackers.”