Area 1 Security recently stopped a sophisticated Microsoft Office 365 credential harvesting campaign targeting C-suite executives, high-level assistants, and financial departments across numerous industries, including financial services, insurance, and retail. Further research and analysis of the activity revealed a much larger operation than originally discovered. This included several additional directly-related credential phishing campaigns that targeted the same industries and positions using sophisticated techniques and advanced phishing kits, to bypass Microsoft’s native email defenses and email authentication.  

The campaigns, which began in early December and continued through February, targeted only select individuals at each company. Unlike the “spray and pray” method often seen with these types of cybercriminal-driven credential harvesting campaigns, this limited activity suggests a more targeted approach. 

A large majority of the phishing attacks stopped by Area 1 Security were headed to financial controllers and treasurers at various international companies. By targeting the financial departments of these companies, the attackers could potentially gain access to sensitive data of third parties through invoices and billing, commonly referred to as a BEC (Business Email Compromise) attack. This enables the attackers to send forged invoices from legitimate email addresses to suppliers, resulting in payments being made to attacker-owned accounts. 

Beyond financial departments, the attackers also targeted C-suite and executive assistants. Targeting high-level assistants is an often overlooked method of initial entry, despite these employees having access to highly sensitive information and an overall greater level of privileges. 

In a few instances, the attackers even attempted to bait newly-selected CEOs of two major companies before any public announcements of this significant senior executive changeover were made. 

By sending phishing messages during this critical transitionary period, the attackers likely hoped to catch the new CEOs off guard while they were focused with managing the new challenges that come with running a business.     

What makes these phishing campaigns most noteworthy were the sophisticated methods employed by the threat actors at every step of the attack, says Area 1 Security. Clever tactics were used to not only craft the phishing messages, but also to send those messages, as well as to obtain passwords. These methods utilized a number of techniques at every step — including legitimate-looking domains and login pages, plus advanced phishing kits — to bypass email authentication and Microsoft’s email defenses.

Juliette Cash, Area 1’s Principal Threat Researcher, notes this attack is still ongoing and that threat actors targeted numerous individuals across various financial departments from a diverse set of companies that spanned several industry verticals.

For the full blog, please visit https://www.area1security.com/blog/microsoft-365-spoof-targets-financial-departments/