Office 365 phishing attacks target administrator accounts

PhishLabs has discovered a new phishing campaign in which hackers try to compromise Microsoft Office 365 administrator accounts.

According to the cybersecurity firm, the threat actors launched a phishing lure that mimicked Microsoft and its Office 365 brand. To make the lure appear more legitimate, however, the cybercriminals used multiple validated domains that do not belong to the software giant, including a domain belonging to a training institute.

Victims who clicked on the link in the phishing emails were taken to a spoofed Office 365 login, allowing the hackers to collect their user credentials.

PhishLabs observed that the campaign was targeting a large number of companies and industries, which meant that the attackers were not targeting any specific company or industry.

Administrator accounts

Threat actors have targeted administrative credentials for several reasons, including the fact that Office 365 administrators exercise administrative control over all email accounts in a domain.

Depending on how an organization has configured Office 365, a compromised administrator account could allow an attacker to retrieve users' email or even fully take over other email accounts on the domain. Office 365 administrators often have elevated privileges on other systems within an organization as well, which could compromise the security of those systems through password reset attempts or by abusing single sign-on systems.

By compromising an administrator account, attackers can also create new accounts within an organization to misuse single sign-on systems, or exploit the reputation of a compromised domain to launch a new wave of attacks.

During the campaign discovered by PhishLabs, the attackers were able to gain some administrative control over the sender's Office 365 installation. After that, they created a new account that was used to distribute the campaign. Hackers often use this technique to avoid detection.

To avoid falling victim to this latest phishing campaign, PhishLabs advises users to avoid opening suspicious emails with the subject "Re: Action required!" or "Re: We have blocked your account."