Phishers are impersonating companies’ IT support teams and sending fake VPN configuration change notifications in the hopes that remote employees may be tricked into providing their Office 365 login credentials.
Yet another Office 365 phishing campaign
“The sender email address is spoofed to impersonate the domain of the targets’ respective organisations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target’s company, the hyperlink actually directs to an Office 365 credential phishing website,” Abnormal Security explained.
The phishers are betting on the high possibility that the recipients are working from home and need to use VPN for work-related tasks. They hope the targets will be concerned about the possibility of losing access to company resources and that that concern will override their good sense and anti-phishing training.
The original email headers show that the email has not been sent from the recipients’ organization, but the sender email has been spoofed to say it has.
The phishing Office 365 login page is hosted on a Microsoft .NET platform, with a valid Microsoft certificate, which might be enough to fool some targets.
“Numerous versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses. However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website,” the researchers noted.
“Should the recipient fall victim to this attack, the user’s credentials would be compromised. Information available with the user’s Microsoft credentials via single-sign on are at risk as well.”