The COVID-19 global pandemic has caused many businesses and home users to adopt and adapt to new ways of doing business—including migrating to cloud-based software as a service (SaaS). For some, the rapid and unplanned transition has been bumpy. For cybercriminals, on the other hand, it’s been a boon of opportunity on multiple fronts as they look to exploit a growing number of connected devices, a heavy dependence on digital systems for all facets of life, and more people needing to operate unfamiliar and complex technology.

Recently, the Accenture Security Cyber Investigation and Forensics Response (CIFR) team has seen operators of a well-organized and long-running credential-harvesting campaign update their phishing techniques with what appears to be a calculated attempt to take advantage of the rapid adoption of cloud-based SaaS. Their new techniques are designed to both evade detection and increase the likelihood of a successful phish.

The unfolding of a new phishing campaign

After executing a successful phish or password attack against a user and taking over an account in a Microsoft® Office 365™ tenant environment, the threat actor harvested a contact list for targets and, masquerading as a known, trusted third-party, sent an email to the list. Because the email came from an account within the Office 365 platform, it inherited the standard and expected user trappings, such as stored signatures. Additionally, based on extended mail headers, the recipient and the recipient email system would have seen the incoming mail as originating from the Office 365 tenant space. These headers can lend an added air of legitimacy to the mail, thus helping to bypass filtering and human scrutiny.

This campaign’s carefully crafted emails further challenged users’ abilities to discern the phish. As shown below, the threat actors themed the lure as a secure, encrypted email. They did so by basing the message on the legitimate secure email provider ZIX[1], which generally requires a user to click on a link in an email.

Figure 1 Example ZIX-themed phishing email. Copyright © 2020 Accenture. All rights reserved.

 

In this case, the “View Message” link was rewritten by the Advanced Threat Protection (ATP) SafeLinks[2] capability that had been configured in Office 365. SafeLinks is a URL rewrite service provided by Microsoft to help protect users from malicious URLs. 

Because URLs can get unwieldy, there are several services that map a shorter, more user-friendly URL to a full original URL. Here, the original URL—before it was encapsulated in SafeLinks—was to a “1drv.ms” domain, which is a URL from a legitimate URL shortening service (also provided by Microsoft). URLs of this form are mapped to cloud instances of Microsoft OneDrive™.

This shortened URL is another strategy that may bypass URL filters. Not only did this URL go to a Microsoft OneDrive, but it was a quick link to a Microsoft OneNote™ stored on the OneDrive.

Figure 2 Screen capture of threat actor OneNote hosted in OneDrive. Copyright © 2020 Accenture. All rights reserved.

 

The OneDrive hosted a loosely themed page with yet another link, which redirected the user to a standard “phishy” domain hosted on a dynamic hosting provider. In this case, Unified Layer provided the IP and the domain is registered by SoftLayer. Unwary users, however, may not have noticed the domain at all because the threat actors presented them with a familiar-looking login prompt.

Figure 3 Sample phish login prompt hosted on the malicious web server. Copyright © 2020 Accenture. All rights reserved.

 

Figure 4 Sample legitimate Microsoft login prompt. Copyright © 2020 Accenture. All rights reserved.

 

While the phish login looks a lot like a legitimate Microsoft login, there are a few differences.

In the legitimate login, users see:

  • The use of the Oxford comma on the “Sign in” line.
  • Appropriate capitalization of the proper noun “Skype.”

In the phish login, they see:

  • The “Can’t access your account?” line is replaced by a generic “Sign in with a security key.”
  • The “Sign-in options” is replaced by “sign in options,” which lacks consistent capitalization and the hyphen on sign-in.

Given the buildup through all the Microsoft links to get to the actual phish, it is not a surprise that users will unwittingly enter their login credentials and hence, perpetuate the cycle.

Over the past several months, Accenture Security has identified several iterations of this campaign that followed essentially the same script. Email system administrators and security teams should take care to help their users become aware of and recognize the indicators of phishing campaigns such as these. The threat actors behind them show a consistent, persistent, and methodical operation that is bound to be successful as users and security tools are confounded by cloud services.

Need additional information? Contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.hotline@accenture.com.

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

___

[1] https://zix.com/
[2] https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=2ahUKEwiU2OKmhrHpAhUnknIEHeQSD9AQFjAAegQICBAC&url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fatp-safe-links&usg=AOvVaw0ShNXXSiT4J3rAVIiCH3ri 

Heather Larrieu

Security Delivery Manager

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog