
Microsoft Facing a Growing Threat by Cryptojackers

 

Cryptojackers are still invading computers all over the world while getting more discreet and skilled at evading detection, according to a new analysis that the Microsoft 365 Defender Research Team posted on its blog on Thursday.

Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and detection techniques, including its integration with Intel Threat Detection Technology (TDT). In the campaigns observed, attackers strongly favor abusing notepad.exe over other legitimate system utilities.

What are Cryptojackers?

Cryptojackers are cryptocurrency-mining malware that hijacks a target's device resources for the attacker's gain without the user's knowledge or approval. They are one of the threat categories that emerged and thrived with the rise of cryptocurrencies; Microsoft's threat data indicates that organizations encountered millions of cryptojackers over the past year.

According to Microsoft, cryptojackers are frequently written in JavaScript and run in the browser to get onto systems. The company also cautioned against fileless cryptojackers, which mine from a device's memory and maintain persistence by abusing legitimate programs and LOLBins (living-off-the-land binaries).

Cryptojacking operation

Among the legitimate system utilities abused in observed campaigns, notepad.exe is the favorite. One such campaign used an improved version of the cryptojacker known as Mehcrypt.
  • This version is a significant change from its predecessor, which used a script to reach its command-and-control (C2) server and download additional components that then performed the malicious actions.
  • The new version condenses all of its routines into a single script and connects to the C2 server only in the final stage of the attack chain.
  • The delivery vehicle is an archive containing autoit.exe and a heavily obfuscated, randomly named .au3 script.
  • When the archive is opened, autoit.exe starts and decodes the .au3 script in memory.
  • As the script runs, it decodes further obfuscation layers and loads the decoded scripts into memory.
  • The script then places a copy of itself and autoit.exe in a randomly named folder under C:\ProgramData.
  • To run at every boot, the script adds autostart registry entries, and it creates a scheduled task to delete the original files.
  • The malware then loads malicious code into vbc.exe via process hollowing and connects to the C2 server to await commands.
  • Depending on the C2 response, it loads its cryptojacking code into notepad.exe, again via process hollowing.
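Each stage of the chain above leaves a distinct trace in endpoint telemetry: an AutoIt interpreter running out of C:\ProgramData, a Run key pointing at it, notepad.exe or vbc.exe being started by that interpreter, and a hollowed notepad.exe opening network connections. The following is an added example of hunting rules over such events; it is not Microsoft's detection logic. The Event fields, the directory list and the sample events are constructed to resemble process-creation, registry and network telemetry and are assumptions, not a real product schema.

```python
"""Hunting rules for the Mehcrypt-style chain described above.

Added example, not Microsoft's detection logic. The Event fields and the
sample events below are constructed to mimic endpoint telemetry (process
creation, registry writes, outbound connections); field names are assumptions.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class Event:
    kind: str            # "process", "registry" or "network"
    image: str           # full path of the acting process
    parent: str = ""     # parent process image name (process events)
    reg_key: str = ""    # registry key written (registry events)
    reg_data: str = ""   # registry value data (registry events)
    remote: str = ""     # remote address (network events)


# Directories a standard user can write to; a legitimate AutoIt install lives under Program Files.
WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
AUTOIT_IMAGES = {"autoit.exe", "autoit3.exe", "autoit3_x64.exe"}
HOLLOW_HOSTS = {"notepad.exe", "vbc.exe"}  # the hollowing targets named in the post
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"


def _base(path):
    return ntpath.basename(path).lower()


def _in_writable_dir(path):
    # reg_data may be a quoted command line; the first token is the image path
    return path.strip('"').lower().startswith(WRITABLE_ROOTS)


def triage(events):
    """Return (rule, detail) pairs for every event that matches a chain stage."""
    findings = []
    for e in events:
        name = _base(e.image)
        if e.kind == "process":
            # Stage: script interpreter dropped into C:\ProgramData\<random>\
            if name in AUTOIT_IMAGES and _in_writable_dir(e.image):
                findings.append(("autoit_in_writable_dir", e.image))
            # Stage: the interpreter starts the process it is about to hollow
            if name in HOLLOW_HOSTS and _base(e.parent) in AUTOIT_IMAGES:
                findings.append(("hollow_host_spawned_by_autoit", f"{_base(e.parent)} -> {name}"))
        elif e.kind == "registry":
            # Stage: autostart entry pointing at the dropped interpreter
            if (RUN_KEY in e.reg_key.lower() and "autoit" in e.reg_data.lower()
                    and _in_writable_dir(e.reg_data)):
                findings.append(("run_key_points_to_writable_autoit", e.reg_data))
        elif e.kind == "network":
            # Stage: hollowed notepad.exe/vbc.exe talking to C2 or a mining pool
            if name in HOLLOW_HOSTS:
                findings.append(("hollow_host_network_connection", f"{name} -> {e.remote}"))
    return findings


# Constructed sample telemetry: the five malicious events are followed by three benign ones.
SAMPLE_EVENTS = [
    Event("process", r"C:\ProgramData\kqzx\autoit.exe", parent="explorer.exe"),
    Event("registry", r"C:\ProgramData\kqzx\autoit.exe",
          reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kqzx",
          reg_data=r'"C:\ProgramData\kqzx\autoit.exe" "C:\ProgramData\kqzx\hvq.au3"'),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe", parent="autoit.exe"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent="autoit.exe"),
    Event("network", r"C:\Windows\System32\notepad.exe", remote="198.51.100.23:443"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent="explorer.exe"),
    Event("registry", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
          reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          reg_data=r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    Event("process", r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", parent="explorer.exe"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

The rules are deliberately independent so that a single hit is a lead and several hits on one host are a strong signal; the benign events (notepad.exe launched from Explorer, a OneDrive Run key, AutoIt installed under Program Files) show the conditions that keep each rule from firing on normal activity.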

The warning came just a few weeks after Microsoft published a study describing how a widespread phishing campaign stole sign-in credentials, hijacked sign-in sessions, and bypassed the authentication step even when multi-factor authentication (MFA) was enabled.

Email Threat Report for 2022 via Abnormal Security

Abnormal Security, an AI-based cloud-native email security vendor, has published its H2 2022 Email Threat Report. The report examines the state of the email threat landscape and covers recent developments in attack methods, such as the rise of brand impersonation in credential phishing and the expansion of business email compromise.

According to the report, email attacks increased by 48% in the previous six months, and 68.5% of them carried credential-stealing links. In 15% of phishing emails, fraudsters impersonated well-known companies rather than internal staff or executives, relying on the brands' familiarity and goodwill to persuade employees to give up their login information. Microsoft products and social networks were the most frequently impersonated among the 265 brands seen in these attacks.

"Most cybercrime nowadays is successful because it preys on the individuals using the computer. By compromising individuals rather than networks, attackers may more easily get beyond standard security precautions," stated Crane Hassold, head of threat intelligence at Abnormal Security.

LinkedIn was the most frequently impersonated brand, but 20% of all attacks impersonated Outlook, OneDrive, or Microsoft 365. These attacks are dangerous because employee email accounts are frequently compromised through them: with Microsoft credentials in hand, fraudsters can access the whole range of connected products, read sensitive information, and use the account to launch business email compromise attacks.

Other findings from the report include:
  • More than a third of brand-impersonation credential phishing attacks targeted a school or a place of worship.
  • BEC attacks rose 150% year over year, confirming the growing financial risk these threats pose.
  • BEC attacks hit every sector, but advertising and marketing organizations remain the most exposed, with an 83% chance of being targeted in any given week.
  • Financial supply chain attacks reach businesses of nearly every size, with 89% of large enterprises experiencing at least one vendor-originated attack each week.

"We generally understand that email attacks target businesses of all sizes and in all sectors, but these findings just serve to confirm our suspicions. Since the most sophisticated attacks are very difficult to distinguish from a genuine email from that brand, brand impersonation is particularly concerning for cybersecurity leaders," according to Mike Britton, chief information security officer at Abnormal Security.

In support of its goal of shielding enterprises from cybercrime, Abnormal Security has also launched Abnormal Intelligence, a research and data hub offering insight into emerging threats across the landscape.

The portal, which showcases some of the most inventive attacks targeting Abnormal customers, is designed to help firms stay informed of new trends and attacks. Alongside a daily feed of real attacks, it offers threat intelligence content in the form of blog posts, downloadable materials, and webinars.

Phishing Scams Exploit American Express and Snapchat Open-Redirect Flaws

Open-redirect vulnerabilities on American Express and Snapchat domains have been abused in phishing emails aimed at Google Workspace and Microsoft 365 users.

An open redirect is a web application flaw that lets an attacker use a trusted site's URL to send users to a destination the attacker controls.

Vulnerabilities :

An open redirect occurs when a website takes a destination URL as a parameter and forwards visitors to it without validating it, allowing attackers to craft links on trusted domains that route users to malicious sites. Because the first domain name in the crafted link is a well-known one, like American Express or Snapchat, victims trust it.

To an untrained eye the link looks safe because the first domain in the modified link really is the original site's. According to email security firm INKY, the trusted domain, such as American Express or Snapchat, serves only as a brief stop before the user is redirected to the malicious website.

Phishing emails abusing the Snapchat open redirect impersonated DocuSign, FedEx, and Microsoft as bait and led to credential-harvesting sites. INKY's researchers counted 6,812 such phishing emails over two and a half months, sent from hijacked Google Workspace and Microsoft 365 accounts.

The Snapchat vulnerability was reported through the Open Bug Bounty platform on August 4, 2021, but at the time of INKY's report it still had not been fixed.

The American Express open redirect made matters worse: it appeared in more than 2,000 phishing emails in only two days in July. That vulnerability has since been patched, according to the report, and anyone who opens the link now lands on an error page on the company's legitimate website.

Prevention advice

Roger Kay of INKY offered simple measures for limiting open-redirect attacks:
  • Domain owners who want to curb open-redirect abuse should, first, avoid redirection altogether in their site architecture. Where redirection is required for business reasons, they can maintain an allowlist of approved destination links.
  • Domain owners can also display a warning about external links before forwarding visitors to other websites.
  • Users browsing the web should watch for URLs containing strings such as "url=", "redirect=", "external-link", or "proxy", which can indicate that a reputable domain is rerouting traffic to another site.
  • Recipients of emails containing links should also look for repeated occurrences of "http" in a URL, another possible sign of redirection.
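Both halves of the advice above can be turned into code: the domain owner's allowlist check on the server, and the recipient's heuristics (redirect-style parameters, a second "http" in the link) on the client or mail gateway. The following is an added example written for this page; it is not INKY's code nor that of the affected sites. The allowlisted hosts, the hint word lists and the two sample URLs are assumptions standing in for a site owner's own properties and for links seen in a mailbox.

```python
"""Open-redirect defense (server side) and link triage (recipient side).

Added example, not INKY's or the affected sites' code. The allowlisted
hosts, hint lists and sample URLs are assumptions.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

ALLOWED_REDIRECT_HOSTS = {"www.example-bank.com", "accounts.example-bank.com"}  # assumed own hosts
SAFE_FALLBACK = "/"


def vulnerable_redirect(target):
    """The flaw: wherever the ?url= parameter points is where the user is sent."""
    return target


def safe_redirect(target, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Allowlist check: anything not provably ours collapses to SAFE_FALLBACK."""
    target = target.strip()
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Same-site relative path. Reject protocol-relative (//host) and the
        # backslash variant (/\host) that browsers normalise to //host.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return SAFE_FALLBACK
    if parts.scheme.lower() not in ("http", "https"):
        return SAFE_FALLBACK                      # javascript:, data:, and friends
    host = (parts.hostname or "").lower()         # .hostname drops user:pass@ and :port
    return target if host in allowed_hosts else SAFE_FALLBACK


# Parameter names and path fragments that commonly carry a redirect target.
REDIRECT_PARAM_HINTS = ("url", "redirect", "return", "next", "dest", "target", "goto", "link", "proxy")
PATH_HINTS = ("external-link", "redirect", "proxy")


def link_warnings(url):
    """Recipient-side heuristics from the advice above; returns a list of reasons."""
    warnings = []
    outer = urlsplit(url)
    decoded = unquote(unquote(url))               # twice: attackers often double-encode
    if decoded.lower().count("http") > 1:
        warnings.append("more than one 'http' in the URL")
    if any(h in outer.path.lower() for h in PATH_HINTS):
        warnings.append(f"redirect-style path: {outer.path}")
    for key, value in parse_qsl(outer.query, keep_blank_values=True):
        if any(h in key.lower() for h in REDIRECT_PARAM_HINTS):
            warnings.append(f"redirect-style parameter: {key}")
        inner = urlsplit(unquote(unquote(value)))
        if inner.scheme in ("http", "https") and inner.hostname and inner.hostname != outer.hostname:
            warnings.append(f"parameter '{key}' carries a URL to another host: {inner.hostname}")
    return warnings


# Constructed sample links: one abusing a redirect endpoint, one ordinary deep link.
PHISH = "https://www.example-bank.com/redirect?url=https%3A%2F%2Flogin.evil.example%2Fo365"
CLEAN = "https://www.example-bank.com/account/statements?view=pdf"

if __name__ == "__main__":
    for link in (PHISH, CLEAN):
        print(link, "->", link_warnings(link) or "no warnings")
    print("redirect target chosen:", safe_redirect("https://login.evil.example/o365"))
```

The server-side check deliberately parses the target rather than testing for a prefix, because a prefix test passes `https://www.example-bank.com@login.evil.example/` (the real host is after the `@`) and `//login.evil.example` (protocol-relative). The recipient-side heuristics are exactly that, heuristics: a legitimate single-sign-on flow also uses `redirect_uri`, so they should raise a warning, not block outright.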

Microsoft Hit by Huge Service Outage


This week's six-hour global outage of Microsoft 365 was caused by a flawed Enterprise Configuration Service (ECS) deployment, according to a preliminary post-incident review. The deployment caused cascading errors and availability impact across numerous regions.

ECS is an internal central configuration repository created to allow Microsoft services to make targeted updates, such as particular configurations per tenant or user, as well as broad-scope dynamic changes affecting many services and features.

According to Microsoft, a recent deployment that featured a "broken link to an internal storage service" was the most likely reason for an outage that prevented many customers from accessing or using a variety of Microsoft 365 products for several hours.

Access to several Microsoft services, including Microsoft Teams, Exchange Online, the Microsoft 365 admin center, Microsoft Word, and other Office programs, was degraded as a result of the service issues, which began on the evening of Wednesday, July 20 and persisted into Thursday morning. Microsoft Managed Desktop and other services were also unable to auto-patch because of the problem.

Overview of the outage

Microsoft's public Twitter statements did not say where the disruptions occurred, but replies to them suggest the Teams outage affected users in Los Angeles, Dallas, New York City, Hong Kong, and eastern Australia.

Microsoft's cloud service level agreement is complex. Under it, the only compensation an organization can receive for downtime is a service credit, and since the credit is not applied automatically, customers must request it.

"Telemetry shows that this incident had an impact on about 300,000 calls. Due to business hours falling inside the effect timeframe, the Asia Pacific (APAC) region was the most impacted. Direct Routing and Skype MFA were also significantly affected," the company explained.


What sparked the outage?

The incident ultimately affected users trying to use one or more Microsoft 365 apps and services, according to BleepingComputer.

A botched Enterprise Configuration Service (ECS) deployment was the root cause of the outage, as Microsoft stated in its incident report. "Backward compatibility with services that use ECS was impacted by a deployment of the ECS service that had a code flaw. The end result was that it would send inaccurate configurations to all of its partners for services using ECS," the firm stated.

As a result, downstream services received an HTTP 200 status, indicating that the configuration pull had succeeded, but the body contained only a malformed JSON object. How each Microsoft service handled the flawed configuration supplied by ECS determined the severity of the impact, which ranged from services collapsing, as Teams did, to little or none.

Microsoft says that as a result of this incident it is working to make the Microsoft Teams service more resilient so that it can fall back to a previous version of the ECS configuration in the event of a future ECS failure.
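The failure mode described above, a 200 response whose body is not a usable configuration, and the fix Microsoft describes, falling back to the last good configuration, are both easy to show in code. The following is an added example, not Microsoft's ECS client. The minimal config schema, the feature names, the scripted fetch function and the canned responses are all assumptions constructed for the illustration.

```python
"""Last-known-good configuration client.

Added example illustrating the ECS failure mode above; not Microsoft's code.
The schema, feature names, fetch function and responses are assumptions.
"""
import json

REQUIRED = {"version": int, "features": dict}   # assumed minimal schema


def validate(cfg):
    """Schema check: a 200 with well-formed JSON can still be the wrong shape."""
    if not isinstance(cfg, dict):
        return False
    for key, typ in REQUIRED.items():
        if not isinstance(cfg.get(key), typ):
            return False
    return all(isinstance(v, bool) for v in cfg["features"].values())


def naive_apply(status, body):
    """The brittle pattern: trust any HTTP 200 and parse whatever came back."""
    if status != 200:
        raise RuntimeError(f"http {status}")
    return json.loads(body)["features"]["calling"]   # raises on malformed or mis-shaped bodies


def naive_outcome(status, body):
    """What the brittle client ends up with for a given response."""
    try:
        return ("ok", naive_apply(status, body))
    except (json.JSONDecodeError, TypeError, KeyError) as exc:
        return ("crash", type(exc).__name__)


class ConfigClient:
    """Keeps serving the last validated config when a refresh is unusable."""

    def __init__(self, fetch, initial):
        self._fetch = fetch            # callable returning (http_status, body_text)
        self.current = initial         # last-known-good, already validated
        self.rejected = []             # why each refused refresh was refused

    def refresh(self):
        status, body = self._fetch()
        if status != 200:
            self.rejected.append(f"http {status}")
            return self.current
        try:
            cfg = json.loads(body)
        except json.JSONDecodeError as exc:
            self.rejected.append(f"malformed json: {exc.msg}")
            return self.current
        if not validate(cfg):
            self.rejected.append("schema violation")
            return self.current
        if cfg["version"] < self.current["version"]:
            self.rejected.append("stale version")   # a rollback must be explicit, not accidental
            return self.current
        self.current = cfg
        return cfg


def scripted_fetch(responses):
    """Stand-in for the HTTP call to the config service: replays canned (status, body) pairs."""
    it = iter(responses)
    return lambda: next(it)


# Constructed responses: baseline, then the outage shapes, then a healthy update.
BASELINE = {"version": 40, "features": {"calling": True, "chat": False}}
TRUNCATED = '{"version": 42, "features": {"calling": true, "cha'        # 200 OK, broken body
WRONG_SHAPE = '{"version": 43, "features": ["calling", "chat"]}'         # parses, wrong types
STALE = '{"version": 39, "features": {"calling": true, "chat": true}}'   # valid but older
GOOD = '{"version": 41, "features": {"calling": true, "chat": true}}'
RESPONSES = [(200, TRUNCATED), (200, WRONG_SHAPE), (503, ""), (200, STALE), (200, GOOD)]


def run_demo():
    client = ConfigClient(scripted_fetch(RESPONSES), dict(BASELINE))
    versions = [client.refresh()["version"] for _ in RESPONSES]
    return versions, client.rejected

if __name__ == "__main__":
    print("naive client on truncated body:", naive_outcome(200, TRUNCATED))
    print("resilient client versions per refresh, rejections:", run_demo())
```

The point is that the resilient client never lets a bad pull replace a good configuration, so a broken deployment degrades to "running yesterday's config" rather than to an outage. It also records why each refresh was refused, which is what the on-call engineer needs to tell a broken config service from a broken network.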


Phishing Emails Faking Voicemails aim to Steal Your Data

 

A phishing campaign is sending emails that pose as voicemail notifications to harvest victims' Microsoft 365 and Outlook login credentials. Researchers at Zscaler's ThreatLabz said the campaign, which resembles phishing emails from a few years ago, was discovered in May and is still active.

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

Attackers alert recipients to missed voicemails via email notifications containing links to web-based attachments. Although many people no longer check voicemail, audio messages on LinkedIn and WhatsApp have been around for a while, so using them as a pretext to get users to click a link in an email can succeed.

Naturally, when the target clicks the link, they are taken not to a voicemail but to a credential phishing page hosted on servers in Japan. If the encoded email address at the end of the URL is missing, the user is redirected to the Microsoft Office website or a Wikipedia page instead.

After the user solves a CAPTCHA, the final page, an Office 365 phishing page, is displayed. The 2020 campaign Zscaler tracked used the same approach.

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully," Zscaler ThreatLabz reports.

Microsoft 365 Remains a Popular Target

In a 2022 Egress report titled "Fighting Phishing: The IT Leader's View," 40% of firms using Microsoft 365 reported falling victim to credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months.

Phishing continued to increase as most businesses shifted quickly to a largely remote workforce, with many employees working from home, and it peaked at the height of the COVID-19 pandemic in 2020 and 2021.

The campaign has harvested a large number of credentials, which can serve several cybercrime endgames: taking over accounts to reach files and steal data, sending malicious emails that appear to come from a legitimate organization, implanting malware, and adding the username/password pairs to credential-stuffing lists in the hope that victims reuse the same passwords across several accounts.

Microsoft 365 accounts are usually a rich mine of data that can be downloaded in bulk, according to Robin Bell, CISO of Egress. Attackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts to boost the success of their attacks.

Phishing Uses Azure Static Web Apps to Mimic Microsoft

 

Phishing attacks are abusing Microsoft Azure's Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. Azure Static Web Apps is a Microsoft service that builds and deploys full-stack web apps to Azure from a GitHub or Azure DevOps code repository.

Security researcher MalwareHunterTeam uncovered the campaign. Attackers are using the service's custom branding and web hosting features to deploy static phishing landing pages that mimic Microsoft services, targeting users of Microsoft, Office 365, Outlook, and OneDrive.

Several of the landing and login pages in these phishing attempts are nearly identical to official Microsoft pages.

Azure Static Web Apps follows a workflow tailored to a developer's daily routine: apps are built and deployed from code changes. When users create an Azure Static Web Apps resource, Azure integrates directly with GitHub or Azure DevOps to watch a branch of their choice. Every time they push commits or merge pull requests into the watched branch, a build runs automatically and the app and API are published to Azure.

Targeting Microsoft users with Azure Static Web Apps is an effective strategy. Because of the *.1.azurestaticapps.net wildcard TLS certificate, each landing page gets a secure-page padlock in the address bar. Even skeptical targets may be fooled after seeing a certificate issued by Microsoft Azure TLS Issuing CA 05 to *.1.azurestaticapps.net, which in the eyes of potential victims certifies a fraudulent page as an official Microsoft login screen.

Thanks to the false sense of security provided by legitimate Microsoft TLS certificates, such landing pages are also useful for targeting users of other platforms, such as Rackspace, AOL, Yahoo, and other email providers.

The usual advice for spotting a phishing attack is to double-check the URL whenever you are asked to enter account credentials on a login page. Unfortunately, phishing campaigns hosted on Azure Static Web Apps render this advice nearly useless, since many users will be reassured by the azurestaticapps.net subdomain and the genuine TLS certificate. A valid certificate proves only that the page is served from that hostname, not who operates it; a real Microsoft sign-in page is served from Microsoft's own login domains, not from a tenant subdomain of a shared hosting service.

In 2021, Most Ransomware Was Self-Installed

 

According to Expel, a managed detection and response (MDR) provider, the majority of ransomware attacks in 2021 were self-installed. The finding appears in its annual report on cybersecurity trends and predictions, 'Great eXpeltations'.

Eight out of ten ransomware incidents were caused by victims unwittingly opening a zipped file containing malicious code, while 3% of ransomware cases resulted from abuse of third-party access and about 4% from exploitation of a software vulnerability on the perimeter.

Ransomware is malware that locks users out of their data or computer and demands payment to restore access. Data may be encrypted, stolen, destroyed, or hidden, or the computer itself may be locked, and some ransomware attempts to infect other computers on the network.

Business email compromise (BEC) attempts accounted for 50% of incidents, with SaaS apps the most common target. More than 90% of those attacks targeted Microsoft Office 365, attacks on Google Workspace made up less than 1% of events, and Okta accounted for the remaining 9%.

Ransomware accounted for 13% of all opportunistic attacks. Legal services, communications, financial services, real estate, and entertainment were the five most-attacked industries. Expel also found that 35% of web app compromises resulted in the deployment of a crypto miner.

Factors that increase the risk of falling victim to a ransomware attack:

  • The device is old.
  • The device's software is out of date.
  • Browsers and/or operating systems are no longer patched.
  • There is no suitable backup plan in place.
  • Cybersecurity has received insufficient attention, and no solid plan is in place.

How to protect against ransomware:

  • Set up a firewall.
  • Keep immutable backups.
  • Train staff to recognize threats.
  • Segment the network.
  • Strengthen passwords.
  • Harden endpoint security.
  • Improve email security.
  • Apply the principle of least privilege.
  • Install ad blockers.

As with other malware, caution and effective protection software are a good start against ransomware. Backups are especially important for this kind of malware, because they leave users prepared even in the worst case.

Microsoft Defender Log4j Scanner Prompts False Positive Alarm


Microsoft Defender for Endpoint is currently displaying "sensor tampering" alerts for Log4j processes, triggered by the company's newly released Microsoft 365 Defender Log4j scanner.

Defender for Endpoint has produced a series of false-positive alerts since October 2020, including one that flagged Office documents as Emotet malware payloads, one that flagged network devices as Cobalt Strike-infected, and one that flagged Chrome updates as PHP backdoors.

Microsoft 365 Defender not only unifies the view of security events across many products but also offers extensive integration and automation capabilities.

This makes having a security investigator on staff more effective and viable. Microsoft has been building the foundations of Microsoft 365 Defender for some time; using it helps run queries that can identify any or all of the following:

  • Machines infected with a particular payload.
  • Compromised mailboxes.
  • Malicious activity and the identities involved.
  • Vulnerabilities introduced by a disclosed CVE.
Microsoft 365 Defender consolidates the telemetry and insights drawn from the following products:
  • Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection)
  • Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
  • Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
  • Microsoft Cloud App Security (MCAS)
  • Azure AD Identity Protection

Microsoft 365 Defender brings all of these products together in a single security operations console. There you can see how Microsoft 365 Defender correlates and presents information from them, and trigger automated response actions to address what it finds.

Although the behavior of this Defender process is classified as malicious, there is no need for concern because these are false positives, according to Tomer Teller, Principal Group PM Manager, Enterprise Security Posture at Microsoft.

Microsoft is investigating the Microsoft 365 Defender issue and working on a fix that should reach affected PCs soon. "This is a result of our efforts to detect Log4J instances on disk," Teller said. "The team is looking into why this is causing the warning."

This Decade-old Malware has Picked Some Nasty New Tactics

 

Qakbot, a widespread trojan built to steal banking credentials, has recently started delivering ransomware, making it harder for network defenders to tell what is and isn't a Qakbot attack.

Qakbot is a particularly versatile piece of malware that has been active for over a decade and has survived multi-year attempts by Microsoft and other security firms to eliminate it. In 2017, Qakbot adopted WannaCry's lateral movement techniques, such as infecting all network shares and drives, brute-forcing Active Directory accounts, and copying itself over the SMB file-sharing protocol.

According to Kaspersky's new investigation, Qakbot is unlikely to go away soon. Its detection statistics show Qakbot infected 65% more PCs between January and July 2021 than in the same period of the previous year, and it is becoming more dangerous.

Qakbot is modular, as per Microsoft, allowing it to masquerade as unique attacks on each device on a network, making it tough to identify, prevent, and remove by defenders and security tools. 

The Microsoft 365 Defender Threat Intelligence Team stated in its report, "Due to Qakbot's high likelihood of transitioning to human-operated attack behaviours including data exfiltration, lateral movement, and ransomware by multiple actors, the detections seen after infection can vary widely." 

Given the difficulty of identifying a typical Qakbot campaign, the Microsoft team has profiled the malware's techniques and behaviours to help security analysts detect it. Emailed attachments, links, or embedded images are the most common distribution methods. It is also known to infect machines through Visual Basic for Applications (VBA) macros and legacy Excel 4.0 macros; in July, Trend Micro examined a significant Qakbot campaign that used this tactic.

Qakbot hides malicious processes using process injection, creates scheduled tasks to persist on the machine, and manipulates the Windows registry. Once installed on an infected system, it uses a variety of lateral movement techniques, as well as the Cobalt Strike penetration-testing framework and ransomware.

Last year, the FBI warned that Qakbot was spreading ProLock, a type of "human-operated ransomware." That was a concerning finding, because Qakbot-infected machines act as a bridge for the ransomware attack and must be isolated from the network. Microsoft noted that Qakbot has injected into MSRA.exe and Mobsync.exe to run various network discovery commands and steal Windows credentials and browser data.

Other criminal groups can use Qakbot's Cobalt Strike module to deploy their own payloads, such as ransomware. As per Trend Micro, Qakbot has delivered MegaCortex and PwndLocker (2019), Egregor, and ProLock (2020), and Sodinokibi/REvil (2021).

"Qakbot has a Cobalt Strike module, and actors who purchase access to machines with prior Qakbot infections may also drop their own Cobalt Strike beacons and additional payloads," Microsoft noted. 

"Using Cobalt Strike lets attackers have full hands-on-keyboard access to the affected devices, enabling them to perform additional discovery, find high-value targets on the network, move laterally, and drop additional payloads, especially human-operated ransomware variants such as Conti and Egregor." 

Microsoft's recommended mitigations for reducing Qakbot's impact include enabling Office 365 phishing protection, turning on SmartScreen and network protection in the Edge browser, and ensuring runtime macro scanning by enabling the Windows Antimalware Scan Interface (AMSI). Microsoft Defender Antivirus and some third-party antivirus products support AMSI. AMSI support for Excel 4.0 macros was added in March, so it is still a new feature.

Proofpoint Phish Harvests Credentials from Microsoft Office 365 and Google Email

 

Phishers are posing as the cybersecurity company Proofpoint in order to steal victims' Microsoft Office 365 and Google email credentials. According to Armorblox analysts, one such campaign targeted an undisclosed global communications business, with roughly a thousand employees targeted within that company alone.

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.” 

A file apparently related to mortgage payments was the email's bait. The subject line, "Re: Payoff Request," was designed to suggest an ongoing conversation, lending the message legitimacy as well as urgency. Users who clicked the "secure" link embedded in the message were led to a splash page with Proofpoint branding and spoofed login links.

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Researchers discovered another phishing campaign abusing Amazon Simple Email Service (SES), which lets developers send email from their applications. According to Kaspersky, the campaign relied on a now-revoked SES token stolen from a third-party contractor during testing of the 2050.earth website. 2050.earth is a Kaspersky project: an interactive map of the future impact of technology on the Earth as predicted by futurologists. Because the site is hosted on Amazon's infrastructure, the stolen SES token was linked to both Kaspersky and SES.

One of the sender addresses used in these emails is noreply@sm.kaspersky.com. The security alert cautioned that the emails come from a variety of sources, including Amazon Web Services infrastructure. According to the company, the stolen SES token was used only in a limited way, as part of a larger campaign targeting many brands.

Attacks like these combine social engineering, brand impersonation, and legitimate infrastructure to get past conventional email security filters and users' eye checks. Armorblox suggested the following to protect against similar campaigns:

 • Be wary of social engineering: before acting on an email, users should visually inspect the sender's name, email address, and language, and look for logical inconsistencies.

 • Improve password hygiene: enable multi-factor authentication (MFA) on all possible corporate and personal accounts, do not reuse passwords across sites and accounts, and avoid passwords derived from publicly available information.

Threat Actors Use QR Codes to Steal Login Credentials

 

Attackers are distributing phishing emails containing QR codes in a campaign built to harvest Microsoft 365 credentials. Usernames and passwords for enterprise cloud services have become a prime target: attackers use them to launch ransomware and malware attacks, or sell them to other threat actors who use them in their own campaigns.

Threat actors keep finding sneaky ways to lure victims into opening malicious links that lead to phishing pages built to resemble genuine Microsoft login pages, and then sell the captured credentials.

Researchers at Abnormal Security analyzed a recent campaign in which phishing emails used QR codes to evade email protections and steal credentials. QR codes suit this purpose because standard email security controls such as URL scanners see no suspicious link or attachment in the message.

The campaign is run from previously compromised email accounts, which lets the attackers send from authentic company accounts and lends the messages a look of legitimacy that users tend to trust. Researchers have yet to confirm how the threat actors gained control of the accounts used to send the phishing emails.

The phishing emails claim to carry a voicemail message from the owner of the sending account, and the target is asked to scan a QR code to listen to it. The QR codes were generated on the same day they were sent. An earlier variant of the campaign tried to get users to open a malicious link hidden in an audio file.

But antivirus software detected the malicious files, prompting the threat actors to switch to QR codes. "While using the QR codes method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. Applying multi-factor authentication to Microsoft 365 accounts can also help protect login details from being stolen," ZDNet reports.

NSA and FBI Blame Russia for Massive ‘Brute Force’ Attacks on Microsoft 365

 

American intelligence and law enforcement agencies have accused a Kremlin-backed hacking group of a two-year campaign to break into Microsoft Office 365 accounts. 

In a joint advisory with British intelligence, the NSA, FBI, and DHS blamed Fancy Bear for the broad "brute force" attacks. Fancy Bear is best known for hacking the Democratic National Committee in the run-up to the 2016 US presidential election. 

According to the agencies, Fancy Bear is the 85th Main Special Service Center (GTsSS), a unit within the Russian General Staff Main Intelligence Directorate (GRU), and it has been running its brute force attacks against a variety of sectors, including government and military departments, defence contractors, political parties, energy companies, and media outlets. The majority of the targets were in the United States and Europe. 

The joint statement stated, “These efforts are almost certainly still ongoing. This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.” 

“This lengthy brute force campaign to collect and exfiltrate data, access credentials, and more is likely ongoing, on a global scale,” said Rob Joyce, the NSA's director of cybersecurity. 

At the time of writing, neither Microsoft nor the Russian embassy in London had replied to requests for comment. Fancy Bear used a technique known as "password spraying": rather than hammering a single account with many passwords, which trips lockout thresholds, the attackers try a small number of common passwords across a large number of accounts, so each account sees only a few failed attempts. The attack traffic was routed through virtual private networks or the Tor network, both of which conceal the real source IP address by passing traffic through a chain of intermediate servers. 

According to the US advisory, the campaign was run from a Kubernetes cluster, the open-source container orchestration platform originally developed by Google. Users of Microsoft 365 and other targeted cloud services should enable multi-factor authentication, which requires a one-time code in addition to the username and password to access an account. The advisory also recommends that an account be locked out, or a delay imposed before further attempts, after a number of failed login attempts. 
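The distinction between spraying and conventional brute force is what a detection should key on: a spray source fails against many accounts a few times each, a brute-force source fails against one account many times. The following Python is an added example, not part of the advisory, that triages sign-in records on that basis. The log format and the sample events are constructed to mirror Azure AD sign-in logs (time, user, source IP, result code, with 0 for success and 50126/50053 for bad credentials/locked account); the thresholds are assumptions to tune per tenant.

```python
"""Password-spray vs. brute-force triage over sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_CODES = {"50126", "50053", "50055", "50057"}  # bad password, locked, expired, disabled

# Constructed sample events (not real telemetry): time,user,source IP,result code
SAMPLE_EVENTS = [
    # 203.0.113.7: one guess against each of many accounts -> spray profile
    "2021-06-30T10:00:01Z,alice@contoso.example,203.0.113.7,50126",
    "2021-06-30T10:00:04Z,bob@contoso.example,203.0.113.7,50126",
    "2021-06-30T10:00:09Z,carol@contoso.example,203.0.113.7,50126",
    "2021-06-30T10:00:12Z,dave@contoso.example,203.0.113.7,50126",
    "2021-06-30T10:00:15Z,erin@contoso.example,203.0.113.7,50126",
    "2021-06-30T10:00:21Z,frank@contoso.example,203.0.113.7,0",  # the guess worked here
    # 198.51.100.9: many guesses against one account -> brute-force profile
    "2021-06-30T10:05:00Z,alice@contoso.example,198.51.100.9,50126",
    "2021-06-30T10:05:02Z,alice@contoso.example,198.51.100.9,50126",
    "2021-06-30T10:05:04Z,alice@contoso.example,198.51.100.9,50126",
    "2021-06-30T10:05:06Z,alice@contoso.example,198.51.100.9,50126",
    "2021-06-30T10:05:08Z,alice@contoso.example,198.51.100.9,50126",
    "2021-06-30T10:05:10Z,alice@contoso.example,198.51.100.9,50053",
    # 192.0.2.44: a user who mistyped once, then succeeded -> benign
    "2021-06-30T10:07:00Z,grace@contoso.example,192.0.2.44,50126",
    "2021-06-30T10:07:30Z,grace@contoso.example,192.0.2.44,0",
]


def parse_event(line):
    ts, user, ip, code = line.strip().split(",")
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(), "ip": ip, "code": code}


def analyse(lines, window=timedelta(hours=1), spray_min_users=5, brute_min_attempts=5):
    """One finding per source IP whose failures, inside any `window` starting at
    one of its failed sign-ins, match a spray profile (many distinct accounts,
    few attempts each) or a brute-force profile (one account, many attempts)."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            if first["code"] not in FAILURE_CODES:
                continue
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            failures = defaultdict(int)
            for e in in_window:
                if e["code"] in FAILURE_CODES:
                    failures[e["user"]] += 1
            if len(failures) >= spray_min_users:
                kind = "password_spray"
            elif max(failures.values()) >= brute_min_attempts:
                kind = "brute_force"
            else:
                continue
            findings.append({
                "ip": ip,
                "kind": kind,
                "window_start": first["time"].isoformat(),
                "distinct_users": len(failures),
                "max_attempts_per_user": max(failures.values()),
                # accounts that later succeeded from the same source: these are
                # the valid credentials the advisory says get reused for access
                "successful_users": sorted({e["user"] for e in in_window if e["code"] == "0"}),
            })
            break  # one alert per source is enough
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The spray source never trips a per-account lockout (one failure per account), which is exactly why the advisory pairs lockout with MFA; a per-source view like this one catches what per-account counters miss. Rotating the source through VPN or Tor exits, as the advisory describes, spreads the failures over many IPs, so in practice the same grouping is also run per user-agent and per time bucket.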

The allegations follow President Biden's meeting with Russian President Vladimir Putin, during which the US leader urged his counterpart to help stop the wave of destructive cyberattacks hitting organisations around the world. 

In recent months, ransomware attacks on the pipeline operator Colonial Pipeline and meat supplier JBS, as well as the theft of US federal agency emails through the compromise of IT supplier SolarWinds, have raised alarm. 

The current attacks look like one of Fancy Bear's "classic military intel mission that is their major emphasis," according to John Hultquist, vice president of intelligence analysis at cybersecurity firm FireEye. 

Hultquist added that the group's bread and butter is good old-fashioned spy-versus-spy activity carried over into the cyber arena. He expressed concern that the group may target the upcoming Olympic Games in Japan, citing Russia's prior involvement in attacks on the 2018 Winter Olympics in South Korea.

Microsoft Cloud Users Hit by Global Outage

 

Microsoft has identified a recent change to an authentication system as the likely cause of an outage that hit users of its cloud-based productivity and back-office applications around the world. User reports of problems with the Microsoft 365 online productivity suite began around 7 pm on Monday 15 March 2021, according to Downdetector's outage tracking data.

Microsoft updated its service health status page soon after and confirmed that users might be having trouble reaching its main online collaboration, communication, and productivity tools. The company went on to confirm that any service relying on its cloud identity and access management service, Azure Active Directory (AAD), might be affected. That covers the component services that make up Microsoft 365, such as Outlook, Word, Excel, and PowerPoint, but access to the company's wider portfolio of cloud services was disrupted as well. 

As confirmed on the Microsoft status page, users of its public cloud platform Azure, its business applications suite Dynamics 365, and the Microsoft Managed Desktop service also experienced access issues. The company published a series of updates for customers during the incident through its social media channels. 

These included confirmation that a recent update to an authentication system had been identified as the cause of problems that could be affecting users worldwide. At around 9.17 pm on 15 March the company said it was rolling out a "mitigation worldwide" to address the issue, with full "remediation" expected within 60 minutes of deployment. 

“Service health has improved across multiple Microsoft 365 services,” said a post on the Microsoft 365 Twitter account. “However, we are taking steps to resolve some isolated residual impact for services that are still experiencing impact.” On 16 March the company published a further update on Twitter saying the incident appeared to be largely resolved. “Our monitoring indicates that the majority of the services have fully recovered,” it said. “However, we’re addressing a subset of services that are still experiencing some residual impact and delays in recovery.”

Microsoft Office Phishing Attack Hosted on Google Firebase

 

A phishing campaign aimed at stealing Microsoft login credentials is using Google Firebase to bypass email security controls in Microsoft Office 365, researchers said. 

Researchers at Armorblox observed invoice-themed emails sent to at least 20,000 mailboxes that purport to share details of an electronic funds transfer (EFT) payment. The emails carry a fairly plain subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.

Clicking the link starts a chain of redirects that ultimately lands the target on a Microsoft-branded page hosted on Google Firebase. That page is a phishing page designed to collect Microsoft login credentials, secondary email addresses, and phone numbers. “Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” according to Armorblox. 

Impersonating Microsoft to phish for account credentials remains effective because it lets attackers insert themselves into routine business workflows, said Rajat Upadhyaya, head of engineering at Armorblox. “Viewing documents via Office 365 is something we do every day, so victims might think it’s not unusual to enter login credentials in this situation,” Upadhyaya added. “Plus, hosting the final phishing page on Google Firebase lends the domain inherent legitimacy and allows it to bypass email security blocklists and filters.” 

The attack bypassed Microsoft's native email security controls. Microsoft assigned the email a Spam Confidence Level (SCL) of 1, meaning it was not judged suspicious and was delivered to end-user mailboxes. By hosting the phishing page's HTML on Google Firebase, an inherently trusted domain, the emails slipped past the built-in Microsoft filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

To defend against email-borne threats, employees should treat emails relating to money or data with an "eye test" that covers the sender name, the sender email address, the language used in the email, and any logical inconsistencies in the message, according to Armorblox.

Phishing Campaigns Evolving Rapidly; Using Innovative Tactics to Avoid Detection

 

In the past few months, Microsoft Office 365 phishing campaigns have evolved rapidly, using tricks such as inverted login pages, per-recipient subdomains, and sandbox detection to evade detection. Some of the notorious but ingenious tricks observed by security researchers are: 

Detecting Sandboxes 

Microsoft recently discovered a phishing campaign that evades automated analysis by detecting security sandboxes. The campaign uses URLs that can recognise a sandbox and then redirect to a legitimate page or website instead of the phishing landing page.

"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering," said Microsoft. 

"The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc."

This ensures that only real people, that is potential victims, reach the landing page, and not security researchers or automated scanners, which reduces the chance of the page being blocked. 

The emails themselves are carefully crafted and obfuscated, another way of slipping past email gateways. 

Inserting Custom Sub-domains 

Another way these attackers make phishing URLs look legitimate is by inserting a custom subdomain for each recipient that contains their name and their organisation's name. 

"This unique subdomain is added to a set of base domains, typically compromised sites," Microsoft explained. 

"Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient." 

"The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection."

Inverting Images of Webpages

This campaign uses a colour-inverted image of the web page it is imitating as the background of its landing page. Security scanners that compare a page's rendering against reference images of known brand login pages see only the inverted image, fail to match it, and let the page through. 

The phishing kit then reverses the inversion with a Cascading Style Sheets (CSS) filter so that the user sees what looks like the original page. 

Google Ads

Another neat trick used by phishing campaigns is to abuse Google Ads, Google Cloud Services, Microsoft Azure, Microsoft Dynamics, and IBM Cloud to host phishing pages that look legitimate and slip past secure email gateways.

FileWall, a Content Disarm and Reconstruction Solution for Microsoft 365 by Odix

In recent months there has been a sharp surge in malware attacks. According to Check Point, the last quarter alone saw a 50% increase. “In the last 3 months, there has been a 50% increase in the daily average of attacks, compared to the first half of 2020. US ransomware and malware attacks doubled (~98% increase) in the last 3 months, making it the #1 most targeted country for ransomware, followed by India, Sri Lanka, Russia, and Turkey”, reports Check Point. 

CSO Online recently published a report with staggering figures: in its sample, 92% of malware was delivered by email. Another report, by Symantec, puts the share of malicious email attachments that are Office files at 48%. With numbers like these, the question is not whether you will suffer a malware attack but when. 

So ehackingnews looked into cybersecurity products for email and phishing malware as well as file protection, and one company stood out with promising technology and a competent product: Odix and its patented Content Disarm and Reconstruction (CDR) technology.

Odix- CDR, and FileWall 

Odix, headquartered in Israel with clients in the US and Europe, recently entered the Indian market. It specialises in anti-malware tools built on its patented Content Disarm and Reconstruction (TrueCDR™) technology. Rather than trying to detect attack vectors and malware, which would mean learning every new sample, CDR takes the incoming file, strips out any potentially harmful active content, and hands the user a clean, reconstructed copy.

“Everybody is seeing a flood of malware and we see millions of new unique samples every day and the common method to deal with that is detection. You get something and you check it and determine whether it's malicious or not but the amount of new malware that we are seeing in the world every day makes it impossible for detection based solutions to keep up, we see them lagging behind and not being able to detect everything that comes out and the concept behind CDR is a bit different than it’s a detectionless method where the aim is to prevent the attack first and once we keep the attack out after that we go into layers of trying to analyze and disarm any active content that might serve as a vector to deliver malware and malicious payloads and by doing that you can provide a safe copy to the user without burning yourself to detect any new thing that comes out” said Mr. Omri, CTO at Odix, in conversation with ehackingnews. 

“Normally CDR was something only large corporations were thinking about, because it requires a lot of effort, deployment, integration. With FileWall, you get an affordable service – a dollar per user per month, unseen in the case of CDR and a game-changer,” says Ms. Revital, CMO at Odix.  

What differentiates FileWall and Odix's CDR from other CDR providers is their efficiency and their focus on the particular file types that pass through email, so FileWall's analysis of those file types is very advanced and efficient. Odix is constantly adding file types, and although FileWall is strictly file-based protection, the company is working on a third-party URL solution and URL rewriting for malicious links inside files. As CTO Mr. Omri says, “We used to look at CDR as a solution and preventive measure while now we’re starting to look at CDR as a vehicle that knows how to dive into files and so to partner with different players with security space” to give a more secure and comprehensive solution. 

One caveat with CDR: although it is highly effective on document files, with executable files “modifying them breaks them”, so CDR plugins and FileWall are best treated as an additional layer of protection; such files are in any case already scanned by Microsoft's ATP (Advanced Threat Protection). 
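To make the "disarm and reconstruct" idea concrete, the Python below is an added example and not Odix's TrueCDR code. It applies the detectionless approach the CTO describes to a macro-enabled Word document: every package part that can carry code (the VBA project and its signature, VBA supplementary data, ActiveX controls, embedded OLE objects) is dropped regardless of whether it looks malicious, and the package's content-type and relationship tables are repaired so Word still opens the result as a plain .docx. The sample document is built in memory and its VBA part is a constructed stub, not real VBA; hyperlinks are deliberately left alone, matching the article's point that URL handling is a separate layer.

```python
"""Minimal CDR-style disarm of a macro-enabled Word document (added example)."""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Package parts that can carry or run code; everything else is passed through.
ACTIVE_PART = re.compile(r"(^|/)(vbaProject\.bin|vbaProjectSignature\.bin|vbaData\.xml)$"
                         r"|/embeddings/|/activeX/")


def build_sample_docm():
    """Constructed .docm: one paragraph plus a stand-in VBA project (not real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
                   '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/>'
                   '</Types>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
                   'Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Q3 invoice</w:t>'
                   '</w:r></w:p></w:body></w:document>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">'
                   '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                   '</Relationships>')
        z.writestr("word/styles.xml", f'<w:styles xmlns:w="{W_NS}"/>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0CONSTRUCTED-VBA-STUB")  # not real VBA
        z.writestr("word/vbaData.xml",
                   '<wne:vbaSuppData xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"/>')
    return buf.getvalue()


def _clean_content_types(payload, removed):
    """Drop overrides for removed parts; turn the .docm main part into a .docx one."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(payload)
    for el in list(root):
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "Override" and el.get("PartName", "").lstrip("/") in removed:
            root.remove(el)
        elif tag == "Override" and el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)
        elif tag == "Default" and "vbaProject" in el.get("ContentType", ""):
            root.remove(el)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _clean_rels(rels_name, payload, removed):
    """Drop relationships pointing at removed parts.  Targets in
    word/_rels/document.xml.rels are relative to word/."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(payload)
    base = posixpath.dirname(posixpath.dirname(rels_name))
    for rel in list(root):
        if rel.get("TargetMode") == "External":
            continue  # hyperlinks are left in place; URL rewriting is a separate layer
        target = rel.get("Target", "")
        resolved = target.lstrip("/") if target.startswith("/") else posixpath.normpath(posixpath.join(base, target))
        if resolved in removed:
            root.remove(rel)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def disarm_docx(data):
    """Return (clean_bytes, names_of_removed_parts)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = [n for n in src.namelist() if ACTIVE_PART.search(n)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml":
                payload = _clean_content_types(payload, removed)
            elif name.endswith(".rels"):
                payload = _clean_rels(name, payload, removed)
            dst.writestr(name, payload)
    return out.getvalue(), removed


def part_names(data):
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def read_part(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


if __name__ == "__main__":
    clean, dropped = disarm_docx(build_sample_docm())
    print("removed:", dropped)
    print("remaining:", part_names(clean))
```

Note that nothing here inspects the VBA at all; a benign macro is removed just as readily as a malicious one, which is the trade-off the article's CTO quote describes. This is also why the approach cannot be extended to executables: there is no "inactive" remainder of an .exe to reconstruct.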

At one dollar per user per month, Odix's FileWall with CDR technology is a promising file security solution for Microsoft 365 users.

Microsoft 365 Services Restored After Hours Long Outage


Recently Microsoft was hit by a massive global outage that cut users off from multiple services, including Outlook.com, Office 365, Teams, Exchange, Azure, OneDrive, Dynamics 365, SharePoint, and other cloud-based services.

According to the Azure status history page, users trying to reach any Microsoft service ran into login and server connection failures after the downtime began at around 21:25 UTC on Monday.


The disruption lasted several hours before Microsoft engineers identified the problem and rolled back the change on Tuesday.

At a time when the global pandemic restricts physical movement around the world, an outage of online services is even more disruptive, since the number of people relying on them for work and study has grown dramatically. With classrooms moved online, students and educational institutions depend heavily on the services offered by Microsoft and Google in particular.

Giving insights on the matter, Microsoft said “Users who were not already authenticated to the cloud services using Azure AD would have seen multiple authentication request failures. The impact was primarily in the Americas based on the issue being exacerbated by load, but users in other regions may also have experienced some impact. Users that had previously authenticated prior to the issue may not have experienced any noticeable effect.”

Acknowledging the issue, the Microsoft 365 Status account said in a tweet, “we’ve received reports of users experiencing issues accessing their Exchange Online accounts via Outlook on the Web. Our initial investigation indicates that India-based users are primarily impacted audience. Further details can be found in your admin center under EX223208.”

“We took corrective actions to mitigate the impact to Exchange ActiveSync and have confirmed that service has been restored after users force a sync on their impacted devices. More information can be found under EX223053 in the admin portal.” Microsoft 365 Status said in another tweet.

Microsoft has since resolved the issue affecting its online authentication systems and restored the services. Most users reported that their systems had fully recovered and that services were functioning normally again.

A Provider of Cyber Security Training Loses 28,000 Items of Personally Identifiable Information (PII) In a Data Breach


The SANS Institute, a provider of cybersecurity training and certification, lost roughly 28,000 items of personally identifiable information (PII) in a data breach that occurred after a single staff member fell for a phishing attack. 

The organisation discovered the leak on 6 August 2020 while conducting a systematic review of its email configuration and rules. 

During that review, its IT team identified a suspicious forwarding rule and a malicious Microsoft Office 365 add-in which, together, had forwarded 513 emails from one individual's account to an unknown external email address before being detected. 

While most of these messages were harmless, a number contained files with information including email addresses, first and last names, job titles, company names and details, addresses, and countries of residence. 

SANS is conducting a digital forensics investigation led by its own cybersecurity instructors and is working both to ensure that no other data was compromised and to identify areas where it can harden its systems. 

Once the investigation is complete, the organisation intends to share its findings and lessons learned with the wider cybersecurity community. 
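The breach was found by reviewing mailbox rules, which is a check any Microsoft 365 tenant can run. The Python below is an added example, not SANS's tooling: it audits inbox-rule records for the pattern seen here, forwarding or redirecting to an address outside the organisation, and raises the severity when the rule also hides the original message or carries the blank or one-character name attackers favour. The records are constructed to mirror the fields Exchange Online's Get-InboxRule returns, and the accepted-domain list is an assumption for the sample tenant.

```python
"""Audit inbox rules for external forwarding (added example, not SANS's tooling)."""
import re

INTERNAL_DOMAINS = {"sans-example.org"}  # assumption: the tenant's accepted domains

# Exchange renders recipients as  "Display Name" [SMTP:user@domain]  or as a bare address.
ADDR_RE = re.compile(r"(?:SMTP:)?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample rules (not real data).
SAMPLE_RULES = [
    {"Mailbox": "instructor@sans-example.org", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Backup" [SMTP:backup-inbox@mail-drop.example]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None},
    {"Mailbox": "finance@sans-example.org", "Name": "Invoices to shared box", "Enabled": True,
     "ForwardTo": ["ap@sans-example.org"], "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None},
    {"Mailbox": "hr@sans-example.org", "Name": "Old vendor", "Enabled": False,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": ["hr@payroll-vendor.example"],
     "DeleteMessage": False, "MoveToFolder": None},
]

# Folders a victim rarely looks in; routing mail there hides it almost as well as deleting it.
HIDING_FOLDERS = {"RSS Subscriptions", "Archive", "Junk Email", "Deleted Items"}


def addresses(values):
    found = []
    for value in values or []:
        found.extend(m.lower() for m in ADDR_RE.findall(value))
    return found


def external_targets(rule, internal_domains=INTERNAL_DOMAINS):
    targets = (addresses(rule.get("ForwardTo")) + addresses(rule.get("ForwardAsAttachmentTo"))
               + addresses(rule.get("RedirectTo")))
    return [t for t in targets if t.split("@", 1)[1] not in internal_domains]


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    findings = []
    for rule in rules:
        ext = external_targets(rule, internal_domains)
        if not ext:
            continue
        reasons = ["forwards_externally"]
        if rule.get("DeleteMessage") or rule.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append("hides_original")  # the mailbox owner never sees the message
        name = (rule.get("Name") or "").strip()
        if len(name) <= 2:
            reasons.append("blank_or_minimal_name")  # ".", "..", " " are classic attacker names
        if not rule.get("Enabled"):
            severity = "low"  # dormant, but still worth removing
        elif len(reasons) > 1:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"mailbox": rule["Mailbox"], "rule": name, "targets": ext,
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

An inbox rule is only one of the forwarding paths; the same review should cover mailbox-level forwarding settings, transport rules, and, as in this incident, installed add-ins, since each can move mail out of the tenant without a rule ever appearing in the user's Outlook.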

Chloé Messdaghi, vice-president of strategy at Point3 Security, says that "Phishers definitely understand the human element, and they work to understand peoples’ pain points and passions to make their emails more compelling. They also know when to send a phishing email to drive immediate responses." 

She concluded: "The final takeaway is that we all need to stay aware and humble – if a phishing attack can snag someone at the Sans Institute, it can happen to any of us who let our guard down."

Microsoft Office 365 Users Targeted By a New Phishing Campaign Using Fake Zoom Notifications



As people around the world adjust to the coronavirus pandemic by working from home, demand for cloud-based communication platforms offering audio and video conferencing has surged.

Zoom is one such platform, and since the start of 2020 it has seen an enormous increase in new monthly active users as large numbers of employees moved to remote working.

Now Microsoft Office 365 users are being targeted by a new phishing campaign that uses fake Zoom notifications to warn users in corporate environments that their Zoom accounts have been suspended, with the ultimate goal of stealing Office 365 logins.

Targets are more inclined to believe such emails at present, since the number of remote workers joining daily online meetings through video conferencing platforms such as Zoom has risen sharply because of stay-at-home orders and lockdowns.

So far the phishing campaign imitating automated Zoom account suspension alerts has reached more than 50,000 mailboxes, according to researchers at email security company Abnormal Security, who identified the ongoing attacks.

The phishing messages spoof an official Zoom email address and are designed to mimic a genuine automated Zoom notification.

The spoofed sender address and an email body almost free of grammatical errors or typos (apart from an obvious 'zoom' instead of 'Zoom account') make these phishing messages more convincing and potentially more effective.

The cheery "Happy Zooming!" at the end of the email might raise a few flags, though, since it does not quite fit the tone of the rest of the message.
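A spoofed sender address, as in this campaign, and a phishing page on a trusted hosting platform that scored SCL 1, as in the Firebase campaign described earlier on this page, both leave traces in the delivered message's headers even when the filter let it through. The Python below is an added example, not from Abnormal Security or Armorblox, that triages a message on its Authentication-Results, its X-Forefront-Antispam-Report SCL value, and where its links are hosted. The raw message is constructed (it combines the spoofed Zoom sender from this post with a link on a developer hosting platform), and the list of hosting platforms is an assumption to extend per environment.

```python
"""Header- and link-based triage of a delivered message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Legitimate hosting platforms that are cheap for an attacker to put a
# phishing page on (assumption; extend per environment).
HOSTING_PLATFORMS = {"firebaseapp.com", "web.app", "appspot.com", "storage.googleapis.com",
                     "azurewebsites.net", "blob.core.windows.net"}

# Constructed message; the Authentication-Results and X-Forefront-Antispam-Report
# headers follow the layout Exchange Online Protection stamps on inbound mail.
SAMPLE_RAW = """\
From: Zoom <no-reply@zoom.us>
To: jdoe@contoso.example
Subject: Your Zoom account has been suspended
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=zoom.us;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=zoom.us
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;
Content-Type: text/plain; charset="utf-8"

Your account was suspended. Activate it here:
https://zoom-verify-4f2a.firebaseapp.com/login.html
Happy Zooming!
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
SCL_RE = re.compile(r"\bSCL:(-?\d+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def on_hosting_platform(host):
    return any(host == p or host.endswith("." + p) for p in HOSTING_PLATFORMS)


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    auth_text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth_text)}

    scl_match = SCL_RE.search(str(msg.get("X-Forefront-Antispam-Report", "")))
    scl = int(scl_match.group(1)) if scl_match else None

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosted = [h for h in (urlsplit(u).hostname or "" for u in URL_RE.findall(text))
              if on_hosting_platform(h)]

    reasons = []
    # A From: domain that fails DMARC, or fails SPF without a passing DKIM
    # signature, was not authorised by that domain's owner: spoofed sender.
    if auth.get("dmarc") == "fail" or (auth.get("spf") == "fail" and auth.get("dkim") != "pass"):
        reasons.append(f"sender_not_authenticated_for_{from_domain}")
    if hosted:
        reasons.append("link_on_developer_hosting")
    verdict = "quarantine" if reasons else "deliver"
    if reasons and scl is not None and scl <= 1:
        reasons.append(f"filter_scored_scl_{scl}")  # EOP passed it; the headers still tell the story
    return {"from_domain": from_domain, "auth": auth, "scl": scl,
            "hosted_links": hosted, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_RAW))
```

Note what the SCL alone would have told you: nothing. A low spam score says only that the content-based filter found no pattern it recognised; the authentication results and the destination of the link are independent signals and, in both campaigns on this page, the ones that actually discriminate.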

When users click the "Activate Account" button, they are redirected to a fake Microsoft login page through 'an intermediary hijacked site'.

On the phishing landing page they are asked to enter their Outlook credentials into a form designed to exfiltrate the account details to attacker-controlled servers.

If they fall for the trick, the victims' Microsoft credentials will be used to take full control of their accounts, and all their data will be ripe for the taking, to be used later in identity theft and fraud schemes such as Business Email Compromise (BEC) attacks.

The US Federal Bureau of Investigation (FBI) warned of BEC actors abusing popular cloud email services, including Microsoft Office 365 and Google G Suite, in Private Industry Notifications issued in March and April. 

Even so, Office 365 users continue to be targeted by phishing campaigns whose ultimate objective is to harvest their credentials.

Microsoft has also warned that phishers are moving to new techniques, such as consent phishing, alongside conventional email phishing and credential theft attacks.

Microsoft Partner Group PM Manager Agnieszka Girling says, "While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services."

The company has also taken legal action to take down part of the attack infrastructure used to host the malicious Office 365 OAuth apps that consent phishing uses to hijack victims' Office 365 accounts.

Phishing Attacks Can Now Dodge Microsoft 365's Multi-Factor Authentication


A phishing attack has recently been found stealing confidential user data stored in the cloud.
According to sources, it is the work of a new phishing campaign that sidesteps Office 365 multi-factor authentication (MFA) to obtain the target's cloud-stored data and then uses that data as leverage to extract a ransom in Bitcoin.

Researchers report that the campaign abuses the OAuth2 framework and the OpenID Connect (OIDC) protocol. It uses a malicious "SharePoint" link to trick targets into granting permissions to rogue applications.

MFA is the fallback for cases where a user's password has been compromised. This attack is different in that it never needs the password: it tricks the target into granting the attacker's application access to the account, so the legitimate user completes the MFA step themselves and the attacker ends up with a token anyway.

The campaign is not only about extracting a ransom from the stolen data; it carries the added threat of leaving sensitive personal information exposed for others to exploit. Extortion and blackmail are among the first uses the data could be put to.

Sources note that with ordinary emails and information taken from the target's account, an attacker could easily craft "hyper-realistic Reply-Chain phishing emails."

The phishing campaign uses an ordinary-looking invitation to a SharePoint file that supposedly contains information about a "salary bonus", which is enough to trap a hasty reader, reports say.

Clicking the link takes the target to a genuine Microsoft Office 365 login page. On closer inspection, however, the URL looks suspicious and carelessly constructed, security experts say.

Access to Office 365 is obtained by acquiring a token from the Microsoft Identity Platform and then exercising the permissions that were granted against Microsoft Graph. OIDC verifies the identity of the user granting access; once that authentication succeeds, OAuth2 grants the application its access. At no point in this process are the user's credentials revealed to the application.

The URL contains "key parameters" that show how targets are tricked into granting permissions to rogue applications on their account. These parameters tell the Microsoft Identity Platform what kind of access is being requested. In this attack, the request asked for both an ID token and an authorization code, according to sources.
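Because the login page itself is genuine, the only place the attack is visible before consent is in those query parameters. The Python below is an added example, not from the researchers' report, that parses a v2.0 authorize URL and flags what a defender would look at: an unknown client_id, a redirect host the tenant has not approved, high-impact Graph scopes, and the hybrid response_type (id_token plus code) seen in this campaign. The client IDs, redirect hosts and scope list in the samples are constructed, and the "approved" lists are assumptions a tenant would fill in from its own app registrations.

```python
"""Triage of an OAuth2/OIDC authorisation URL used for consent phishing (added example)."""
from urllib.parse import parse_qs, urlsplit

# Assumptions for the sample tenant: vetted app registrations and the redirect
# hosts those apps are allowed to use.  Both IDs below are constructed.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}
APPROVED_REDIRECT_HOSTS = {"app.contoso.example"}

# Graph permissions that hand over a mailbox or file store wholesale, plus the
# refresh-token scope that keeps the access alive after the session ends.
HIGH_IMPACT_SCOPES = {
    "mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite",
    "files.read.all", "files.readwrite.all", "sites.read.all", "contacts.read",
    "user.read.all", "directory.read.all", "offline_access",
}

SAMPLE_PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    "&response_type=id_token%20code&response_mode=form_post"
    "&redirect_uri=https%3A%2F%2Fsharepoint-bonus.example%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Files.Read.All"
    "&nonce=8f1c&state=salary-bonus&prompt=consent"
)
SAMPLE_BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fauth"
    "&scope=openid%20profile%20User.Read&state=x"
)


def parse_authorize_url(url):
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "host": parts.hostname or "",
        "path": parts.path,
        "client_id": q.get("client_id", ""),
        "response_type": q.get("response_type", "").split(),
        "redirect_host": urlsplit(q.get("redirect_uri", "")).hostname or "",
        "scopes": q.get("scope", "").split(),
        "prompt": q.get("prompt", ""),
    }


def triage_consent_url(url, approved_clients=APPROVED_CLIENT_IDS,
                       approved_redirects=APPROVED_REDIRECT_HOSTS):
    p = parse_authorize_url(url)
    flags = []
    is_ms_authorize = (p["host"].endswith("login.microsoftonline.com")
                       and "/oauth2/" in p["path"] and p["path"].endswith("/authorize"))
    if not is_ms_authorize:
        flags.append("not_a_microsoft_authorize_endpoint")  # a plain credential phish, different playbook
    else:
        if p["client_id"] not in approved_clients:
            flags.append("unknown_client_id")
        if p["redirect_host"] not in approved_redirects:
            flags.append("unapproved_redirect_host")  # where the code/token will be posted
        risky = sorted(s for s in p["scopes"] if s.lower() in HIGH_IMPACT_SCOPES)
        if risky:
            flags.append("high_impact_scopes:" + ",".join(risky))
        if {"id_token", "code"} <= set(p["response_type"]):
            flags.append("hybrid_flow_id_token_and_code")  # the combination seen in this campaign
        if p["prompt"] == "consent":
            flags.append("forces_consent_prompt")
    if "unknown_client_id" in flags and any(f.startswith("high_impact_scopes") for f in flags):
        verdict = "block"
    elif flags:
        verdict = "review"
    else:
        verdict = "allow"
    return {"parsed": p, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    print(triage_consent_url(SAMPLE_PHISH_URL))
    print(triage_consent_url(SAMPLE_BENIGN_URL))
```

The genuine hostname is exactly why the URL check has to look past the host: everything that identifies the attacker (the client_id and the redirect_uri) and everything that determines the damage (the scope list) sits in the query string, and the user sees none of it on the consent screen except a friendly application name.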

If the target signs in through the SharePoint link delivered in the email, they grant the permissions described above. If they do not, the attempt fails, and it is left to tenant administrators to spot and deal with any suspicious activity.

This campaign is one example of how attack mechanisms have evolved over the years, to the point where attackers can now extract sensitive data from people simply by tricking them into granting permissions, without the victim having any idea of what is really going on.