www.armorblox.com
2a05:d014:275:cb00::c8
Public Scan
Submitted URL: https://em.armorblox.com/MTc2LVhNSi0wMzAAAAGK7NTd5CafuWNY7RU6d1r4s5oWJ1P_6wZlZjO21A9FNjH2iprpKv3YGxOk0LzwHxLbJsE3COg=
Effective URL: https://www.armorblox.com/blog/beware-of-dangerous-office-365-spear-phishing-tactics/?utm_medium=nurture&utm_source=email&...
Submission: On April 04 via api from US — Scanned from DE
Form analysis
2 forms found in the DOM
Text Content
BEWARE OF THESE DANGEROUS OFFICE 365 SPEAR PHISHING TACTICS

Written by Lauryn Cash
News and Commentary / 12.22.21

Securing Office 365 email has been in the spotlight since Microsoft revealed that O365 users had been the targets of a spear phishing campaign in effect since July 2020.
Is Microsoft Office 365 email secure? Since its inception, Office 365 has been an integral part of millions of businesses. However, its popularity has created a significant attack surface for threat actors who have continually changed their tactics to evade detection. Since cloud adoption has surged and Office 365 subscribers have increased to over 50.2 million, stopping phishing attacks on O365 has become increasingly important.

Today we’ll look at four types of attacks that target Office 365 users:

* Attacks that spoof workflows
* Attacks that exploit business workflows
* Attacks that impersonate well-known brands
* Attacks that use unique techniques

1. ATTACKS THAT SPOOF WORKFLOWS

Attacks that spoof workflows duplicate existing workflows, fooling targets into believing they’ve received legitimate communications. These attacks are successful because they encourage victims to employ “System 1 thinking” – the brain’s automatic, intuitive approach to dealing with new situations. Unfortunately, when you “click before you think,” you open yourself up to being fooled by phony workflows you swear you’ve seen many times before. Here are three examples of attacks that spoof workflows.

WELLS FARGO LOCKED ACCOUNT NOTIFICATION

This email campaign impersonated a Wells Fargo locked account workflow to steal victims’ banking credentials. Variants of this email attack targeted over 10,000 customer inboxes. Microsoft skipped spam filtering because it determined that the email was from a safe sender to a safe recipient or was from an email source server on the IP Allow list.
* Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO), Proofpoint
* Techniques used: Social engineering, brand impersonation, replicating existing workflows, using Hotmail accounts

FILE-SHARING NOTIFICATION FROM PROOFPOINT

This credential phishing attack impersonated Proofpoint to steal victims’ Google and Microsoft logins, claiming to contain a secure file sent via Proofpoint as a link. Clicking the link took victims to a page that spoofed Proofpoint branding and contained login links for various email providers. Additionally, the attack included dedicated login page spoofs for Google and Microsoft.

* Email security bypassed: Microsoft email security
* Techniques used: Social engineering, brand impersonation, replicating existing workflows, account takeover

ONLINE SHIPPING NOTIFICATIONS FROM FEDEX AND DHL

This double attack impersonated a FedEx online document share and pretended to dispense shipping details from DHL Express. Both attacks aimed to extract victims’ work email account credentials. Phishing pages were hosted on free services like Quip and Google Firebase, tricking security technologies and users into thinking the links were legitimate.

* Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365
* Techniques used: Social engineering, link redirects, hosting phishing pages on Quip and Google Firebase, brand impersonation

2. ATTACKS THAT EXPLOIT BUSINESS WORKFLOWS

These attacks are successful because they use legitimate domains to create phishing emails and pages that target a business workflow. This tricks both security software and end users into believing the communication is legitimate. Here are three examples of attacks that exploit free software.

HOSTING PHISHING PAGES ON GOOGLE FIREBASE

This email attack, sent to at least 20,000 inboxes, pretended to share information about an EFT payment with a link to download an HTML invoice.
Unfortunately, when the invoice was opened, the HTML loaded a page with Microsoft Office branding hosted on Google Firebase. The final phishing page attempted to extract the victims’ Microsoft login credentials, alternate email addresses, and phone numbers.

* Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365
* Techniques used: Social engineering, link redirects, HTML hosted on Google Firebase, brand impersonation

HOSTING PHISHING PAGES ON BOX

In this credential phishing attempt, attackers hosted a phishing site on Box. They sent an email claiming to come from a legitimate third-party vendor and included a link to a secure document. Clicking the link led readers to a page hosted on Box, followed by a credential phishing page that resembled the Office 365 login portal.

* Email security bypassed: Microsoft email security
* Techniques used: Social engineering, link redirects, brand impersonation

PHISHING PAGES HOSTED ON WEBFLOW AND GOOGLE SITES

This credential phishing attempt impersonated internal IT teams with an email asking readers to review a secure message sent over Microsoft Teams. Clicking the link led readers to a page designed to look like Microsoft Teams, followed by a credential phishing page that resembled the Office 365 login portal.

* Email security bypassed: Microsoft email security
* Techniques used: Social engineering, link redirects, brand impersonation

3. ATTACKS THAT IMPERSONATE WELL-KNOWN BRANDS

Credential phishing is a type of cyberattack. Hackers attempt to steal user credentials by posing as a known or trusted entity in an email, instant message, or other written communication channel. A trusted entity can also be a well-known brand, not just a co-worker or vendor. Here are three examples of attacks that impersonated well-known brands.

NETFLIX CREDENTIAL PHISHING

In the Netflix credential phishing attempt, attackers sent an email resembling a Netflix billing failure.
Clicking the email link took targets to a functioning CAPTCHA page with Netflix branding. Correctly filling in the CAPTCHA information led to a Netflix lookalike site, complete with a phishing flow that aimed to steal login credentials, billing address information, and credit card details.

* Email security bypassed: Office 365 Exchange Online Protection
* Techniques used: Social engineering, link redirects, brand impersonation, replicating existing workflows

AMAZON CREDENTIAL PHISHING

In an Amazon credential phishing attempt, attackers sent an email resembling an Amazon delivery order failure. However, the email came from a legitimate third-party vendor account and included a link to update Amazon billing information. Clicking on the link led victims to an Amazon lookalike site with a phishing flow that aimed to steal login credentials, billing address information, and credit card details.

* Email security bypassed: Microsoft email security
* Techniques used: Social engineering, link redirects, brand impersonation, replicating existing workflows

BANK OF AMERICA CREDENTIAL PHISHING

In the Bank of America credential phishing attempt, an email that impersonated B of A asked readers to update their email addresses to avoid getting recycled. Clicking a malicious link led readers to a credential phishing page that resembled the bank’s home page. The attack flow also included a page that asked readers for their ‘security challenge questions,’ both to get further identifying information from targets and increase legitimacy.

* Email security bypassed: Microsoft email security
* Techniques used: Social engineering, link redirects, brand impersonation, security challenge questions

4. ATTACKS THAT USE UNIQUE TECHNIQUES

There seems to be no end to the creativity used by hackers to get what they want. Here are three unique techniques used by cybercriminals.
REAL-TIME VALIDATION AGAINST ACTIVE DIRECTORY

Cybercriminals validated stolen credentials in real time when an executive at a top American business typed them into a malicious phishing page. After the user entered their Office 365 credentials into the page, the page called the Office 365 API to instantly verify the credentials against the organization’s Azure Active Directory infrastructure.

* Email security bypassed: Microsoft email security
* Techniques used: Social engineering, link redirects

TECH SUPPORT VISHING ATTACKS

In two billing/tech support vishing attacks against Geek Squad and Norton AntiVirus, hackers attempted to steal victims’ credit card details by sending fake order receipts and phone numbers to call for processing order returns.

* Email security bypassed: Exchange Online Protection (EOP), Proofpoint
* Techniques used: Social engineering, brand impersonation, replicating existing workflows, vishing (no URLs in email), using a Gmail address

SYMANTEC URL REWRITING

An email hid a zero-day phishing site behind multiple redirects, including one created using Symantec’s Click-time URL Protection tool for URL rewriting. The email was sent to an employee who focuses on real estate projects. It included a link to a PDF that seemed to contain bid details for an upcoming building project. However, clicking the link led victims through multiple redirects, including one created using Symantec’s Click Time Protection. The redirects culminated at a page that asked for login details. Again, all pages resembled legitimate OneDrive and Adobe pages in an attempt to pass the targets’ eye tests.

* Email security bypassed: A spoof of Symantec email security
* Techniques used: Social engineering, link redirects, brand impersonation

SECURING OFFICE 365 EMAIL WITH ARMORBLOX

As the examples cited in this article indicated, Microsoft native security features weren’t enough to protect users against various types of spear phishing attacks.
Augmenting built-in controls with multilayered software like Armorblox adds email security solutions that protect your business and your human layer from fraud and sensitive data exposure.