The phishing email, targeting more than 21,000 users, managed to bypass Microsoft Exchange’s email security, Armorblox said.
Phishing attacks work by impersonating a well-known or trusted brand, product, or company, usually to trick recipients into handing over account credentials or other sensitive information. That is exactly the case with a recent campaign analyzed by security firm Armorblox, in which the attacker impersonates Zoom in an attempt to harvest recipients' Microsoft account credentials.
How the attack worked
The phishing email, aimed at more than 21,000 users at a national healthcare company, carried the subject line “For [name of recipient] on Today, 2022”, with each user's actual name inserted. Dressed up with Zoom's name and logo, the email claimed that the recipient had two messages waiting for a response. To read the supposed messages, the recipient had to click the main button in the body of the message.
The main button led to a landing page spoofing Microsoft's login page. There, victims were told to enter their Microsoft account password, ostensibly to verify their identity before viewing the messages. The username field was already populated with the person's real email address, which lends the page an extra air of legitimacy at no cost to the attacker, who already knew the address from the mailing list. Any Microsoft password entered on the page was captured by the attackers.
The original phishing email, sent from a valid domain, evaded Microsoft Exchange's security checks because it passed the standard email authentication checks: DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Those checks only establish that the message genuinely came from the domain in its From header; they say nothing about whether that domain has any relationship with the brand the message imitates. The emails were instead blocked from reaching users' inboxes by Armorblox's security layer.
Why was the attack so convincing?
This particular campaign used several tricks to convince unsuspecting users of its legitimacy. The first is social engineering: by claiming that two messages were waiting for a response, the email plays on the recipient's curiosity and sense of urgency. The next is impersonation: by counterfeiting a well-known brand like Zoom and using a Microsoft login page as the gateway to the pending messages, the campaign trades on familiarity and trust in both brands.
By sending the email from a legitimate, properly authenticated domain, the attackers did what they could to get past automated security controls. The email is also written so as not to raise red flags, either with email security tools or with an unsuspecting recipient.
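The points above (authentication passing on an unrelated domain, Zoom branding in the display name, a Microsoft-looking login link that pre-fills the recipient's address) are exactly the signals a mail-filtering layer can check independently of SPF/DKIM/DMARC. The script below is an added example written for this article, not Armorblox's product or anything from the report: it runs over two constructed messages (all domains are placeholders invented here) and shows that a fully authenticated message can still be flagged for brand impersonation, while a structurally similar message that really comes from the brand's own domain is not. The brand-to-domain map and the crude registrable-domain cut are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the campaign in the article: Zoom branding,
# an unrelated but fully authenticated sending domain, and a link to a fake
# Microsoft login page that carries the recipient's address. All domains are
# placeholders invented for this example.
PHISH_EMAIL = b"""\
Authentication-Results: mx.healthcare.example; spf=pass smtp.mailfrom=bulk.example-sender.com; dkim=pass header.d=example-sender.com; dmarc=pass header.from=example-sender.com
From: "Zoom" <no-reply@example-sender.com>
To: alice@healthcare.example
Subject: For Alice on Today, 2022
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have 2 messages waiting for your response.</p>
<a href="https://login.microsoft-verify.example-phish.com/?u=alice@healthcare.example">Review messages</a>
</body></html>
"""

# Constructed control case: same layout, but sender and link really are Zoom.
LEGIT_EMAIL = b"""\
Authentication-Results: mx.healthcare.example; spf=pass smtp.mailfrom=zoom.us; dkim=pass header.d=zoom.us; dmarc=pass header.from=zoom.us
From: "Zoom" <no-reply@zoom.us>
To: alice@healthcare.example
Subject: Your meeting recording is ready
Content-Type: text/html; charset=utf-8

<html><body><a href="https://zoom.us/rec/share/abc123">View recording</a></body></html>
"""

# Assumed brand-to-domain map for the example; a real deployment would
# maintain a far larger, curated list.
BRAND_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def auth_results(msg):
    """Parse the spf/dkim/dmarc outcomes out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def registrable(host):
    """Crude registrable-domain cut (last two labels). Fine for the sample
    domains here; use a public-suffix library for real traffic."""
    return ".".join(host.lower().split(".")[-2:])


def brands_named(text):
    """Brands whose name appears in the given text (display name or hostname)."""
    return {b for b in BRAND_DOMAINS if b in text.lower()}


def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1]
    _, recipient = parseaddr(str(msg["To"]))
    findings = []

    # Trick 1 (impersonation): display name names a brand, but the domain that
    # actually passed authentication is not one of that brand's domains.
    for brand in brands_named(display):
        if registrable(from_domain) not in BRAND_DOMAINS[brand]:
            findings.append(f"display name claims {brand} but authenticated sender is {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in HREF_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Trick 2 (fake login page): brand name in the hostname, on a domain the brand does not own.
        for brand in brands_named(host):
            if registrable(host) not in BRAND_DOMAINS[brand]:
                findings.append(f"link host {host} mimics {brand}")
        # Trick 3 (pre-filled username): the recipient's own address is carried in the link.
        values = [v for vals in parse_qs(parsed.query).values() for v in vals]
        if recipient and any(recipient.lower() in v.lower() for v in values):
            findings.append(f"link pre-fills recipient address {recipient}")

    # The authentication result is reported but deliberately never used to clear
    # the message: "pass" only tells us who really sent it.
    return {"authenticated": authenticated, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, triage(raw))
```

Both messages come back `authenticated: True`; only the first produces findings, and it is the mismatch between the brand on display and the domain that authenticated, not the authentication result itself, that drives the quarantine verdict.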
How to protect your organization from phishing
To help protect your organization and employees from these types of phishing attacks, Armorblox offers the following recommendations:
Supplement your native email security with additional tools
The email described in the report slipped past Microsoft's built-in controls, a sign that native email security needs to be augmented with additional, layered tools that look beyond authentication results at content, links and sender context. To find the right product, consult Gartner's Market Guide to Email Security and Armorblox's Email Security Threat Report for 2022.
Beware of social engineering tricks
With a constant flood of email in their inboxes, people often skip examining messages closely. Rather than acting on a message immediately, users should take the time to check key elements: the sender's display name, the sender's actual email address, the destination of any link, and the message language. The goal is to spot mismatches, typos or inconsistencies that look suspicious, such as a Zoom-branded message sent from a domain that has nothing to do with Zoom.
Apply proper password hygiene
Avoid using the same password on multiple sites, because a credential captured on one phishing page can then be replayed against every other account that shares it. To avoid password reuse while still using strong, unique passwords, use a password manager.
Use multi-factor authentication
Requiring MFA is one of the most effective ways to stop an attacker from logging in with a phished password, since the captured credential alone is no longer enough to complete a sign-in.