December 15, 2016 by Canadian Underwriter
Experts with New York City-based cloud security platform Avanan reported on Wednesday that they have discovered a new cyberattack targeting business email users of Microsoft’s Office 365.
Avanan said in a blog post that the phishing attack was found using Punycode, the encoding that represents non-ASCII (internationalized) domain names with plain ASCII characters, to go undetected by both Microsoft’s default security and desktop email filters. The attack is meant to steal Office 365 credentials and abuses a vulnerability in how the program’s anti-phishing and URL-reputation security layers deal with Punycode.
Once credentials are obtained, hackers have full access to the victim’s Office 365 account, “providing an unlimited ability to embed malware, launch additional phishing attacks on the victim’s contacts, steal sensitive company information, reroute invoice remittance details, download customer information such as social security numbers and much, much more,” Avanan added in a press release.
The phishing attack starts with an email that appears to come from FedEx, informing the user that an important package is waiting for the victim. The email contains a link, which is displayed as http://www.fedex.com/us/track. The actual URL that’s embedded within this displayed link starts with http://fedex-international.com but continues with “.xn-sicherheit-schlsseldienst-twc.de/track,” the security researchers explained. The xn prefix marks a domain label encoded with Punycode, and the mismatch between the displayed text and the real, Punycode-encoded destination effectively fools Office 365 into treating this as a legitimate URL that doesn’t contain any malicious intent.
The resulting page displayed upon clicking this link is a fake Office 365 login page, asking for the user to provide his or her Office 365 password. Users still trying to access information about their package are likely to input their Office 365 password at this point, thinking that they had inadvertently logged out of Office 365, and therefore need to log back in to continue to track their package. “In reality, however, they are giving up the keys to their workplace environment to hackers,” the release said.
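The two checks a mail filter needs for the pattern described above are simple: decode any xn-- (Punycode) labels in the real destination hostname, and compare that hostname with the one shown in the link text. The following is an added illustration, not code from Avanan or from the original article; the HTML fragment and the hostnames in it are constructed (the Punycode label is RFC 3492's "bücher" example under the reserved .example TLD), not the attacker's real domain.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the article's description: the visible link text
# names the expected carrier site, while the real href points to a different host
# that carries a Punycode (xn--) label. Hostnames are placeholders, not real IoCs.
SAMPLE_HTML = """
<p>Your package is waiting. Track it here:
<a href="http://shipping-tracker.example.xn--bcher-kva.example/track">http://www.fedex.com/us/track</a>
or visit <a href="https://www.fedex.com/us/track">our site</a>.</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def extract_links(html):
    """Return (href, visible_text) pairs for every anchor in the fragment."""
    return [(m.group(1), re.sub(r"<[^>]+>", "", m.group(2)).strip())
            for m in ANCHOR_RE.finditer(html)]


def decode_host(host):
    """Decode xn-- labels back to Unicode; other labels pass through unchanged."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                labels.append(label.encode("ascii").decode("idna"))
            except UnicodeError:
                labels.append(label)  # malformed Punycode: keep the raw label
        else:
            labels.append(label)
    return ".".join(labels)


def analyze_link(href, text):
    """Describe one link: real host, decoded host, and the two warning signs."""
    actual = (urlparse(href).hostname or "").lower()
    shown = urlparse(text).hostname if "://" in text else None
    shown = shown.lower() if shown else None
    return {
        "href": href,
        "actual_host": actual,
        "decoded_host": decode_host(actual),
        # Sign 1: the destination uses an internationalized (Punycode) label.
        "punycode": any(l.startswith("xn--") for l in actual.split(".")),
        # Sign 2: the link text is itself a URL whose host differs from the real one.
        "display_mismatch": shown is not None and shown != actual,
    }


def flag_suspicious(html):
    """Return analyses of links that show a Punycode label or a host mismatch."""
    return [a for a in (analyze_link(h, t) for h, t in extract_links(html))
            if a["punycode"] or a["display_mismatch"]]


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_HTML):
        print(finding)
```

Run on the sample, the first anchor is flagged on both counts (its real host decodes to shipping-tracker.example.bücher.example while the text claims www.fedex.com); the second anchor, whose text is not a URL and whose host is the genuine one, is not. A real filter would also apply the same decode step before consulting any URL-reputation list, so that the reputation lookup sees the host the browser will actually resolve.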
Matt Litchfield, vice president of information technology at JD Norman Industries, a manufacturer of metal components and systems with operations in Canada, the United States, Mexico and the United Kingdom, said in the release that the company is “experiencing phishing emails that target my users’ Office 365 credentials. These types of attacks represent a very serious security concern for my organization. I no longer believe that Office 365 email scanning offers sufficient protection from phishing attacks by itself; we must layer additional security on top of what Microsoft already provides to ensure a comprehensive email security solution.”
Gil Friedrich, a cloud security expert and Avanan’s CEO, added that “this is a very significant attack. With this attack, it’s clear that hackers now realize they can exploit victims’ workplace shopping habits to infiltrate corporate networks, which can be potentially much more valuable than petty credit card theft.”
“This exploit represents the latest attack on business users of Microsoft Office 365 and Google’s business Gmail programs, which have become platforms of choice for attacks since hackers can test the deliverability of their messages through their own low-cost test accounts,” the release said. “Companies that have migrated to these SaaS (software as a service)-based mail programs without adding necessary security layers have effectively exposed their users to the growing world of cloud security attacks.”
According to Avanan, Office 365 and Gmail have “inherently limited” abilities to block these attacks, since hackers can simply keep testing the deliverability of their messages until they successfully bypass built-in security layers. No one vendor can provide total protection, which is why Avanan recommends a “multi-vendor, defence-in-depth approach.”
Avanan has also offered to provide a free tool to scan Office 365 mailboxes, if users register at http://www.avanan.com/puny-phishing-office-365.