A phishing attack is using VPN impersonation to trick people into revealing their Microsoft Office 365 credentials.
With so many people working from home, VPN use has increased considerably. Most companies rely on this sort of technology to let employees connect to the corporate infrastructure safely, so it stands to reason that bad actors would seek to use it as an attack vector.
Microsoft Office 365 credentials are highly valued on the dark web because, in the right circumstances, they can give attackers a way into a company’s network that doesn’t require too much effort. Defense systems would have a hard time identifying a hacker who’s using legitimate credentials.
“The attack impersonates a notification email from the IT support at the recipients’ company,” reads the advisory from Abnormal Security.
“The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target’s company, the hyperlink actually directs to an Office 365 credential phishing website,” the advisory continues.
While the attack seems to originate from numerous IPs and different senders, the payload in each email was identical, which means they’re all part of the same campaign.
According to the researchers, the phishing landing page, which was displayed if the victim believed the message, was hosted on a Microsoft .NET platform, and it’s identical to the Office 365 login website. Since it’s hosted on a Microsoft platform, the certificate is also legitimate.
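Two traits described above lend themselves to a mail-filter check: a link whose visible text names the recipient's own organization while the hyperlink points elsewhere, and the same link target arriving from different senders. The sketch below is an added example, not code from the advisory; the function names and the `example.com` / `example.net` hosts are hypothetical placeholders, and it assumes single-part HTML bodies and a From domain spoofed to match the target's organization.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(raw_email):
    """Return hrefs whose visible text names the From domain but whose host is off that domain."""
    msg = message_from_string(raw_email)
    org = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    hits = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        on_org = host == org or host.endswith("." + org)
        if org in text.lower() and not on_org:
            hits.append(href)
    return hits

def campaigns(raw_emails):
    """Group senders by identical off-domain link target; several senders suggest one campaign."""
    by_target = defaultdict(set)
    for raw in raw_emails:
        sender = parseaddr(message_from_string(raw)["From"])[1]
        for href in mismatched_links(raw):
            by_target[href].add(sender)
    return {target: s for target, s in by_target.items() if len(s) > 1}

# Constructed sample messages (not from the advisory): one payload, two spoofed senders.
TEMPLATE = ("From: IT Support <{}>\nTo: user@example.com\nContent-Type: text/html\n\n"
            '<a href="https://landing.example.net/login">https://vpn.example.com/config</a>')
SAMPLES = [TEMPLATE.format(s) for s in ("it-support@example.com", "helpdesk@example.com")]
```

A link that both reads and resolves inside the organization's domain is not flagged, so the check targets only the text-versus-target mismatch the advisory describes.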
As usual, people should not open emails from unknown senders, and they should be wary of any messages requesting changes of passwords, confirmation of credentials, or anything else that might lead to a leak of secure login credentials.