Phishers Use Fake VPN Alerts to Steal Office 365 PasswordsReport: Fraudsters Target Remote Workers With Spoofed Updates
Fraudsters are using fake VPN update alerts to target remote workers in an effort to steal their Microsoft Office 365 credentials, according to the security firm Abnormal Security.
With work-from-home employees relying on VPNs and other remote connection tools to help them access corporate networks and data, fraudsters are now using specially crafted phishing emails that appear to come from the IT department requesting that they immediately update their remote access configurations, a new report from Abnormal Security states.
"Because most employees are working from home, a VPN has become a necessity for some work-related tasks," the report notes. "Employees will likely be attuned to any alleged updates to their VPN configuration in order to avoid any issues completing work that requires VPN access."
The goal of these phishing emails is to trick employees into giving up their Office 365 credentials by inputting usernames and passwords into malicious domains that spoof the login pages, according to Abnormal Security. So far, this campaign has targeted 5,000 to 15,000 employee email inboxes, the report says. .
The phishing campaign that Abnormal Security uncovered uses email addresses that spoof the domain of the organization where the remote worker is employed.
These phishing emails contain a link that claims to be a "new VPN configuration home access" alert. Instead of the VPN configuration page, however, the link directs the victim to a fake Office 365 site, where the user is urged to log in with their email and password, according to the report.
The fake landing page looks nearly identical to the standard Microsoft Office 365 login page, including using the company's logos and artwork. In addition, the malicious domain hosted on a legitimate Microsoft .NET platform, which gives the webpage a valid certificate that can help trick security tools, the report explains.
The campaign conceals the URL of the phishing page and uses anchor text instead that contains the name of the company where the intended victim is employed, according to Abnormal Security.
"By hiding the real URL, the user may be unaware that the site they are accessing is not the real Microsoft Office login page," the report notes.
The researchers say that although they found numerous variations of these phishing emails that originated from separate IP addresses, the payload link used was the same for all of the attacks. This indicates that the phishing emails were sent by a single attacker controlling the phishing domain, according to the report.
Other Phishing Campaigns
In May, Abnormal Security researchers found another phishing campaign that spoofed notifications from Microsoft's Teams collaboration platform in an attempt to harvest Office 365 credentials (see: Latest Phishing Campaign Spoofs Microsoft Teams Messages).
And in July 2019, researchers at security firm Zscaler uncovered a campaign where fraudsters used spoofed messages designed to look like Microsoft Azure custom domains that were signed with a Microsoft SSL certificate to give it legitimacy and trick security tools. The goal, again, was to harvest users' credentials.