With so many businesses now relying on Microsoft’s Office 365 to facilitate remote work during the pandemic, a new cybersecurity report warns that hackers have hijacked the cyber assets of Samsung Canada and the University of Oxford to send phishing emails to Office 365 users.
According to a report from Check Point Research, Office 365 users were sent seemingly legitimate emails from a trusted source that included a link to an “Office 365 Voicemail.” Once users clicked the link, they were directed to a webpage requesting their Office 365 credentials; the page looked like an official Microsoft page, but it harvested the credentials instead.
Check Point Research explained that the hackers slipped past Office 365’s security by abusing one of Oxford University’s SMTP servers, making the emails appear to come from the university and therefore pass Office 365’s sender checks as legitimate. By hijacking the server, the hackers did not need to compromise actual university email accounts, because they could generate as many fraudulent email addresses on the server as they wanted.
To redirect victims to the phishing page, the hackers also had to steal a legitimate domain to redirect traffic without alarming Microsoft’s security system. For this purpose, the attackers appropriated a Samsung Canada subdomain hosted on an Adobe Campaign (a platform used to manage marketing campaigns) server. Hackers took the existing link from an old, but legitimate Samsung Canada email campaign back in 2018, then repurposed it to force victims into a domain the cyberattackers owned.
While the marketing subdomain was commandeered by the hackers, “neither Adobe nor Samsung were compromised in the sense of exploiting a vulnerability,” Check Point Research said.
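The chain above (a link on a trusted brand subdomain that silently redirects to an attacker-owned page posing as a Microsoft sign-in) is something a mail gateway or analyst can check for without a browser. The following is an added defender-side example, not code from Check Point Research or the article; every host in it is a constructed placeholder, and the redirect map stands in for live HTTP fetches.

```python
from urllib.parse import urlparse

# Hosts where a genuine Office 365 sign-in page may legitimately live
# (assumption for this example; tune to the sign-in hosts your tenant uses).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed redirect map standing in for real HTTP responses: a marketing
# tracking link on a brand subdomain hops to an attacker-controlled page.
# All hosts are placeholders, not indicators from the report.
CONSTRUCTED_REDIRECTS = {
    "https://mail.brand-marketing.example/r/abc123":
        "https://mail.brand-marketing.example/track?next=https://o365-voicemail.example/login",
    "https://mail.brand-marketing.example/track?next=https://o365-voicemail.example/login":
        "https://o365-voicemail.example/login",
}


def resolve_redirect_chain(url, fetch=CONSTRUCTED_REDIRECTS.get, max_hops=10):
    """Follow Location-style redirects and return every hop, first to last.
    `fetch(url)` returns the next URL, or None when the page is final.
    The hop limit and the `seen` set keep a redirect loop from hanging the check."""
    chain = [url]
    seen = {url}
    while len(chain) - 1 < max_hops:
        nxt = fetch(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess_login_link(url, fetch=CONSTRUCTED_REDIRECTS.get):
    """Flag a link that claims to lead to a Microsoft sign-in but lands elsewhere,
    or that crosses from the visible brand domain to a different one."""
    chain = resolve_redirect_chain(url, fetch)
    hosts = [urlparse(u).hostname for u in chain]
    landing = hosts[-1]
    reasons = []
    if landing not in TRUSTED_LOGIN_HOSTS:
        reasons.append(f"final host {landing!r} is not a known Microsoft sign-in host")
    if len(set(hosts)) > 1:
        reasons.append("link crosses domains: " + " -> ".join(hosts))
    return {"chain": chain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    verdict = assess_login_link("https://mail.brand-marketing.example/r/abc123")
    for reason in verdict["reasons"]:
        print(reason)
```

In production the `fetch` callback would issue HEAD/GET requests from a sandboxed egress and read the `Location` header, so the check sees the landing page rather than the brand domain shown in the email.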
Forbes reported that the number and identity of the victims who fell for the phishing attempt is currently not known, but added that Microsoft once warned that most of Office 365’s enterprise users do not have two-factor authentication (2FA) enabled. This means accounts that lacked 2FA could easily be compromised once the hackers knew just the username and password.