Hackers hijacked an Oxford email server to deliver malicious emails as part of a phishing campaign designed to harvest Microsoft Office 365 credentials from European, Asian, and Middle Eastern targets.
The attackers also made use of domain hosted on an Adobe server and used by Samsung during 2018’s Cyber Monday event.
By leveraging the reputable brands of Oxford University, Adobe, and Samsung within the same campaign, the threat actors’ attacks had everything needed to bypass their victims’ security email filters and trick the victims themselves into handing over their Office 365 credentials.
“Using legitimate Oxford SMTP servers allowed the attackers to pass the reputation check for the sender domain,” Check Point researchers who discovered the campaign explain.
“In addition, there was no need to compromise actual email accounts to send phishing emails because they could generate as many email addresses as they wanted.”
Phishing disguised as Office 365 voice mails
The campaign was spotted by Check Point researchers in early April 2020 after observing a series of suspicious emails pretending to be notifications of missed Office 365 voice mails.
To enforce the illusion of a legitimate email, the phishing messages also were adorned with a “Message from Trusted server” notification above the content.
These emails were claiming that an incoming voice message was waiting in the targets’ voice-portal, asking them to click on a button that would have taken them to page on their Office 365 account where they could listen or download the missed message.
After the potential victims clicked the Listen/Download button embedded in the phishing message, they were instead redirected to a phishing landing page disguised as an Office 365 login page.
Redirects used to filter victims
“Behind the scenes, this redirection consists of two stages: the first stage abused an existing redirection scheme on the legitimate domain (e.g. samsung[.]ca), and the second stage redirected the user to a compromised WordPress site,” Check Point explains.
The phishing kits used as part of the second stage of the attack were hosted on several compromised WordPress websites, with the redirect code checking if the visitors arriving on the hacked sites came via a phishing email, stopping the attack in its tracks if they weren’t and sending the visitors to the actual site instead of the phishing page.
Throughout this campaign, the malicious actors also continuously changed and improved redirection methods and URL parameters in the phishing links to evade detection by pattern-based engines by making them independent of a specific domain and the Adobe Campaign servers.
Additionally, “[m]ost of the emails came from multiple generated addresses belonging to legitimate subdomains from different departments in the University of Oxford (UK).”
The final page hosting the phishing kit and used to collect and exfiltrate Office 365 credentials to attacker-controlled servers was fully-obfuscated and it created separate virtual directories for each victim so that each of them had unique URLs assigned.
“Adobe took the relevant actions to prevent this type of attack through its server across all customers,” Check Point said.
Last month, another highly convincing Office 365 phishing campaign used cloned imagery from automated Microsoft Teams alerts trying to steal credentials from roughly 50,000 users.
Earlier in June, business owners with Microsoft Office 365 accounts were targeted by a phishing campaign using bait emails camouflaged as legitimate Small Business Grants Fund (SGF) relief payment messages from the UK government.
More details on the Office 365 phishing campaign using a hijacked Oxford email server and indicators of compromise (IOCs) including redirect sites’ URLs and a list of compromised WordPress sites hosting Office 365 phishing pages and intermediate redirects are available in Check Point’s report.