A phishing attack is using VPN impersonation to trick people into revealing their Microsoft Office 365 credentials.

With so many people working from home, VPN use has increased considerably. Most companies rely on this sort of technology to let employees connect to the corporate infrastructure safely, so it stands to reason that bad actors would seek to use it as an attack vector.

Microsoft Office 365 credentials are highly valued on the dark web because, in the right circumstances, they give attackers a way into a company’s network that requires little effort. Defense systems would have a hard time identifying a hacker who is using legitimate credentials.
“The attack impersonates a notification email from the IT support at the recipients’ company,” reads the advisory from Abnormal Security.

“The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target’s company, the hyperlink actually directs to an Office 365 credential phishing website,” the advisory continues.
While the attack seems to originate from numerous IPs and different senders, the payload in each email was identical, which indicates they are all part of the same campaign.

According to the researchers, the landing page of the phishing attack is hosted on the Microsoft .NET platform and is identical to the Office 365 login website. Since it is hosted on a Microsoft platform, the certificate is also legitimate, so the browser shows no warning.
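The traits described above (a From address spoofing the recipient's own domain, a "VPN configuration" lure, and a link that leaves the organization's domain) can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from Abnormal Security; the email, the organization domain example.com and the phishing host are all constructed, and it assumes the gateway stamps an Authentication-Results header with SPF/DMARC verdicts.

```python
"""Flag a VPN-themed notice that claims to come from the recipient's own
domain but fails sender authentication and links to an external host."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; example.com stands in for the target organization
# and vpn-config-update.example.net for the credential-phishing host.
SAMPLE_EML = """\
From: IT Support <it-support@example.com>
To: alice@example.com
Subject: New VPN configuration for home access
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail
Content-Type: text/html

<p>Please install the <a href="https://vpn-config-update.example.net/login">new VPN configuration</a>.</p>
"""


def domain_of(addr):
    """Return the lower-cased domain part of an RFC 5322 address header."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def assess(raw):
    """Return a list of findings for one raw message (empty list = nothing suspicious)."""
    msg = message_from_string(raw, policy=policy.default)
    sender_dom = domain_of(msg["From"] or "")
    recipient_dom = domain_of(msg["To"] or "")
    auth = (msg["Authentication-Results"] or "").lower()
    auth_failed = "spf=fail" in auth or "dmarc=fail" in auth

    # Collect every link target and keep the ones outside the recipient's domain.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    hosts = {urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', body)}
    external = sorted(h for h in hosts
                      if h and h != recipient_dom and not h.endswith("." + recipient_dom))

    findings = []
    if sender_dom == recipient_dom and auth_failed:
        findings.append("lookalike: From claims own domain but SPF/DMARC failed")
    if external and re.search(r"\bvpn\b", msg["Subject"] or "", re.I):
        findings.append("vpn lure links to external host(s): " + ", ".join(external))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_EML):
        print(f)
```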
As usual, people should not open emails from unknown senders, and they should be wary of any messages requesting changes of passwords, confirmation of credentials, or anything else that might lead to a leak of secure login credentials.