
Don't try to phish our Chief Hacking Officer

Yesterday I received an e-mail from the CEO of a Belgian company. It is not unusual in my job to receive NDAs, contracts, RFPs and the like, but what made it suspicious was that I knew neither the company nor the person.

The mail looks like a normal OneDrive file share:

This is a genuine notification generated by Office 365 when you share a file with somebody outside the company.

The URL in the "Open" button is: https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fanony...

You will notice that the URL is wrapped by Microsoft Advanced Threat Protection (Safe Links), but because it redirects to a legitimate OneDrive location, Advanced Threat Protection allows it. The OneDrive then presents the following file:
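The weak point described above is that Safe Links judges only the first hop: the wrapped URL points at a real OneDrive/SharePoint location, so it passes, and the phishing link sits one hop further, inside the hosted file. The helper below is an added example (not code from the original post) that unwraps a Safe Links URL, classifies where it really goes, and then scans the text of the hosted file for links that leave Microsoft's domains. The sample wrapper and file text are constructed; the Safe Links host suffix and the list of share domains are assumptions based on the host shown in the post.

```python
"""Two-hop link triage for OneDrive/SharePoint share notifications.

Safe Links only evaluates the URL it wraps. When that URL is a legitimate
OneDrive or SharePoint location the wrapper passes, and a phishing link can
hide one hop further, inside the hosted file. These helpers unwrap Safe Links,
classify the first hop, and scan the hosted file's text for the second hop.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Safe Links proxy host suffix. The post shows the "emea01" instance; treating
# every "*.safelinks.protection.outlook.com" host the same way is an assumption.
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Domains that serve legitimate OneDrive / SharePoint shares. Matching is exact
# or on a dot-separated suffix, so a look-alike such as
# "evil-onedrive.live.com" does not match.
MICROSOFT_SHARE_DOMAINS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")

# Crude URL extractor for the text/HTML of a downloaded share page.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def unwrap_safelinks(url: str) -> str:
    """Return the destination inside a Safe Links wrapper (or url unchanged)."""
    parsed = urlparse(url)
    if not _host(url).endswith(SAFELINKS_SUFFIX):
        return url
    inner = parse_qs(parsed.query).get("url")
    if not inner:
        return url
    # parse_qs percent-decodes once; unquote again to cover double-encoding.
    return unquote(inner[0])


def is_microsoft_share(url: str) -> bool:
    """True when the link lands on a Microsoft-hosted OneDrive/SharePoint domain."""
    host = _host(url)
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_SHARE_DOMAINS)


def triage_link(url: str) -> dict:
    """First-hop verdict: what Safe Links wrapped, and where it really goes."""
    destination = unwrap_safelinks(url)
    return {
        "wrapped_by_safelinks": _host(url).endswith(SAFELINKS_SUFFIX),
        "destination": destination,
        "destination_host": _host(destination),
        "microsoft_share": is_microsoft_share(destination),
    }


def second_hop_findings(file_text: str) -> list:
    """Hosts of every link in the hosted file that leaves Microsoft's domains.

    A non-empty result is the PhishPoint pattern: a clean-looking share whose
    content points elsewhere. Hosts are returned once each, in order of
    first appearance.
    """
    seen, findings = set(), []
    for link in URL_RE.findall(file_text):
        destination = unwrap_safelinks(link)
        host = _host(destination)
        if host and not is_microsoft_share(destination) and host not in seen:
            seen.add(host)
            findings.append(host)
    return findings


# Constructed sample data (not from the post): a Safe Links wrapper around a
# SharePoint share, and the text of the hosted file with its "Open" link.
SAMPLE_MAIL_LINK = (
    "https://emea01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fcontoso-my.sharepoint.com%2Fpersonal%2Fexample%2Finvoice"
    "&reserved=0"
)
SAMPLE_FILE_TEXT = (
    'Shared document. <a href="https://login-office365.example.net/auth">Open</a>'
)

if __name__ == "__main__":
    print("First hop:", triage_link(SAMPLE_MAIL_LINK))
    print("Second hop leaves Microsoft:", second_hop_findings(SAMPLE_FILE_TEXT))
```

On the constructed sample the first hop is reported as a Safe Links wrapper around a genuine SharePoint host, which is exactly why the filter lets it through, while the second hop flags `login-office365.example.net`. The practical lesson for a mail gateway or an analyst is that a share notification is only as safe as the content it links to, so the hosted file has to be fetched and its links checked as well.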

This file is malicious: it redirects anyone who clicks "Open" to the phishing site. Intercepting the request in Burp gives:

When I replied to the mail in Dutch, I got a reply from the phisher in Dutch:

Conclusion:

  1. The criminals obtained the CEO's password, either via a data leak or via another phishing campaign;
  2. Once they had access to the mailbox, they scraped every e-mail address from it. When I searched my own mailbox for the CEO's address, I found that in 2017 a company had sent an e-mail to 600 recipients in the TO: field (instead of BCC), including both my address and the CEO's;
  3. Without multi-factor authentication on Office 365, these criminals have full access to all your data: mail, SharePoint documents, personal OneDrive files, and so on;
  4. The combination of these different flaws resulted in a successful phishing campaign;
  5. This phishing attack, "PhishPoint", was detected by Avanan in August 2018: https://www.avanan.com/resources/phishpoint-attack
  6. According to Microsoft, as quoted in the Threatpost article https://threatpost.com/office-365-phishing-campaign-hides-malicious-urls-in-sharepoint-files/136525/, this attack should not be possible; the walkthrough above shows that it is a real attack and a real problem.

Recommendations:

  1. Enable multi-factor authentication for all users on all Office 365 services;
  2. Enable Advanced Threat Protection in Office 365, or use an external anti-spam/anti-phishing solution such as Proofpoint Advanced Threat Protection & Detection;
  3. Make all users aware of phishing attacks through continuous security training;
  4. Don't reuse the same password across websites such as Facebook, LinkedIn, Office 365 and so on.

12 hours after the attack, the website was blocked by Google Safe Browsing:
