Check Point experts discovered a sophisticated phishing campaign aimed at collecting corporate data and compromising Microsoft Office 365 accounts. To avoid detection, the attackers used the servers of well-known organizations such as Oxford University, Adobe and Samsung. 43% of these attacks targeted European companies, while the rest were seen in Asia and the Middle East.
According to experts, as part of one of the phishing campaigns, hackers sent their victims emails that contained links to the Adobe server.
"Previously, the server was used by Samsung. This allowed hackers to create the appearance of a legitimate Samsung domain, which increased the confidence of victims. Thus, the victims were redirected to a page for entering their Office 365 login credentials," said the experts.
At the beginning of April 2020, another phishing campaign was recorded, in which the email subject line read “Office 365 voicemail”. The email said that to listen to the message the recipient had to click a link; if the victim clicked it, they were redirected to a phishing page masquerading as an Office 365 login page. The emails also came from several generated addresses that belonged to real subdomains of different departments of the University of Oxford.
"Access to corporate email can give hackers unlimited access to all the company's operations: transactions, financial reports, sending emails inside the company from a reliable source, passwords, and even addresses of the company's cloud assets. To carry out the attack, the hacker was able to access the servers of Samsung and Oxford, which means that he understood their internal workings; this allowed him to remain unnoticed," said Lotem Finkelsteen, a leading expert in threat analysis at Check Point.
Check Point informed the University of Oxford, Adobe, and Samsung of its findings.
Experts advise Office 365 users to use different passwords for the cloud app than for other services; this protects the remaining accounts if one of them is compromised. In addition, it is recommended to use security solutions for email and cloud services and never to enter credentials after clicking on a suspicious link.