UPDATED 00:08 EST / AUGUST 31 2017


Scary multistage phishing attacks target Office 365 enterprise users

Hackers are targeting Office 365 users in a multistage phishing campaign that attempts to gain access to accounts that can then be used to cause further damage within a targeted enterprise.

Uncovered in a report from Barracuda Networks Inc., the campaign starts by targeting Office 365 users with a typical phishing message that claims their account has been suspended and that they need to follow a link to fix the problem. Once they click the link, the victims are directed to a fake landing page made to look like the Office 365 sign-in page, which asks them to enter the username and password for the account – stage one of the attack.

After gaining access to the Office 365 account, the hackers most commonly use the compromised account to launch a targeted spear phishing campaign within the victim’s own enterprise. Using the account, the hackers tailor custom messages to other employees inside the organization to attempt to collect additional credentials or gain other sensitive information.

Disturbingly, in some cases, instead of simply using the compromised account to send further emails, the attackers set up email forwarding. That means that unless it is specifically noticed, all emails sent to the victim are forwarded to the attackers, potentially delivering further private and sensitive corporate information long after the initial phishing message.

Access to a compromised account could also have ramifications outside the enterprise. The report noted that an attacker impersonating an employee could use access to the email account to request a payment from a partner or customer, without the actual employee knowing that this has taken place.

“This is an evolution of spear phishing – we’re seeing more and more sophistication,” Asaf Cidon, a spear phishing expert at Barracuda, told Dark Reading. “A couple of years ago, cyberattackers primarily targeted executive employees. These new Office 365 threats are putting all employees at risk.”

What’s new, he added, is what happens after they get access to the accounts: “Threat actors can conduct several types of attacks after they gain a foothold in an organization.”

Given the potential severity of an attack of this kind, Barracuda recommends that enterprises using Office 365 implement user training and awareness strategies, including regular training and testing of employees; multifactor authentication, which is included with Office 365 but not always turned on; and finally the implementation of real-time spear phishing and general cyberfraud defense.
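The forwarding persistence described above is something a tenant administrator can look for directly. The following is an added example (not from the Barracuda report or this article) of an Exchange Online PowerShell check that lists mailbox-level forwarding and inbox rules that forward or redirect mail to addresses outside the tenant; it assumes a session already opened with Connect-ExchangeOnline, and the $InternalDomains list is a placeholder to replace with your own accepted domains.

```powershell
# Added example: find mailbox forwarding and inbox rules that send mail outside the tenant.
# Assumes Connect-ExchangeOnline (ExchangeOnlineManagement module) has already been run.
$InternalDomains = @('example.com')   # placeholder: replace with the tenant's accepted domains

function Test-ExternalAddress {
    param([string]$Address)
    if (-not $Address) { return $false }
    # Rule targets render as 'Display Name [SMTP:user@domain]'; mailbox forwarding as 'smtp:user@domain'
    if ($Address -match '([^\s<>:\[]+)@([^\s<>\]]+)') {
        return -not ($InternalDomains -contains $Matches[2].ToLower())
    }
    return $true   # unparseable target: surface it rather than silently ignore it
}

function New-Finding {
    param($Mailbox, $Type, $Rule, $Target, $Enabled, $KeepCopy)
    [pscustomobject]@{ Mailbox = $Mailbox; Type = $Type; Rule = $Rule
                       Target = $Target; Enabled = $Enabled; KeepCopy = $KeepCopy }
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Forwarding configured on the mailbox object itself (Set-Mailbox -ForwardingSmtpAddress)
    if (Test-ExternalAddress $mbx.ForwardingSmtpAddress) {
        $findings += New-Finding $mbx.UserPrincipalName 'MailboxForwarding' '-' `
            $mbx.ForwardingSmtpAddress $true $mbx.DeliverToMailboxAndForward
    }
    # Inbox rules, the mechanism an attacker with only the user's password can set via Outlook/OWA
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress ([string]$t))) {
                $findings += New-Finding $mbx.UserPrincipalName 'InboxRule' $rule.Name `
                    ([string]$t) $rule.Enabled (-not $rule.DeleteMessage)
            }
        }
    }
}

# Empty output means no external forwarding was found; review every row that does appear.
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Rows where KeepCopy is true are the quiet variant the report describes, since the victim still receives their mail and has no obvious sign it is also being copied out. Search-UnifiedAuditLog for New-InboxRule and Set-Mailbox operations shows when and from where a flagged rule was created.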

Photo: Raysonho/Wikimedia Commons
