Cybercriminals are attempting to steal Microsoft 365 login credentials from people working in the US military, security software vendors, the manufacturing supply chain, and healthcare and pharmaceutical companies, using an elaborate phishing campaign built around fake voicemail notifications and spoofed Microsoft login pages.
Employees at these companies have been receiving fake email notifications claiming that someone in their organization has left them a voice message.
The email appears to come from within the company, but cloud security firm Zscaler found that the real sender is abusing a Japanese email service to hide their true address and identity.
If the victim takes the bait and opens the email's HTML attachment, they are first sent to a CAPTCHA check. Its purpose is twofold: it keeps automated anti-phishing crawlers away from the final page, and it lends the process an air of legitimacy.
After the victim passes the CAPTCHA, they are redirected to the actual phishing site, a page that mimics the Microsoft 365 login page. Any credentials entered there go straight to the attackers.
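A mail-gateway check built on the two tells described above (a From header claiming the victim's own domain while the envelope sender and first delivery hop belong to an unrelated service, plus an HTML attachment whose only job is to redirect the browser), as an added example that is not part of the original article or of Zscaler's report. It uses only Python's standard email module; both messages are constructed for the example, and the domain victimcorp.example, the host names, the IP addresses and the attachment contents are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (placeholder).
INTERNAL_DOMAIN = "victimcorp.example"

# Constructed lure (not a real capture): From claims an internal sender, but
# Return-Path and the newest Received hop point at a third-party mailer, and the
# HTML attachment only bounces the browser to an external "CAPTCHA" host.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mailer.example.jp>
Received: from mta01.mailer.example.jp (mta01.mailer.example.jp [203.0.113.10])
\tby mx.victimcorp.example (Postfix) with ESMTPS id ABC123
From: Voicemail Service <voicemail@victimcorp.example>
To: jane.doe@victimcorp.example
Subject: New voice message (00:43)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

You have a new voice message. Open the attached file to listen.

--XYZ
Content-Type: text/html; name="voicemail_0043.html"
Content-Disposition: attachment; filename="voicemail_0043.html"

<html><body><script>window.location.href="https://captcha-check.example.net/verify?u=jane.doe";</script></body></html>

--XYZ--
"""

# Constructed benign message: internal sender, internal first hop, no attachment.
LEGIT_EMAIL = b"""\
Return-Path: <it-helpdesk@victimcorp.example>
Received: from smtp.victimcorp.example (smtp.victimcorp.example [10.0.0.5])
\tby mx.victimcorp.example (Postfix) with ESMTPS id DEF456
From: IT Helpdesk <it-helpdesk@victimcorp.example>
To: jane.doe@victimcorp.example
Subject: Scheduled maintenance
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The mail gateway will be patched on Saturday.
"""

# Client-side redirect idioms that an HTML "voicemail" attachment has no reason to contain.
REDIRECT_PATTERNS = re.compile(
    r'(window\.location|location\.href|location\.replace|http-equiv=["\']?refresh)',
    re.IGNORECASE,
)


def header_domain(value):
    """Domain part of an address header, lower-cased, or '' if absent."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower()


def sender_mismatch(msg, internal_domain=INTERNAL_DOMAIN):
    """From claims the internal domain but the envelope sender (Return-Path) does not."""
    from_domain = header_domain(msg["From"])
    return_path_domain = header_domain(msg["Return-Path"])
    return from_domain == internal_domain and return_path_domain not in ("", internal_domain)


def first_hop_external(msg, internal_domain=INTERNAL_DOMAIN):
    """The newest Received header (top of the list) shows the peer that handed the
    message to our MX; an internal From arriving from an outside host is a spoof."""
    received = msg.get_all("Received") or []
    if not received:
        return False
    m = re.search(r"from\s+(\S+)", str(received[0]))
    if not m:
        return False
    host = m.group(1).lower()
    return not (host == internal_domain or host.endswith("." + internal_domain))


def html_attachments_with_redirect(msg):
    """Filenames of HTML attachments whose body contains a client-side redirect."""
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html" and REDIRECT_PATTERNS.search(part.get_content()):
            hits.append(part.get_filename())
    return hits


def analyse(raw, internal_domain=INTERNAL_DOMAIN):
    """Return the list of findings for one raw RFC 5322 message; empty means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if sender_mismatch(msg, internal_domain):
        findings.append("from_domain_spoofed")
    if header_domain(msg["From"]) == internal_domain and first_hop_external(msg, internal_domain):
        findings.append("internal_from_external_hop")
    redirects = html_attachments_with_redirect(msg)
    if redirects:
        findings.append("html_attachment_redirect:" + ",".join(redirects))
    return findings


if __name__ == "__main__":
    print("lure:  ", analyse(SAMPLE_EMAIL))
    print("benign:", analyse(LEGIT_EMAIL))
```

The header checks are deliberately narrow: they only fire when From claims the organisation's own domain, so ordinary external mail is untouched, and a proper DMARC policy on that domain would reject the same spoof earlier. The attachment check is the complement for the case where the lure gets through anyway, since a genuine voicemail player has no reason to be a one-line redirect.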
Microsoft 365 accounts are in high demand among criminals because they offer a trove of valuable information that can enable devastating second-stage attacks. Crooks can use them to deploy malware and ransomware, install cryptominers on powerful servers, and even mount highly destructive supply chain attacks.
The SolarWinds supply chain attack, which hit US government agencies, institutions and several high-profile tech companies, reportedly began with a compromised Microsoft 365 account.
In December 2020, a massive cyber espionage effort was discovered that tainted the software supply chain through a malicious SolarWinds software update. Attributed to Russian state-sponsored hackers, the hack was found to have affected nine federal agencies as well as many private sector companies.
There were several congressional hearings on the SolarWinds hack, and the incident also led to sanctions on several Russian cybersecurity companies. However, no one has been able to determine the true extent of the hack, in part because tracking down the threat actors has been quite challenging.
Via: BleepingComputer