
This Type of Phishing Attempt is Especially Damaging

Written by Brendan B | July 24, 2019 6:22:16 PM Z

There is one particular group of Office 365 users who are a gold mine to hackers: the people in your organization with admin credentials.

Hackers target admins because they hold the keys to your network's kingdom. A hacker who gains admin access can create new accounts, send mail as other users (like top executives) and read other users' emails (like those of the people in accounting who have access to sensitive financial information).

Because breaching an admin account is so valuable, hackers spend a lot of time and effort cooking up new ways to try to fool them. The Office 365 admins in your company need to be on the alert that they are a primary target!

What do some admin account phishing attempts look like?

One tactic hackers use to gain admin credentials is to run a spoof campaign that looks like an admin alert. These alerts usually present themselves as "urgent" and requiring "immediate attention." They will typically mention a problem with mail delivery or (ironically) warn of "unauthorized access."

Here's an Office 365 phishing attempt (courtesy of Bleeping Computer) that was sent to admins.


Notice that this spoof appears to come from Microsoft and alerts administrators that their Office 365 licenses have expired. Of course, it wants the admin to log in and check payment information.

Here's another example: in this phishing attempt, the admin is alerted that someone has gained access to another user's email account and is prompted to "Investigate" by clicking the link (don't click the link!).

If the hacker does gain access to an admin account, they can then follow up with phishing emails sent from that admin to anyone in the organization, as seen below in this example from McGill IT.


In this phishing attempt, users are told they have not one but two important unread messages from the admin team and can "Click on review" to read them.

What happens if you click the malicious links?

When these bad links are clicked, they often lead to a fake Microsoft landing page that asks users to re-enter their login credentials. Once those credentials are compromised, the hacker can go anywhere they want.

Hackers will even host their spoofed pages on Azure and windows.net domains to make them look as legitimate as possible, so a legitimate-looking domain does not mean the message is real.
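As an added example (not code from the original post), here is a small Python triage helper that applies the two warning signs described above to a constructed sample message: a display name claiming to be Microsoft while the sender address sits on an unrelated domain, and links whose host falls under an Azure or windows.net suffix that any tenant can register. The suffix list and the Microsoft sender-domain list are illustrative assumptions, not an authoritative set.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosting suffixes where any tenant can register the leading label, so the parent
# domain vouches for nothing (assumption: illustrative list, not exhaustive).
TENANT_HOSTED_SUFFIXES = (".azurewebsites.net", ".blob.core.windows.net", ".web.core.windows.net")
# Domains genuine Microsoft service mail arrives from (assumption: illustrative subset).
MICROSOFT_SENDER_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample modelled on the "licenses expired" lure described above.
SAMPLE_EMAIL = """\
From: "Microsoft Office 365 Team" <alerts@mail-service-notice.example>
To: admin@contoso.example
Subject: URGENT: Your Office 365 licenses have expired
Content-Type: text/plain; charset="utf-8"

Immediate attention required. Review your payment information here:
https://office365-billing-verify.azurewebsites.net/login
Questions? https://support.microsoft.com/
"""

def _text_parts(msg):
    # Yield the decoded text/plain and text/html bodies (single-part or multipart).
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")

def triage(raw_message: str) -> dict:
    # Check 1: display name claims Microsoft, but the address is on an unrelated domain.
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    claims_microsoft = any(w in display_name.lower() for w in ("microsoft", "office 365"))
    spoofed_sender = claims_microsoft and sender_domain not in MICROSOFT_SENDER_DOMAINS
    # Check 2: any link whose host sits under a tenant-registrable cloud suffix.
    tenant_hosted_links = []
    for text in _text_parts(msg):
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host.endswith(TENANT_HOSTED_SUFFIXES):
                tenant_hosted_links.append(url)
    return {"sender_domain": sender_domain, "spoofed_sender": spoofed_sender,
            "tenant_hosted_links": tenant_hosted_links,
            "verdict": "suspicious" if (spoofed_sender or tenant_hosted_links) else "ok"}
```

Running `triage(SAMPLE_EMAIL)` flags both the mismatched sender and the azurewebsites.net link, while the genuine support.microsoft.com link is left alone.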

What common mistakes do businesses make when it comes to admin phishing attempts?

Here are three common issues we see when companies fall victim to a dangerous admin breach.

1. The person has been made an admin by mistake or they were not properly trained to be an admin on the account.

2. There was no MFA (multi-factor authentication) set-up to further protect the admin account.

3. There was not sufficient IT support available to verify that the information in the email was false (like a license expiration alert) or to investigate the true origin of the message and its landing pages before credentials were handed over.

If you or someone you know is an Office 365 admin for your company, be aware that admins are prime targets for hackers. Educate yourself on the most recent types of phishing attacks, and never click a link or provide your admin credentials without double- and even triple-checking the legitimacy of the sender and the site requesting them.

If your business needs 24-hour Office 365 monitoring, admin education, and responsive network backup and support, learn more about us today.