A newly discovered, widespread email phishing campaign hosted on Oracle Cloud and using Amazon Web Services (AWS) resources to steal Office 365 credentials from small and large businesses has been quietly operating in the U.S. and Australia for more than seven months, a new security report said.
The phishing emails are sent from legitimate but compromised Office 365 email accounts hijacked by an unidentified hacker, wrote Ofir Rozmann, a Mitiga threat intelligence and security expert, in a blog post. The phishing lures have targeted C-level executives at financial organizations and SMBs. “This email asks the targeted user to click a link for a voice mail message," Rozmann wrote. "Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a compromised website belonging to a genuine organization.”
Mitiga's analysis of the campaign began unexpectedly a few weeks ago when one of its employees received an email phishing for credentials.
Mitiga’s security team has rooted out roughly 40 websites belonging to SMBs that the threat actors have commandeered as part of their infrastructure proxy chain. The unsuspecting target ultimately lands on a fake Office 365 login page hosted on Oracle Cloud from which their credentials are exfiltrated to another hacked website. The AWS and Oracle infrastructure is controlled and operated directly by the threat actors, Rozmann said.
The ramifications of the scheme go beyond stolen credentials. “It should go without saying that these compromised Office 365 credentials may be used as entry vectors for deeper access into the victim organization’s network, or used to conduct a Business Email Compromise (BEC) attack,” Rozmann wrote. "We have no indication that the phishing attempts targeting these email addresses were indeed successful, and that their credentials were in fact stolen. However, at least some email addresses were indeed compromised by the threat actor — the ones that were used to send the malicious emails."
The threat actors may have obtained the phishing infrastructure from a phishing-as-a-service platform: Mitiga’s findings suggest that several subgroups have used the same infrastructure, possibly procured from a central source. So far there is no evidence tying the campaign to a known cyber crime crew, Rozmann said.
Mitiga’s seven recommendations for organizations to safeguard against these attacks include:
- Enable two-factor authentication for Office 365 login.
- Enforce Office 365 password updates.
- Examine forwarding rules in email accounts.
- Search email inboxes for hidden folders and for messages filed somewhere other than their usual location.
- Log changes to mailbox login and settings and keep the data for at least 90 days.
- Enable alerts for suspicious activity, such as unusual logins, and analyze server logs for abnormal email access.
- Consider simulating a similar attack scenario using a red team to test the phishing awareness of the organization.
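The four detection-oriented recommendations above (forwarding rules, hidden folders, audit retention, alerting on mailbox changes) can be checked in one pass with the Exchange Online PowerShell module. The script below is an added example written for this article, not code from Mitiga or from the report; it assumes the ExchangeOnlineManagement module, an account with Exchange administrator and audit-log read rights, and uses `contoso.com` and a 180-day retention figure as placeholder values you would replace with your own.

```powershell
# Added example (not from Mitiga or the article): post-phishing mailbox review for
# Exchange Online covering forwarding, suspicious inbox rules, user-created folders,
# audit retention and rule-change history. Assumes ExchangeOnlineManagement is
# installed; 'contoso.com' and 180 days are placeholder assumptions.
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = @('contoso.com')        # assumption: your tenant's accepted domains
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (set with Set-Mailbox, invisible in the Outlook rules UI).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $upn; Finding = 'MailboxForwarding'
            Detail = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress) keepCopy=$($mbx.DeliverToMailboxAndForward)" }
    }

    # 2. Inbox rules that send mail out of the tenant, delete it, or file it away
    #    outside the Inbox so the owner never sees the attacker's conversation.
    foreach ($rule in (Get-InboxRule -Mailbox $upn)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        $external = $targets | Where-Object {
            $addr = "$_"
            -not ($internalDomains | Where-Object { $addr -like "*@$_*" })
        }
        $hides = $rule.DeleteMessage -or ($rule.MoveToFolder -and $rule.MoveToFolder -notmatch 'Inbox')
        if ($external -or $hides) {
            [pscustomobject]@{ Mailbox = $upn; Finding = 'SuspiciousInboxRule'
                Detail = "'$($rule.Name)' enabled=$($rule.Enabled) fwd=$($external -join ',') delete=$($rule.DeleteMessage) moveTo=$($rule.MoveToFolder)" }
        }
    }

    # 3. Non-default folders that actually hold mail: a rule target such as a new
    #    top-level folder with hundreds of items is a common place to park stolen threads.
    Get-MailboxFolderStatistics -Identity $upn |
        Where-Object { $_.FolderType -eq 'User Created' -and $_.ItemsInFolder -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; Finding = 'UserCreatedFolder'
                Detail = "$($_.FolderPath) items=$($_.ItemsInFolder)" }
        }

    # 4. Keep mailbox audit records beyond the 90-day minimum the report recommends.
    if (-not $mbx.AuditEnabled -or ([TimeSpan]$mbx.AuditLogAgeLimit).TotalDays -lt 180) {
        Set-Mailbox -Identity $upn -AuditEnabled $true -AuditLogAgeLimit 180
    }
}

# 5. Who created or changed inbox rules in the last 90 days, and from which IP.
#    The audit record keeps the rule parameters, so an external ForwardTo value
#    is still visible after the attacker deletes the rule to cover their tracks.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
            -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules -ResultSize 5000
foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    [pscustomobject]@{ Mailbox = $d.UserId; Finding = "RuleChange:$($d.Operation)"
        Detail = "ip=$($d.ClientIP) at=$($d.CreationTime) $params" }
}
```

Run it with a mailbox that you have just confirmed as compromised and the hits from steps 1, 2 and 5 are the ones to act on first: remove the rule or forwarding address, reset the password and revoke sessions, then feed the ClientIP values from step 5 into your sign-in log search to find other accounts the same actor touched.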