Office 365 phishing scam uses Google Ad domains to bypass security

Google Ad Services redirection allows this phishing campaign to bypass secure email gateways.

Researchers at Cofense's Phishing Defense Center (PDC) have discovered a new phishing campaign that attempts to steal the login credentials of Office 365 users by asking them to accept a new terms of use and privacy policy.

This campaign has been observed across multiple organizations and uses a number of advanced techniques, including a Google Ad Services redirect, to try to steal employees’ credentials.

Targeted users first receive a high-priority email with the subject line “Recent Policy Change.” The email comes from an address that contains the word “security” to create a sense of urgency. The body of the email asks users to accept the recently updated “Terms of Use and Privacy Policy”; otherwise they may no longer be able to use the service.

Google Ad Services redirection

To get users to click through from the phishing email, the attackers use a Google Ad Services redirect, which suggests that they may have paid to have their URL go through an authorized source. This also helps the campaign's emails easily bypass the secure email gateways that organizations use to prevent phishing attacks and other online scams.

As soon as a user is redirected to the fake Microsoft login page, they see a pop-up of the privacy policy mentioned in the email. This window includes both a Microsoft logo and the user’s company logo to make it appear more legitimate. The “updated privacy policy” mentioned in the email also comes directly from Microsoft’s website.

After the updated policy is accepted, the user is redirected again to a page that pretends to be the official Office 365 login page. If an employee enters their credentials on this page and clicks “Next”, the cyber criminals have their Microsoft credentials and the account is compromised.

To make users think that nothing more has happened than entering their login details, another box appears with the text “We have updated our terms” and a “Finish” button beneath it.

This phishing campaign uses many clever tricks to steal users’ login credentials. Therefore, users should be extra careful when opening emails that appear to come directly from an official source and ask them to log in to one of their accounts.
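A gateway-side triage check for the indicators described above, written as an added example rather than anything from Cofense or the original article. The redirect host `googleadservices.com`, the `adurl` destination parameter, the use of `X-Priority`/`Importance` as the priority signal, and the function names are assumptions; the sample message is constructed.

```python
import html
import re
from email import message_from_string, policy
from urllib.parse import parse_qs, urlsplit

# Assumptions, not given in the article: the redirect host and its destination parameter.
REDIRECT_DOMAIN = "googleadservices.com"
DEST_PARAM = "adurl"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def redirect_destination(url):
    """Destination embedded in an ad-redirect URL; '' if hidden; None if not a redirect."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL text
        return None
    host = (parts.hostname or "").lower()
    if host != REDIRECT_DOMAIN and not host.endswith("." + REDIRECT_DOMAIN):
        return None
    return parse_qs(parts.query).get(DEST_PARAM, [""])[0]

def triage(raw):
    """Return (indicators, redirect destinations) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if "recent policy change" in str(msg.get("Subject", "")).lower():
        hits.append("subject")
    if "security" in str(msg.get("From", "")).lower():
        hits.append("sender")
    if str(msg.get("X-Priority", "")).strip().startswith("1") or \
            str(msg.get("Importance", "")).strip().lower() == "high":
        hits.append("high-priority")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = html.unescape(part.get_content()) if part else ""  # undo &amp; in HTML bodies
    dests = [d for d in map(redirect_destination, URL_RE.findall(body)) if d is not None]
    if dests:
        hits.append("ad-redirect")
    return hits, dests

# Constructed sample message (not taken from the campaign).
SAMPLE = (
    "From: IT Security <security@mail.example.invalid>\n"
    "Subject: Recent Policy Change\n"
    "X-Priority: 1\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Accept the updated Terms of Use and Privacy Policy:\n"
    "https://www.googleadservices.com/x?id=CONSTRUCTED&adurl=https%3A%2F%2Flogin.example.invalid%2Fo365\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The extracted destination, not the Google host, is the value to run through reputation and allow-list checks, since the redirect host itself is what lets the link pass.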

Source: Tech Radar

Published on
Aug 4, 2020
