Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed

guest · Aug 7, 2020

Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed
As cloud-based services become the key to many business operations, hackers are refocusing their aim
August 7, 2020
https://www.zdnet.com/article/micro...-of-many-businesses-and-hackers-have-noticed/

As the use of Microsoft's Office 365 grows – encompassing services including Exchange, Teams, SharePoint, OneDrive and more –the sheer amount of data stored in the cloud is proving to be a tempting target for some of the most sophisticated hacking operations in the world, according to cybersecurity researchers at FireEye Mandiant.

"The amount of data in Office 365 is just huge and attackers are obviously interested in data. But also they can now access that data from pretty much anywhere in the world," Doug Bientock, principal consultant at Mandiant told ZDNet, ahead of the research being presented at the Black Hat USA security virtual conference.
"Office 365 is also a gateway for organisations to access other applications as a single sign-on platform," Bienstock explained.
Click to expand...

It's believed that a significant majority of – if not all – state-backed advanced persistent threat (APT) groups are interested in deploying this kind of attack, but one that definitely has is APT35, a hacking operation working out of Iran, which Madeley described as "notorious" for exploiting cloud services to gain access to the sensitive information it wants to see.

"They'll gain access to your Office 365 environment then use the security tooling to search the contents of every mailbox, every Teams chat, every SharePoint document," he explained.
Click to expand...

guest · Aug 7, 2020

Hack involving Microsoft Office 365 accounts
Scholarship America Provides Notice Of Data Security Incident
August 6, 2020
https://www.prnewswire.com/news-rel...tice-of-data-security-incident-301108112.html

Scholarship America, a nonprofit organization that manages scholarship and tuition assistance programs for different organizations, is providing notice to individuals impacted by the exposure of certain personal information.

On or about April 28, 2020, Scholarship America's internal IT security processes detected suspicious activity within its email system which triggered security protocols. Upon discovery, Scholarship America took immediate action to shut down unauthorized access and remediate the problem.
The investigation confirmed that the impact of this incident was limited to certain Microsoft Office 365 email accounts, and that no other systems or servers within the Scholarship America IT network were impacted, including where student applications and program information are stored.
Click to expand...

guest · Oct 13, 2020

Office 365: A Favorite for Cyberattack Persistence
October 13, 2020
https://threatpost.com/office-365-persistent-cyberattacks/160010/

Threat actors are consistently leveraging legitimate services and tools from within Microsoft Office 365 to pilfer sensitive data and launch phishing, ransomware, and other attacks across corporate networks from a persistent position inside the cloud-based suite, new research has found.

Office 365 user account takeover – particularly during the COVID-19 pandemic with so many working from home – is one of the most effective ways for an attacker to gain a foothold in an organization’s network, said Chris Morales, head of security analytics at Vectra AI.
From there, attackers can move laterally to launch attacks, something that researchers observed in 96 percent of the 4 million Office 365 customers sampled between June to August 2020. The company revealed the findings of this research in a 2020 Spotlight Report, released Tuesday.

“We expect this trend to magnify in the months ahead,” Morales said in an email interview with Threatpost.
Click to expand...

Cybercriminal Tactics
Researchers found three key features of the suite that attackers exploit to take over accounts and go on to perform a variety of attacks: OAuth, Power Automate and eDiscovery.

“OAuth is used for establishing a foothold, Power Automate is used for command and control and lateral movement, and eDiscovery is used for reconnaissance and exfiltration,” Morales told Threatpost.
Click to expand...

guest · Oct 26, 2020

Attackers finding new ways to exploit and bypass Office 365 defenses
October 26, 2020
https://www.helpnetsecurity.com/2020/10/26/exploit-and-bypass-office-365-defenses/

Over the six-month period from March to August 2020, over 925,000 malicious emails managed to bypass Office 365 defenses and well-known secure email gateways (SEGs), an Area 1 Security study reveals.
How criminals bypass Office 365 defenses
Attackers increasingly use highly sophisticated, targeted campaigns like business email compromise to evade traditional email defenses, which are based on already-known threats.

Attackers also often use Microsoft’s own tools and branding to bypass legacy defenses and email authentication (DMARC, SPF, DKIM).
In one example where a customer layered Office 365 with an SEG, more than 300,000 malicious messages were still missed [...]
Click to expand...

While Microsoft continues to make Office 365 security improvements and can even exceed the best anti-spam and antivirus providers, cyber threat actors have evolved accordingly. For example, Area 1 has intercepted a number of credential harvesting phish exploiting cloud tools like Microsoft SharePoint and Microsoft Planner.
Attackers adopting cloud suites to launch phishing campaigns
As noted in the Gartner 2020 Market Guide for Email Security,

“As organizations move to cloud email, it’s easier for attackers to target users with phishing attacks posing as log-in screens in order to harvest credentials. They then use those credentials to launch further account-takeover-based attacks that can include other collaboration tools. Organizations need to ensure that both internal and external email is secured as well as collaboration tools that are being used.”
Click to expand...

guest · Nov 18, 2020

Office 365 phishing campaign detects sandboxes to evade detection
November 17, 2020
https://www.bleepingcomputer.com/ne...ampaign-detects-sandboxes-to-evade-detection/

Microsoft is tracking an ongoing Office 365 phishing campaign that makes use of several methods to evade automated analysis in attacks against enterprise targets.

"We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering," Microsoft said.
Custom subdomains and automated redirection to legitimate domains
One of the evasion tactics utilized in this credential theft attack is the use of redirector URLs with the capability to detect incoming connections from sandbox environments commonly used by security researchers to gain more info about the attack.

This allows the phishers to make sure that their phishing pages will only be visited by real users, thus drastically lowering the chance of getting their attacks blocked and increasing the odds of real people being lured to their phishing sites.
Click to expand...

Innovative evasion tactics
Earlier this month another Office 365 phishing campaign was detected while inverting images used as backgrounds for landing pages to avoid getting flagged as malicious by web crawling engines used to spot phishing sites.
The phishing kit designed to use that novel tactic automatically reverts the backgrounds using Cascading Style Sheets (CSS) to revert to the original backgrounds of the Office 365 login pages they're trying to mimic.
Click to expand...

guest · Dec 8, 2020

Spearphishing Attack Spoofs Microsoft.com to Target 200M Office 365 Users
December 8, 2020
https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/

A spearphishing attack is spoofing Microsoft.com to target 200 million Microsoft Office 365 users in a number of key vertical markets, including financial services, healthcare, manufacturing and utility providers.

Researchers at Ironscales discovered the campaign targeting several thousand mailboxes at nearly 100 of the email security firm’s customers, Lomy Ovadia, Ironscales vice president of research and development, said in a report posted online Monday. Other industries being targeted including telecom and insurance companies, he said.
Click to expand...

The attack is comprised of a realistic-looking email that attempts to persuade users to take advantage of a relatively new Office 365 capability that allows for them to reclaim emails that have been accidentally marked as spam or phishing messages, according to the report. The messages come from sender “Microsoft Outlook.”
Click to expand...

Ironscales: Microsoft O365 Fails to Block Spoofed Emails Sent from Microsoft.com

The 200 million Microsoft Office 365 (O365) users worldwide are now being targeted by a new global spear-phishing attack spoofing Microsoft.com. Two weeks ago, IRONSCALES researchers first identified what we can now confirm to be a well-coordinated email spoofing campaign targeting O365 users particularly within the financial services, healthcare, insurance, manufacturing, utilities, and telecom industries, among others.

Specifically, the fraudulent message is composed of urgent and somewhat fear-inducing language intended to convince users to click on what is a malicious link without hesitation.
Click to expand...

guest · Dec 16, 2020

Microsoft Office 365 Credentials Under Attack By Fax ‘Alert’ Emails
December 14, 2020
https://threatpost.com/microsoft-office-365-credentials-attack-fax/162232/

Researchers are warning of a coordinated phishing attack that targeted “numerous” enterprise organizations last week.

The attackers behind the attack leveraged hundreds of compromised, legitimate email accounts in order to target organizations with emails, which pretended to be document delivery notifications. In reality, the phishing attack stole victims’ Office 365 credentials.

“The widespread use of hundreds of compromised accounts and never-seen-before URLs indicate the campaign is designed to bypass traditional threat intelligence solutions accustomed to permitting known but compromised accounts into the inbox,” said researchers with Abnormal Security, in a Monday analysis.
Click to expand...

Here, “the attacker attempts to legitimize the campaign with official-looking landing pages similar to those used by eFax,” said researchers.
Click to expand...

Abnormal Security: Widespread ‘Doc(s) Delivery’ Spear-Phishing Campaign Targets Enterprises with Hundreds of Compromised Accounts

If the employee clicks “View Documents” on the landing page, they are taken to a credential phishing page that attempts to steal their O365 credentials.
As noted above, the attackers are using more than one landing page template in an attempt to steal credentials.

The volume, recency and spread of phishing attempts across numerous employees and organizations indicates the attackers are determined in their efforts.
Click to expand...

guest · Aug 4, 2021

Microsoft Warns of 'Crafty' Phishing Campaign
August 2, 2021
https://www.darkreading.com/threat-intelligence/microsoft-warns-of-crafty-phishing-campaign

Microsoft has warned of an active phishing campaign targeting Office 365 users with a "crafty combination" of techniques aimed at bypassing email filters.

The attack uses legitimate-looking original sender email addresses, spoofed display sender addresses that contain target usernames and domains, and display names that mimic legitimate services to slip past defenses, Microsoft Security Intelligence wrote in a Twitter thread.
Click to expand...

The malicious emails have two URLs with malformed HTTP headers. One, the primary phishing URL, is a Google storage resource that redirects the victim to an AppSpot domain, which requires them to log in before presenting them with another Google User Content domain that has an Office 365 phishing page. A second URL, located in the notification settings, redirects to a compromised SharePoint site, which Microsoft says adds legitimacy to this campaign.

"Both URLs require sign-in to continue to the final page, bypassing many sandboxes," officials write.

Read Microsoft Security Intelligence's full thread for more details.
Click to expand...

guest · Aug 12, 2021

New one-click button will flag dodgy emails directly to cyber experts
August 12, 2021
https://news.sky.com/story/new-one-...dgy-emails-directly-to-cyber-experts-12379104

People could already forward scams to the NCSC's Suspicious Email Reporting Service (SERS), but it is hoped the ease of a single button will encourage more widespread use.

The cybersecurity division of GCHQ has published guidance on how company IT departments can add the button to Outlook on Microsoft 365.
Click to expand...

Among the most common types of phishing seen are employees being tricked into downloading malware that looks like it comes from IT support, clone login pages stealing personal details, and emails containing fake alerts from common workplace software.

Dr Ian Levy, the NCSC's technical director, said: "The pandemic has shown the cybercriminals will stop at nothing to attack and defraud citizens and businesses.

"But our Suspicious Email Reporting Service has also shown that the British public can help us fight back against this scourge.
"This new reporting button makes it easy for businesses using Microsoft 365 to enable their staff to report dodgy looking emails and further help combat cyber crime.
Click to expand...

NCSC: Email innovation simplifies takedown of cyber scams

Scam emails can be sent directly to SERS via a new button organisations can add to their Microsoft Office 365 accounts.

One single click will flag scam emails to the National Cyber Security Centre

Latest innovation in campaign that has received 6.5 million reports from the public and removed over 50,000 online scams

Cloned login pages, spoofs of enterprise software and tricks to download malware bring cyber crime to the workplace.

Click to expand...

NCSC: Configuring Office 365's 'Report Phishing' add-in for Outlook to use SERS

How to report emails to the NCSC's Suspicious Email Reporting Service (SERS) using Office 365's 'Report Phishing' add-in for Outlook.
This guidance describes how to configure the Office 365 'Report Phishing' add-in for Outlook, so that users can report suspicious emails to the NCSC's Suspicious Email Reporting Service (SERS).
Click to expand...

guest · Aug 16, 2021

Microsoft: Evasive Office 365 phishing campaign active since July 2020
August 12, 2021
https://www.bleepingcomputer.com/ne...365-phishing-campaign-active-since-july-2020/

Microsoft says that a year-long and highly evasive spear-phishing campaign has targeted Office 365 customers in multiple waves of attacks starting with July 2020.

The ongoing phishing campaign lures targets into handing over their Office 365 credentials using invoice-themed XLS.HTML attachments and various information about the potential victims, such as email addresses and company logos.

other information like IP address and location, which attackers use as the initial entry point for later infiltration attempts," the Microsoft 365 Defender Threat Intelligence Team explained.
Click to expand...

Continuously evolving evasion tactics
However, this series of attacks stand out from others through the attackers' continuous efforts to obfuscate their phishing emails to circumvent email security solutions.

"In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions," Microsoft added.
Click to expand...

Microsoft: Attackers use Morse code, other encryption methods in evasive phishing campaign

In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.
Use of Morse code
In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.
Use of encoding “wrapper”
While earlier iterations of this campaign use multiple encoding mechanisms by segment, we have observed a couple of recent waves that added one or more layers of encoding to “wrap” the entire HTML attachment itself.
Click to expand...

stapp · Aug 13, 2021

Just goes to show that even old ways of communication (morse code) can be used for encryption.

guest · Oct 11, 2021

Microsoft: Iran-linked hackers breached Office 365 customer accounts
October 11, 2021
https://therecord.media/microsoft-iran-linked-hackers-breached-office-365-customer-accounts/

Microsoft said today that a new Iran-linked hacking group has targeted more than 250 Office 365 tenants and compromised accounts for less than 20.
The attacks, which the company disclosed today in a security alert, have been carried out via password spraying, a technique where hackers try the same password over and over again—while rotating the username.

The Redmond-based software company said the attacks were carried out by a new group the company is now tracking as DEV-0343, but which they linked to Iran because of similarities in offensive techniques, targeting, and other patterns.
Click to expand...

Microsoft said the group’s attacks, which are still ongoing, have “a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.”
To enumerate accounts, hackers abuse two Exchange email server features (Autodiscover and ActiveSync), Microsoft said.

“On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” the OS maker explained.
Click to expand...

Microsoft has released indicators of compromise and instructions for Office 365 tenants on how to find past attacks in their logs and determine what accounts were compromised.
Click to expand...

guest · Oct 23, 2021

TodayZoo Phishing Kit Used to Swipe Microsoft Credentials
October 22, 2021
https://duo.com/decipher/todayzoo-phishing-kit-used-to-swipe-microsoft-credentials

Attackers behind an extensive phishing campaign utilized a partially recycled phishing kit in order to target victims' Microsoft credentials. The campaign illustrates the diverse ways cybercriminals are leveraging phishing kits - from renting them to building their own customized versions, said researchers with Microsoft.

TodayZoo, so-called due to its “curious” use of these words in its credential harvesting component, was first observed in December 2020, and since then has been utilized in several phishing attacks that aim at stealing victims’ Microsoft 365 account credentials, according to the Microsoft 365 Defender Threat Intelligence Team on Thursday.

“Our prior research on phishing kits told us TodayZoo contained large pieces of code copied from widely circulated ones,” according to Microsoft researchers. “The copied code segments even have the comment markers, dead links, and other holdovers from the previous kits.”
Click to expand...

Upon further inspection, researchers tied TodayZoo to a code block called DanceVida, which many other phishing kits have leveraged. TodayZoo’s implementations matched 30 to 35 percent of the larger superset of kits referencing DanceVida, such as a similar phishing kit called “Office-RD117” that shared several components.

“They put these functionalities together in a customized kit and try to reap the benefits all to themselves.”
Click to expand...

Microsoft: Franken-phish: TodayZoo built from other phishing kits

Our analysis of its phishing page artifacts, redirection routines, and domain generation algorithm (DGA) methods for the initial sites helps ensure Microsoft Defender for Office 365 effectively protect customers from the said campaigns.

This blog post details some of the technical aspects of a phishing campaign based on the TodayZoo kit. It also provides information about “DanceVida,” a potential parent family of kits based on a shared resource link, and how it and other historical patterns figure in TodayZoo’s code structure.
Click to expand...

guest · Oct 27, 2021

Scammers are emailing waves of unsolicited QR codes, aiming to steal Microsoft users' passwords
October 26, 2021
https://www.cyberscoop.com/qr-code-phishing-scam/

Email fraudsters are seizing on the attention around the quick response codes that have become more common in restaurants and stories, leveraging QR codes try to steal users’ Microsoft credentials and other data.

The latest campaign, uncovered Tuesday by the email security company Abnormal, leveraged compromised email accounts in order to bypass standard security screening, then target nearly 200 email accounts between Sept. 15 and Oct. 13, 2021.
The operation is the latest example of QR code-enabled phishing, with warnings about “QRishing” or “quishing” dating back to at least 2012. The Better Business Bureau warned of such scams this summer, and the Army Criminal Investigation Command’s Major Cybercrime Unit warned of potential problems in March.
Click to expand...

An earlier version of the effort unveiled Tuesday embedded a malicious link behind what looked like a voicemail .WAV file. When that link was flagged by security screening services, attackers then switched to a QR code to redirect a victim to a credential harvesting page. The research did not identify the attackers behind the campaign.

A message below the QR code instructed the victim to scan it to “enable you to listen to encrypted Voicemail.” That then led to a fake Microsoft landing page that prompted the victim to enter their email and password in order to play the message.
Click to expand...

Rachelle Chouinard, a threat intelligence analyst at Abnormal, noted that the campaign was a bit clunky.
It would require the victim to open the email on their computer and then use their phone’s camera to scan the QR code, which would then take them to the fake Microsoft login page to harvest a user’s credentials.

“Does this actor expect them to go back and open it on their computer? Or send the email to the printer? Use another phone? At what point does the victim begin to suspect a scam?” Chouinard wrote.
Click to expand...

guest · Nov 1, 2021

Kaspersky's stolen Amazon SES token used in Office 365 phishing
November 1, 2021
https://www.bleepingcomputer.com/ne...amazon-ses-token-used-in-office-365-phishing/

Kaspersky said today that a legitimate Amazon Simple Email Service (SES) token issued to a third-party contractor was recently used by threat actors behind a spear-phishing campaign targeting Office 365 users.

Amazon SES is a scalable email service designed to allow developers to send emails from any app for various use cases, including marketing and mass email communications.
Kaspersky security experts linked the phishing attempts to multiple cybercriminals who used two phishing kits in this campaign, one known as Iamtheboss and another named MIRCBOOT.
Click to expand...

No servers compromised
"This access token was issued to a third party contractor during the testing of the website 2050.earth," Kaspersky explained in an advisory issued today, the first of its kind issued by the Russian cybersecurity firm in the last six years.

The threat actors did not attempt to impersonate Kaspersky and decided to camouflage their phishing messages as missed fax notifications, redirecting potential victims to phishing landing pages designed to harvest their Microsoft credentials.

"The phishing e-mails are usually arriving in the form of 'Fax notifications' and lure users to fake websites collecting credentials for Microsoft online services," Kaspersky added.
Click to expand...

guest · Nov 11, 2021

Tiny Font Size Fools Email Filters in BEC Phishing
November 11, 2021
https://threatpost.com/tiny-font-size-email-filters-bec-phishing/176198/

A new business email compromise (BEC) campaign targeting Microsoft 365 users is using a range of sophisticated obfuscation tactics within phishing emails that can fool natural language processing filters and are undetectable to end users.

Researchers at Avanan, a CheckPoint company, first discovered the campaign – dubbed One Font because of the way it hides text in a one-point font size within messages – in September.
Click to expand...

Attackers also are hiding links within the cascading style sheets (CSS) in their phishing emails: another tactic that serves to confuse natural language filters like Microsoft’s Natural Language Processing (NLP), researchers said in a report posted online Thursday.

The One Font campaign also includes messages with links coded within the <font> tag, which – in combination with the other obfuscation techniques – also destroy the effectiveness of email filters that depend on natural language for their analysis, according to Jeremy Fuchs, a cybersecurity researcher at Avanan.

“This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing,” Fuchs wrote. “Natural language filters see random text; human readers see what the attackers want them to see.”
Click to expand...

Avanan: The OneFont Attack: Manipulation and Obfuscation

In 2018, Avanan researchers discovered the ZeroFont phishing technique, whereby hackers insert hidden words, all with a font size of zero, that is invisible to the recipient but fool Microsoft’s Natural Language Processing. Further, over the last number of years, Avanan analysts have noticed and written about a number of new obfuscation tactics.
Click to expand...

guest · Aug 19, 2022

Russian APT29 hackers abuse Azure services to hack Microsoft 365 users
August 19, 2022

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.

Microsoft 365 is a cloud-based productivity suite predominately used by business and enterprise entities, facilitating collaboration, communication, data storage, email, office, and more.
Click to expand...

Mandiant, who has been tracking the activities of Cozy Bear (aka APT29 and Nobelium), reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.
In a report published today, Mandiant highlights some of APT29's advanced tactics and some of their newest TTPs (tactics, techniques, and procedures).
Focusing on Microsoft 365
Microsoft 365 users on a higher-grade E5 license enjoy a security feature named "Purview Audit" (formerly Advanced Audit). When enabled, this feature logs user agents, IP addresses, timestamps, and usernames each time an email is accessed independently of the program (Outlook, browser, Graph API).

"This is a critical log source to determine if a threat actor is accessing a particular mailbox, as well as to determine the scope of exposure," warns Mandiant in an APT 29 whitepaper.
Click to expand...

Mandiant's second interesting finding is APT29 taking advantage of the self-enrollment process for multi-factor authentication (MFA) in Azure Active Directory (AD).
The Russian hackers performed brute force attacks on usernames and passwords of accounts that had never logged into the domain and enrolled their devices in MFA.

Finally, Mandiant observed the threat group using Azure Virtual Machines via compromised accounts or by purchasing the service to hide their trace.
Click to expand...

Mandiant: You Can’t Audit Me: APT29 Continues Targeting Microsoft 365

Mandiant has observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365. We are highlighting several newer TTPs used by APT29 in recent operations.
Click to expand...

guest · Sep 3, 2022

Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account
By Elizabeth Montalbano - August 24, 2022

In a widespread campaign, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.
An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.

Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.
The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.
Click to expand...

Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.
Combination of Tactics
The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC's Nathaniel Sagibanda explained in the Wednesday post.

The plot thickens even further down in the message, which contains a footer indicating that it was a survey site — such as those used to provide customer feedback — that generated the message, according to the post.
Click to expand...

Mimicking a Customer Survey
When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that's been compromised by attackers, researchers said. [...]
Click to expand...

Cofense: Compromised Microsoft Dynamic 365 Customer Voice account used for Phishing attack

guest · Feb 2, 2023

Hackers weaponize Microsoft Visual Studio add-ins to push malware
By Bill Toulas @billtoulas - February 2, 2023

Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins.
Click to expand...

The technique is an alternative to sneaking into documents VBA macros that fetch malware from an external source.
However, using VSTO introduce an attack vector that allows building .NET-based malware and embedding it into the Office add-in.

Security researchers at Deep Instinct discovered multiple such attacks recently and believe that skillful hackers are increasingly adopting the method.
Although VSTO-based attacks are not new, they are a rare occurrence and have not been too much of a concern for the infosec community.
Click to expand...

Attacking with VSTO
VSTO is a software development kit, part of Microsoft's Visual Studio IDE. It is used to build VSTO add-ins, which are extensions for Office applications that can execute code on the machine.

These add-ins can be packaged with the document files or downloaded from a remote location and are executed when launching the document with the associated Office app (e.g. Word, Excel)
Threat actors prefer using the local VSTO approach, which does not require bypassing trust-related security mechanisms to execute the add-in code. However, Deep Instinct noticed some attacks using remote VSTO add-ins.
Click to expand...

To show how VSTO could help an attacker deliver and execute malware, as well as achieve persistence on the machine, the researchers created a proof-of-concept (PoC) with a Meterpreter payload. Apart from the payload, which was purposefully selected to be highly detectable, all the components of the PoC flew under Window Defender's radar.
Click to expand...

Deep Instinct: No Macro? No Worries. VSTO Being Weaponized by Threat Actors

By Shaul Vilkomir-Preisman - February 1, 2023
Office Visual Basic for Applications (VBA) macros have been a core tool in most threat actors’ arsenals for decades.

This threat landscape prominence has recently been stifled by Microsoft’s long-awaited decision to block-by-default any VBA macro in Office files bearing the mark-of-the-web (indicating that the file did not originate from the local machine). This significantly reduced this attack surface and forced threat actors to adapt and explore alternative attack vectors.
Click to expand...

Another such example is Visual Studio Tools for Office (VSTO). Below we explore some “in-the-wild” examples of how VSTO can become a significant attack vector.
Click to expand...

Log in or Sign up

Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

stapp Global Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Microsoft Office 365 is becoming the core of many businesses. And hackers have noticed

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

stapp Global Moderator

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches