Microsoft 365 users have seen a slew of phishing emails, thanks to an ongoing attack aimed at stealing Microsoft 365 credentials. To make the emails look more realistic and legitimate, attackers are adding a fake Google reCAPTCHA check as well as company logos to the mails. Security researchers indicate that over 2,500 such emails have been unsuccessfully sent to senior-level employees in the banking and IT sectors over the past three months.
These phishing emails first take the recipient to a fake Google reCAPTCHA page when a link in the mail is clicked. Once the recipient completes the test, they are redirected to a bogus landing page where their Microsoft 365 credentials are stolen. Another common method attackers seem to use is sending senior members of an organization emails about a voicemail attachment; the modus operandi in such attacks is similar.
Researchers are concerned that attackers are putting more work into making the phishing attack look legitimate and making the landing pages fit the victim profile. The attacks also increasingly target senior business leaders, as such people have the most privileges and access to sensitive data.
Researchers also noted that most phishing pages associated with the campaign were hosted on generic top-level domains such as .xyz, .reset and .online. These domains are commonly used by cybercriminals in spam and phishing attacks owing to their cheap availability.
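A defender reading the two observations above (a reCAPTCHA-then-login flow, pages hosted on cheap generic TLDs) can turn them into a simple mail-triage rule. The following Python is an added example written for this page, not code from the researchers or from Microsoft; the TLD list comes from the article, while the lure keywords, the brand allow-list and the sample messages are constructed assumptions for illustration. It extracts URLs from message bodies and flags those whose TLD is on the risky list or that carry brand or lure words on a host that is not the brand's own.

```python
import re
from urllib.parse import urlparse

# Generic TLDs the article names as commonly abused for phishing pages.
RISKY_TLDS = {"xyz", "reset", "online"}

# Words from the lures described above (fake reCAPTCHA, Microsoft 365 login,
# voicemail attachment). Assumed keyword list: seeing them on a non-brand host is suspicious.
LURE_KEYWORDS = ("recaptcha", "microsoft", "office365", "voicemail", "login")

# Hosts that legitimately carry those words (assumed allow-list for this example).
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "google.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) URLs out of a message body, dropping trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def is_brand_host(host):
    """True if host is one of the allow-listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def assess_url(url):
    """Return the reasons (possibly none) a URL looks like a credential-phishing lure."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in RISKY_TLDS:
        reasons.append("risky tld ." + tld)
    haystack = host + parsed.path.lower()
    hits = [k for k in LURE_KEYWORDS if k in haystack]
    if hits and not is_brand_host(host):
        reasons.append("brand/lure keywords on non-brand host: " + ", ".join(hits))
    return reasons


def triage(messages):
    """messages: iterable of (message_id, body). Returns {message_id: {url: reasons}}
    for every message containing at least one suspicious URL."""
    flagged = {}
    for message_id, body in messages:
        for url in extract_urls(body):
            reasons = assess_url(url)
            if reasons:
                flagged.setdefault(message_id, {})[url] = reasons
    return flagged


# Constructed sample messages, modelled on the lures described in the article.
SAMPLE_MESSAGES = [
    ("m1", "Please verify you are human: https://secure-login.xyz/recaptcha/verify."),
    ("m2", "Loading https://www.google.com/recaptcha/api.js for the form."),
    ("m3", "You have a new voicemail, listen at https://voicemail-portal.online/office365/"),
    ("m4", "Quarterly report attached, also at https://example.com/reports/q1"),
]

if __name__ == "__main__":
    for msg_id, urls in triage(SAMPLE_MESSAGES).items():
        for url, reasons in urls.items():
            print(msg_id, url, "->", "; ".join(reasons))
```

Run stand-alone it flags m1 and m3 and leaves the genuine Google reCAPTCHA script URL alone. A rule this coarse is a triage aid for a mail-security queue rather than a blocking control; the allow-list check compares whole domain labels so a look-alike such as evilgoogle.com is not treated as the brand.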
In an analysis of common vulnerabilities and exposures carried out by the National Institute of Standards and Technology (NIST), it was found that 2020 holds the record for the highest number of reported security loopholes of any year to date.
The report shows that in 2020 alone as many as 18,103 vulnerabilities were reported, with almost 10,342 of them classified as high or critical in urgency. It is worth noting that the number of critical bugs discovered in 2020 outnumbered the sum total of vulnerabilities disclosed in 2010. NIST added that over 68% of the CVEs reported did not require any user interaction to be exploited.
The share of attack vectors that do not require any user privileges dropped 13% in four years and stands at 58%. However, the number of vulnerabilities that require high-level privileges has been on the rise. This means that cybercriminals are resorting to age-old attacks like phishing. Alarmingly, of all the CVEs reported, around 4,000 were deemed extremely critical, as they required neither privileges nor user interaction to be exploited.
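The figures in the two paragraphs above (share needing no user interaction, share needing no privileges, the rise in high-privilege bugs, and the set needing neither privileges nor interaction) are all derived from the CVSS v3 base metrics attached to each CVE. The Python below is an added example for this page, not NIST's own tooling: it parses CVSS v3.x vector strings and reproduces that breakdown over a constructed set of records with placeholder identifiers, so the same code can be pointed at a real NVD export.

```python
from collections import Counter

# Base metrics every CVSS v3.x vector must carry.
REQUIRED_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_cvss_vector(vector):
    """Parse a CVSS v3.0/3.1 vector string such as
    'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' into a {metric: value} dict."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported: " + vector)
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError("malformed metric %r in %s" % (part, vector))
        metrics[key] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError("vector lacks base metrics %s: %s" % (missing, vector))
    return metrics


def summarize(records):
    """records: iterable of (identifier, vector). Counts the categories the article
    quotes: no user interaction (UI:N), no privileges (PR:N), high privileges (PR:H)
    and the 'extremely critical' set needing neither privileges nor interaction."""
    counts = Counter()
    for _identifier, vector in records:
        m = parse_cvss_vector(vector)
        counts["total"] += 1
        if m["UI"] == "N":
            counts["no_user_interaction"] += 1
        if m["PR"] == "N":
            counts["no_privileges"] += 1
        if m["PR"] == "H":
            counts["high_privileges"] += 1
        if m["PR"] == "N" and m["UI"] == "N":
            counts["no_privileges_no_interaction"] += 1
    return counts


def share(counts, key):
    """Percentage of the total that falls in `key`, rounded to one decimal."""
    return round(100.0 * counts[key] / counts["total"], 1) if counts["total"] else 0.0


# Constructed records: placeholder identifiers (not real CVE ids) with realistic vectors.
SAMPLE_RECORDS = [
    ("EXAMPLE-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # remote, unauthenticated, zero-click
    ("EXAMPLE-2", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),  # unauthenticated but needs a click
    ("EXAMPLE-3", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),  # local, low privileges
    ("EXAMPLE-4", "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"),  # needs admin-level privileges
    ("EXAMPLE-5", "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),  # adjacent network, unauthenticated
    ("EXAMPLE-6", "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N"),  # high privileges and a click
]

if __name__ == "__main__":
    c = summarize(SAMPLE_RECORDS)
    for key in ("no_user_interaction", "no_privileges", "high_privileges",
                "no_privileges_no_interaction"):
        print("%-30s %d/%d (%.1f%%)" % (key, c[key], c["total"], share(c, key)))
```

On the six constructed records the script reports four needing no user interaction, three needing no privileges, two needing high privileges and two in the no-privileges-and-no-interaction set. The parser rejects anything that is not a v3.x vector rather than silently miscounting it, which matters when an export mixes CVSS v2 and v3 scored entries.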
In a recent announcement, Microsoft said that certain subscribers to the Microsoft Defender for Microsoft 365 service can now access a new "attack simulation training" feature. The feature, first introduced at the RSA conference last year, has finally been made available to customers. It is the result of Microsoft collaborating with Terranova Security in an attempt to keep phishing attempts in check.
This feature serves as an upgrade to the preexisting attack simulation tool built into Microsoft 365. It now lets IT departments set up the delivery of simulated phishing emails within an organization and get information on how end users respond to them. The tool also provides administrators with detailed statistics such as success rates and the probability of users falling for a phishing attempt. Microsoft added that the attack simulation feature will be available only to Microsoft 365 premium-tier users; Microsoft 365 E3 users will get only a limited-period trial of the feature. With the feature out in the open, administrators can finally educate users about phishing attacks and how to spot them before they wreak havoc.