Microsoft Office 365 users are being targeted by a new phishing campaign that poses as a change to Microsoft's terms and policies.
Researchers at the Cofense Phishing Defense Center (PDC) found a campaign that tries to steal users' login credentials with an email carrying the subject line "Recent Policy Change". According to Tech Radar, the campaign has been seen across various organizations and uses several techniques to trick users into handing over their credentials.
Recipients are urged to accept new Terms of Use and a new Privacy Policy to keep using the service. The word "security" in the sender's email address lends the message credibility and adds a sense of urgency.
The email offers two buttons, Accept and Learn More. Clicking either one sends the user to a copy of the genuine Microsoft login page; any credentials entered there go straight to the attackers.
Google Ad redirect trick
One of the tricks used in this campaign is a Google Ad Services redirect: the links behind the email's buttons pass through a legitimate Google domain before landing on the phishing page.
The use of a Google Ad Services redirect suggests the attackers may have paid Google for an ad so that their URL is reached through a trusted, authorized source. Because the visible link points at a Google domain rather than the attacker's, these emails can slip past the secure email gateways that organizations rely on to block online attacks and phishing campaigns.
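As an added example, not code from the article or from Cofense, the following PowerShell unwraps a redirect-style link and compares the host the user sees with the host the browser actually lands on, which is the check a mail gateway or analyst needs to make for links of this kind. The sample URL is constructed, and the assumption that the real destination sits in an `adurl` query parameter (or one of the other listed names) is an illustration of common click-tracking formats; adapt the parameter list to what you observe in your own mail.

```powershell
# Added example, not code from the article or from Cofense: unwrap a redirect-style
# link and compare the host the user sees with the host the browser actually lands on.
# The sample URL and the 'adurl' parameter name are assumptions for illustration.

function Get-RedirectTarget {
    param([Parameter(Mandatory)][string]$Url)

    $uri   = [System.Uri]$Url
    $query = @{}
    # Parse the query string by hand so this also runs on PowerShell 7 without System.Web
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $parts = $pair -split '=', 2
        $name  = [System.Uri]::UnescapeDataString($parts[0])
        $value = if ($parts.Count -gt 1) { [System.Uri]::UnescapeDataString($parts[1]) } else { '' }
        $query[$name] = $value
    }
    # Parameter names commonly used to carry a redirect destination (assumption)
    foreach ($name in @('adurl', 'url', 'q', 'redirect', 'redir')) {
        if ($query.ContainsKey($name) -and $query[$name] -match '^https?://') {
            return [System.Uri]$query[$name]
        }
    }
    return $null
}

function Test-SuspiciousLoginLink {
    param(
        [Parameter(Mandatory)][string]$Url,
        # Hosts where a genuine Microsoft sign-in page legitimately lives
        [string[]]$TrustedLoginHosts = @('login.microsoftonline.com', 'login.microsoft.com', 'login.live.com')
    )
    $visible = [System.Uri]$Url
    $target  = Get-RedirectTarget -Url $Url
    $landing = if ($null -ne $target) { $target.Host } else { $visible.Host }

    [pscustomobject]@{
        VisibleHost = $visible.Host
        LandingHost = $landing
        IsRedirect  = ($null -ne $target)
        # A trusted redirector that delivers the user to a non-Microsoft host is the pattern described above
        Suspicious  = (($null -ne $target) -and ($TrustedLoginHosts -notcontains $landing))
    }
}

# Constructed sample: a Google click-tracking style URL whose adurl points to a look-alike login page
$sample = 'https://www.googleadservices.com/pagead/aclk?sa=L&ai=EXAMPLE&adurl=https%3A%2F%2Fexample-login.invalid%2Fpolicy%2Findex.php'
Test-SuspiciousLoginLink -Url $sample | Format-List
```

For the constructed sample the visible host is www.googleadservices.com while the landing host is example-login.invalid, so the link is reported as a redirect to a non-Microsoft host. A reputation check that only looks at the visible domain would pass it, which is exactly why this redirect trick works against gateways.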
On arrival at the fake page, users see a pop-up about the new privacy policy. It carries both the Microsoft logo and the logo of the user's own company, which adds to the apparent legitimacy, and the "updated privacy policy" text it displays is lifted directly from Microsoft's website.
Once users accept the updated policy, they are redirected to a login page cloned from the official Office 365 sign-in page. If they enter their credentials and click "Next", the attackers receive those Microsoft credentials and the account is compromised.
A final message then appears, reading "We've updated our terms" with a "Finish" button, so users have no reason to suspect that their credentials have just been phished.
How to protect your Office 365 account from phishing
The criminals behind this campaign combined several tricks to steal account information, which is why users should be especially cautious with any email that asks them to sign in to their account.
Microsoft 365 includes built-in anti-phishing protection, but the default policy can be tightened to protect accounts further. Here is how to do it:
1. Launch your browser and go to https://admin.microsoft.com. Choose Security, Threat Management, Policy, then ATP Anti-phishing. (In newer tenants the same settings are labelled Microsoft Defender for Office 365 and live at https://security.microsoft.com under Email & collaboration, Policies & rules, Threat policies, Anti-phishing.)
2. Click on the Default Policy to update it.
3. Go to Impersonation and click Edit.
4. Select Add domains to protect and click on the toggle to include the domains you own automatically.
5. Under Actions, use the drop-downs for If email is sent by an impersonated user and If email is sent by an impersonated domain to choose what happens to such messages, for example quarantining them rather than delivering them to the inbox.
6. Select Turn on impersonation safety tips. You may choose whether tips should be provided to users when the system detects impersonated users, domains, or unusual characters. Click on Save.
7. Click on Mailbox intelligence and check that it is turned on; it learns each user's normal correspondents so that impersonation of those contacts is detected more accurately.
8. Choose to Add trusted senders and domains to add email addresses or domains that will not be classified as a phishing email or website.
9. Click Review your settings and make sure everything is correct before clicking Save and Close.
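The same configuration as the nine steps above, as an added example that is not code from the article or from Microsoft, applied through Exchange Online PowerShell (the Set-AntiPhishPolicy cmdlet from the ExchangeOnlineManagement module) so it can be version-controlled and repeated across tenants. The domain names, the protected user and the excluded sender are placeholders, and Quarantine is one choice; the same drop-downs also offer moving the message to Junk, redirecting it or deleting it.

```powershell
# Added example, not code from the article or from Microsoft: the same hardening as
# steps 1-9, applied with Exchange Online PowerShell so it can be scripted and reviewed.
# Needs the ExchangeOnlineManagement module and an account holding the Security
# Administrator role. Domain names and addresses below are placeholders.

Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser   # one-time setup
Connect-ExchangeOnline                                              # interactive sign-in

$settings = @{
    Identity                            = 'Office365 AntiPhish Default'   # built-in default policy (step 2)

    # Step 4: automatically protect the domains you own, plus any listed explicitly
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('contoso.com')                  # placeholder brand/partner domain

    # Step 5: what to do with mail that impersonates a protected user or domain
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Jane Doe;jane.doe@contoso.com') # placeholder; format is "DisplayName;Address"
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'Quarantine'

    # Step 6: impersonation safety tips shown to users
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true

    # Step 7: mailbox intelligence learns each user's normal contacts and can act on hits
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'

    # Step 8: senders and domains that must never be treated as impersonation
    ExcludedSenders                     = @('alerts@partner.example')      # placeholder
    ExcludedDomains                     = @('partner.example')             # placeholder
}

Set-AntiPhishPolicy @settings

# Step 9: review the effective settings before signing off
Get-AntiPhishPolicy -Identity $settings.Identity |
    Select-Object Name, EnableOrganizationDomainsProtection, TargetedDomainsToProtect,
                  TargetedUsersToProtect, TargetedUserProtectionAction, TargetedDomainProtectionAction,
                  EnableMailboxIntelligence, EnableMailboxIntelligenceProtection,
                  EnableSimilarUsersSafetyTips, EnableSimilarDomainsSafetyTips,
                  EnableUnusualCharactersSafetyTips, ExcludedSenders, ExcludedDomains |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Run Get-AntiPhishPolicy on its own first and save the output, so you have a record of the policy before the change and can compare it with the review at the end. Keep the excluded senders and domains list as short as possible: every entry on it is an address or domain whose impersonation will never be flagged.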