Office 365 Phishing Campaign Exploited Samsung, Adobe and Oxford University Servers
June 2020 by Check Point
Researchers at Check Point have exposed a sophisticated phishing campaign designed to harvest enterprise login credentials stored in Microsoft Office 365 accounts. To evade detection by security software, the campaign leveraged reputable web domain names to bypass security filters. In this case, the names were Oxford University, Adobe and Samsung.
Hackers hijacked Oxford University’s email server to send malicious emails to victims. The emails contained links that redirected to an Adobe server used by Samsung in the past, enabling hackers to leverage the façade of a legitimate Samsung domain to successfully trick victims. Ultimately, victims were led down a deceitful path to share their Office 365 log-in credentials and give hackers access to their email accounts.
In early April 2020, Check Point researchers began observing emails sent to victims titled “Office 365 Voice Mail”. The emails alleged that an incoming voice-message was waiting in a victim’s voice-portal, prompting users to click on a button that would allegedly take them to their Office 365 account to take further action. After the victims clicked the button, they were redirected to a phishing page masquerading as the Office 365 login page. Below is an example email:
Most of the emails came from multiple generated addresses belonging to legitimate subdomains from different departments at the University of Oxford. The email headers show that the hackers had found a way to abuse one of Oxford’s SMTP servers, an application with the primary purpose of sending, receiving and relaying outgoing mail between email senders and receivers. The use of legitimate Oxford SMTP servers enabled hackers to pass the reputation check required by security measures for the sender domain.
Redirections from Samsung’s Trusted URL
Over the past year, Google and Adobe open redirects have been used by phishing campaigns to add legitimacy to the URLs used in the spam emails. In this case, the links in the email redirected to an Adobe server previously used by Samsung during a 2018 Cyber Monday marketing campaign. This meant the link embedded in the original phishing email is part of the trusted Samsung domain stem – one that unknowingly redirects victims to a website hosted by the hackers. By using the specific Adobe Campaign link format and the legitimate domain, the attackers increased the chances for the email to bypass email security solutions based on reputation, blacklists and URL patterns.
Lotem Finkelsteen, Check Point’s Manager of Threat Intelligence said: “What first appeared to be a classic Office 365 phishing campaign, turned out to be a masterpiece strategy: using well-known and reputable brands to evade security products on the way to the victims. Nowadays, this is a top technique to establish a foothold within a corporate network.
“Access to corporate mail can allow hackers unlimited access to a company’s operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords and even addresses of a company’s cloud assets. To pull the attack off, the hacker had to gain access to Samsung and Oxford University servers, meaning he had time to understand their inner workings, allowing him to go unnoticed.”
Check Point has informed Oxford University, Adobe and Samsung of its findings.