As reported today by Help Net Security, attackers are targeting Microsoft Office 365 administrators in a new phishing campaign that obtains and validates credentials in real time. According to the article, the attack begins with a fake Office 365 notification in which every link points to a fake Office 365 sign-in page hosted on a windows.net domain. A script on the fake page checks the administrator's credentials as they are entered by opening an IMAP connection back to the real Office 365 service. If the credentials authenticate, the attackers download the administrator's entire mailbox over that same IMAP connection, unbeknownst to the administrator. Finally, the administrator is redirected to their genuine Office 365 Exchange Online mailbox, so the sign-in appears to have worked normally.
This style of attack is particularly dangerous because the mailbox is exfiltrated in the background and can easily go unnoticed. Once the download completes, the attackers have offline access to the email data indefinitely and can mine it for anything useful, whether to further their campaign or to monetize the data. Because the captured credentials belong to an administrator, they may also give the attackers the ability to make changes to the victim organization's Office 365 tenant.
Avoiding this type of attack is relatively easy if you follow industry best practices. As outlined in the Help Net Security article:
- Enable multi-factor authentication on all accounts.
- Disable the IMAP protocol on all mailboxes in your environment (POP carries the same risk and should be disabled alongside it).
- Give administrators two separate Office 365 accounts: one for daily use, tied to their ordinary user account, that does NOT hold administrator privileges, and one used only for performing administrative functions.
- Do not associate a mailbox with any administrator account.
- Be aware that the genuine Office 365 sign-in portal is at microsoftonline.com (login.microsoftonline.com), not windows.net. Note that windows.net is itself a legitimate Microsoft domain used by Azure services, which is exactly why a phishing page hosted there looks credible; the domain name alone is not proof that a sign-in page is the real one.
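The following Exchange Online / MSOnline PowerShell script is an added example that applies the mitigations above to a tenant; it is not code from the Help Net Security article or from the original post. It assumes you have already run `Connect-ExchangeOnline` (ExchangeOnlineManagement module) and `Connect-MsolService` (MSOnline module) with an account that holds the required roles, and it uses the per-user MFA mechanism of the MSOnline module, which is one of several ways to enforce MFA (Conditional Access is the other common one).

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline and
# Connect-MsolService have already been run in this session.

# 1. Disable IMAP and POP on every existing mailbox that still has either enabled.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# 2. Disable IMAP and POP in the mailbox plans so newly created mailboxes inherit the setting.
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 3. Verify: this should return nothing once steps 1 and 2 have been applied.
$stillOpen = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object Identity, ImapEnabled, PopEnabled
if ($stillOpen) {
    Write-Warning "Mailboxes with IMAP or POP still enabled:"
    $stillOpen | Format-Table -AutoSize
}

# 4. Find Global Administrators that still have a mailbox. In MSOnline the Global
#    Administrator role is named "Company Administrator". Each hit should be replaced by
#    a dedicated, mailbox-less admin account plus a separate non-privileged daily account.
$globalAdminRole = Get-MsolRole -RoleName "Company Administrator"
$adminsWithMailbox = Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object {
        $mbx = Get-Mailbox -Identity $_.EmailAddress -ErrorAction SilentlyContinue
        if ($mbx) { $_.EmailAddress }
    }
if ($adminsWithMailbox) {
    Write-Warning "Global Administrators with a mailbox (should be none):"
    $adminsWithMailbox
}

# 5. Enforce per-user MFA on every licensed user that does not already have it.
#    (StrongAuthenticationRequirements is empty for users without per-user MFA.)
$mfaRequirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfaRequirement.RelyingParty = "*"
$mfaRequirement.State = "Enabled"

Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.UserPrincipalName -StrongAuthenticationRequirements @($mfaRequirement)
        "Enabled MFA for $($_.UserPrincipalName)"
    }
```

Run steps 3 and 4 on their own first to see what would change; the IMAP/POP change in step 1 is safe to apply tenant-wide, but disabling the protocols will break any legitimate mail clients or integrations that still rely on them, so inventory those before cutting them off.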