Oxford and Samsung servers misused for Office 365 phishing campaigns

Microsoft users from the Middle East, Asia, and Europe targeted by hackers with phishing campaigns spread via hijacked Oxford University, Samsung, and Adobe servers

Oxford University, Samsung, and Adobe servers have been hijacked by hackers for spreading malicious emails to trick Microsoft Office 365 users into giving away their credentials. The targeted phishing campaign has been revealed by Check Point^[1] researchers back in April, though it did not seem to be standing out from the crowd at the time. 

However, it seems that users’ interest in Office 365 is significantly increasing. According to Microsoft’s FY20 Q1 results^[2], the platform has surpassed 200 million monthly active users and the number is steadily increasing. Thus, the Office 365 phishing campaign turned to have potential and many people might have already been tricked into disclosing their credentials to scammers. 

The Oxford University server hack is dubbed as “a masterpiece strategy” by Lotem Finkelsteen as it allows criminals to bypass victim’s security email filters and misled them into disclosing the Office 365 credentials without suspecting that. The hijacked Oxford’s server has been used as a mean to impersonate reliable email sender. The phishing email contains a voice message with a postscript ” You can an incoming voice-message in your voice portal,” which once clicked redirects the user to a phishing website – fake Office 365 login page. 

Sophisticated phishing emails bypass the reputation check to prove the legitimacy 

Check Point has been keeping an eye on the Office 365 phishing campaign for over two months^[3]. The company spotted a misleading missed voice message being pushed en masse on the 20th of April, especially targeting Europe, Asia, and Middle East email users. Statistically, 43% of these emails were sent to the mentioned regions. 

People can be easily tricked by these messages as they bypass the reputation check. The hijacked Oxford University server allows hackers to camouflage their underrated servers with the highly-trusted server domain. Thus, the Office 365 phishing emails contain the “Message from trusted server” notification at the top of the message and is signed by Microsoft Corporation^[4].

Less experienced users can easily fall for the Office 365 phishing scam since the message does seem legitimate. However, clicking on the Listen/Download button redirects to fake Office 365 website, which contains a malicious redirect code. 

The phishing site is not detected by security tools since the email and the redirect domain are separated. The phishing email redirects to the fake website, which is not likely to be detected by AV engines to redirect stages and usage of legitimate domains:

Behind the scenes, this redirection consists of two stages: the first stage abused an existing redirection scheme on the legitimate domain (e.g. samsung[.]ca), and the second stage redirected the user to a compromised WordPress site.

The strategy used for redirect stage two is based on compromised WordPress websites. This site is directly linked to a Samsung domain hosted on Adobe’s server (the latter has been launched in 2018 for Cyber Monday deals and is down for over the year). The malicious code injected is scanning the landing visitors’ to see if they have been redirected through the Office 365 scam or other sources. The “other” sources are blocked and the phishing site may not load at all. 

The attackers took the existing link from an old, but legitimate Samsung Cyber Monday themed email campaign dating back to 2018. By changing the [URL] parameter, they repurposed it to redirect the victim to a domain they controlled instead of http://samsung.com/ca/.

Office 365 phishing scam aims at the leak of credential

The campaign has been well-developed and, apparently, the criminals behind it must have invested much time on the project. Besides, to launch such type of campaign, which requires a deep understanding of how the layers of network security work within corporates.  

Besides, scammers were actively managing and improving the campaign to change redirections to URLs to evade detection and ensure prevalence. However, one may ask what’s the point? It’s not clear if there are any victims of the current Office 365 spam campaign. Besides, are the sole credentials of this platform is so valuable and worth investing? Most probably scammers know best, but it’s clear that having the logins of individual/work/school accounts are useful and can provide them with benefit. 

Reacting to the active campaign, Microsoft responded immediately and submitted the official website^[5] where the symptoms of the compromised account are listed, as well as tips on how to prevent the attack. Those who have received the fake Office 365 Voice-Mail recently should include the sender to the blacklist and send the message to spam. Besides, an immediate password change is recommended to prevent scammers from taking advantage of your account.