We’ve seen a rash of attacks pop up with the outbreak of COVID-19. These attacks include everything from malicious apps and fake websites to brute-force attacks and new phishing schemes. Each one revolves around coronavirus in one way or another.
With everyone working from home, remote users find themselves targeted by attackers more than ever. This week, Abnormal Security revealed a new tactic employed by criminals. Once again, it targets remote users, this time with a new twist on phishing.
Impersonating IT Support
The attack begins with a phishing email that looks like it came from your company’s IT support. The email contains a brief notice about a new VPN configuration along with a link for home access. The link leads to what looks like a Microsoft Office 365 login screen. Logging in hands the attacker exactly what they were after: your Office 365 credentials, and with them potentially every other account that accepts those credentials through single sign-on.
Attackers faked every aspect of this email and landing page. They started by spoofing your company’s domain so the sender address appears to be an internal email. The login page looks identical to Microsoft’s, and it appears even more convincing because it’s hosted on a Microsoft .NET platform and served with a valid Microsoft certificate, so the browser shows a padlock and no warning. Keep in mind what that padlock means: a valid certificate only proves that the page came from the host shown in the address bar, not that Microsoft operates the login form behind it.
Several variations of this attack have been spotted so far. They arrive from different sender addresses and are sent from different IP addresses, but each one uses the same link, which suggests that a single group is at work.
Given the current situation, VPN access remains a necessity, and employees fall for the lure out of fear of losing remote access. The link to the landing page points to a different URL than the one displayed in the email text. The attacker clearly designed the email to fool unsuspecting remote users.
What To Watch For
You can help protect your organization with these simple steps.
Verify Senders and Addresses
Make sure the message is coming from a legitimate source. Don’t just look at the display name; look at the underlying email address. If it’s not an address you recognize, be wary of any links within the email. Remember that in this campaign the sender address itself was spoofed to look internal, so a familiar address is not proof on its own: check whether the message passed SPF, DKIM and DMARC (your mail client’s sender-verification indicator, or the Authentication-Results header in the raw message) before trusting it.
Verify Email Links
Hopefully, you remember to do this before clicking any links. Hovering over a link displays the address it actually points to. Verify that this address matches the text shown in the email, and make sure the URL doesn’t look suspicious.
Verify Website URLs
Links within emails can be redirected. Clicking one can reroute you through another site to a completely different destination, which lets attackers bypass email security that only checks the link as it appears in the message. If you end up at a login screen, check the URL to see if it matches the service requesting credentials. For example, Office 365 login pages live on microsoft.com, microsoftonline.com, live.com, or office.com. What counts is the registered domain at the end of the hostname: login.microsoftonline.com is Microsoft’s, while login.microsoftonline.com.example.net is not, even though it starts the same way. If anything seems suspicious, don’t enter your credentials. Instead, contact IT support for verification.
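The three checks above (sender authentication, link text versus real target, and the login hostname) can be applied to a raw message before anyone clicks. The script below is an added example and is not code from the original article or from Abnormal Security. The message it parses is constructed for the example: the sender domain example.com, the receiving server mx.example.com and the landing host vpn-update.example.net are made up, and the list of Microsoft login domains is the one given in the text.

```python
"""Triage an email for the 'new VPN configuration' lure: sender authentication,
displayed link text versus real target, and whether the login host is Microsoft's.
Added example; the sample message is constructed and all of its hosts are made up."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Registrable domains of the Office 365 sign-in pages named in the article.
MS_LOGIN_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")

# Constructed sample: a spoofed internal sender that fails SPF and DMARC, and a
# link whose visible text is a Microsoft URL while the href goes elsewhere.
SAMPLE_EML = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
From: IT Support <it-support@example.com>
To: user@example.com
Subject: New VPN configuration for home access
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the new VPN configuration and sign in to confirm home access:</p>
<p><a href="https://login.microsoftonline.com.vpn-update.example.net/o365">https://login.microsoftonline.com/</a></p>
</body></html>
"""


def auth_results(msg):
    """Map spf/dkim/dmarc to their result from the Authentication-Results header (RFC 8601)."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL. urlsplit discards userinfo, so the old
    https://microsoft.com@evil.example/ trick correctly yields 'evil.example'."""
    return (urlsplit(url.strip()).hostname or "").lower()


def is_microsoft_login_host(host):
    """True only if the registrable domain at the END of the host is Microsoft's;
    'login.microsoftonline.com.example.net' merely starts like one."""
    return any(host == d or host.endswith("." + d) for d in MS_LOGIN_DOMAINS)


def link_findings(href, text):
    """Flag a link whose displayed URL differs from its target, or whose host
    name-drops a Microsoft domain without actually being a Microsoft host."""
    findings, real = [], host_of(href)
    if re.match(r"https?://", text, re.I) and host_of(text) != real:
        findings.append(f"link text shows {host_of(text)} but points at {real}")
    if any(d in real for d in MS_LOGIN_DOMAINS) and not is_microsoft_login_host(real):
        findings.append(f"{real} contains a Microsoft domain name but is not a Microsoft host")
    return findings


def triage(raw):
    """Return human-readable findings for a raw RFC 5322 message; empty means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, results = [], auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech}={results.get(mech, 'missing')} for sender {msg['From']}")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        findings.extend(link_findings(href, text))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run against the sample, `triage` reports the failed SPF and DMARC checks, the missing DKIM signature, the mismatch between the displayed Microsoft URL and the real target, and the fact that the real host only contains a Microsoft domain name rather than ending in one. The last check is the one most people skip when eyeballing a URL, and it is the reason the example compares the registrable domain at the end of the hostname instead of searching for "microsoft" anywhere in the string.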