badbayarea.blogg.se

Office365 app

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization's own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user's emails and files, both of which are then plundered to launch malware and phishing scams against others.

These attacks begin with an emailed link that when clicked loads not a phishing site but the user's actual Office 365 login page - whether that be at or their employer's domain. After logging in, the user might see a prompt that looks something like this: [screenshot of the app consent prompt, not reproduced here]

These malicious apps allow attackers to bypass multi-factor authentication, because they are approved by the user after that user has already logged in. Also, the apps will persist in a user's Office 365 account indefinitely until removed, and will survive even after an account password reset.

This week, messaging security vendor Proofpoint published some new data on the rise of these malicious Office 365 apps, noting that a high percentage of Office users will fall for this scheme.

Ryan Kalember, Proofpoint's executive vice president of cybersecurity strategy, said 55 percent of the company's customers have faced these malicious app attacks at one point or another. "Of those who got attacked, about 22 percent - or one in five - were successfully compromised," Kalember said.

Kalember said Microsoft last year sought to limit the spread of these malicious Office apps by creating an app publisher verification system, which requires the publisher to be a valid Microsoft Partner Network member. That approval process is cumbersome for attackers, so they've devised a simple workaround. "Now, they're compromising accounts in credible tenants first," Proofpoint explains. "Then, they're creating, hosting and spreading cloud malware from within."

The attackers responsible for deploying these malicious Office apps aren't after passwords, and in this scenario they can't even see them. Rather, they're hoping that after logging in users will click yes to approve the installation of a malicious but innocuously-named app into their Office365 account.

Kalember said the crooks behind these malicious apps typically use any compromised email accounts to conduct "business email compromise" or BEC fraud, which involves spoofing an email from someone in authority at an organization and requesting the payment of a fictitious invoice. Other uses have included the sending of malware-laced emails from the victim's email account.
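Because these apps keep their access until the grant itself is removed, the useful defensive check is a review of which apps users have consented to and what they can reach. The triage below is an added example, not code from the article or from Proofpoint: it scores delegated consent grants by whether the app has a verified publisher and whether its scopes cover mail, files or long-lived (offline) access. The sample records are constructed, and the field names are modelled on Microsoft Graph's servicePrincipal and oAuth2PermissionGrant resources (an assumption to check against your own export).

```python
from dataclasses import dataclass

# Delegated scopes that give an app the mailbox/file reach described in the article.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "MailboxSettings.ReadWrite"}
# offline_access yields refresh tokens, so access outlives logout and password resets.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample data (field names assumed from Microsoft Graph, not a real export).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "00000000-aaaa-0000-0000-000000000001",
     "displayName": "Contoso Expense Sync",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "1234567"}},
    {"id": "sp-2", "appId": "00000000-bbbb-0000-0000-000000000002",
     "displayName": "Upgrade",  # innocuous name, no verified publisher
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-17",
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "scope": "offline_access Mail.ReadWrite Files.ReadWrite.All User.Read"},
]

@dataclass
class Finding:
    app_name: str
    app_id: str
    principal_id: str
    risky_scopes: list
    persistent: bool
    unverified: bool
    severity: str

def triage_grants(service_principals, grants):
    """Return one Finding per grant that carries risky or persistent scopes."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"], {})
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        persistent = PERSISTENCE_SCOPE in scopes
        unverified = not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId")
        if not risky and not persistent:
            continue  # low-privilege grants are not worth an alert
        # Unverified publisher plus mail/file access matches the pattern in the article.
        severity = "high" if (risky and unverified) else ("medium" if risky or unverified else "low")
        findings.append(Finding(sp.get("displayName", "?"), sp.get("appId", "?"),
                                g.get("principalId", "*"), risky, persistent, unverified, severity))
    return findings
```

Remediation for a high finding is to delete the grant (and the app's service principal) rather than reset the user's password, which, as the article notes, leaves the app's access intact.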
