Researchers at Abnormal Security said Monday they blocked an attack in which a malicious email impersonating a vendor of one of their customers bypassed the customer’s Proofpoint gateway and set up a trap to steal Office 365 credentials.
The researchers said in a blog that if the email had gone through and the recipient fell for the attack, their credentials would be compromised, opening up their account and any data it contains to a possible breach.
This technique – called a known partner compromise – started with a malicious actor impersonating the vendor and sending what appeared to be an encrypted message, which the user at the Abnormal customer could access by clicking on the specified text in the email. Hidden behind that text is an embedded hyperlink that redirects to a suspicious landing page urging the recipient to download the available file. The download button redirects the victim again; although the attacker has since taken down the final landing page for this attack, Abnormal has seen similar attacks in the past that bring the victim to a fake Office 365 sign-in page asking for credentials.
These attacks are tricky because the email came from a legitimate vendor account. The originating domain of the email is an authenticated domain and therefore not spoofed, which indicates that the vendor had indeed been breached, rather than a lower-level impersonation attempt. The email was sent from a vendor account that the receiving company (the Abnormal customer) had interacted with several times, so the recipient would consider it normal business practice to quickly open the encrypted message and address its contents.
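As an added defender-side illustration (not Abnormal's or Proofpoint's code), the check below models the pattern just described: mail that passes SPF/DKIM from a vendor the organisation already knows, yet whose lure links to a host that vendor has never sent it to before. The vendor allow-list, host names and sample message are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: link hosts this vendor used in earlier, legitimate mail (hypothetical).
KNOWN_VENDOR_LINK_HOSTS = {"vendor.example": {"vendor.example", "portal.vendor.example"}}

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # links: (anchor text, href)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def analyze(raw: bytes) -> dict:
    """Flag mail that authenticates as a known partner but links to a host that partner never used."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    auth = str(msg.get("Authentication-Results", "")).lower()
    authenticated = "spf=pass" in auth or "dkim=pass" in auth  # domain is real, not spoofed
    extractor = LinkExtractor()
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        extractor.feed(html.get_content())
    known = KNOWN_VENDOR_LINK_HOSTS.get(sender_domain, set())
    novel = sorted({(urlparse(h).hostname or "").lower() for _, h in extractor.links} - known - {""})
    # The gateway trusts an authenticated known partner; the tell is a link target that partner never used.
    suspicious = authenticated and sender_domain in KNOWN_VENDOR_LINK_HOSTS and bool(novel)
    return {"sender_domain": sender_domain, "authenticated": authenticated,
            "links": extractor.links, "novel_hosts": novel, "verdict": "high" if suspicious else "low"}

# Constructed sample modelled on the lure the article describes (not a real message).
SAMPLE = b"""From: Billing <billing@vendor.example>
Subject: Encrypted message from vendor.example
Authentication-Results: mx.customer.example; spf=pass; dkim=pass header.d=vendor.example
Content-Type: text/html; charset=utf-8

<html><body><p>Read the <a href="https://files-share.example/view/123">encrypted message</a></p></body></html>"""
```

Replacing the link host with one of the vendor's known hosts drops the verdict to "low", which is the point: authentication alone says nothing about where the lure leads.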
Chris Morales, head of security analytics at Vectra, said the known partner compromise technique equates to internal spear phishing, when a phishing email that originates from a trusted and legitimate connection doesn’t get blocked by the email gateway.
“From this account, the attacker targets other internal users to laterally spread,” Morales explained. “The use of a trusted account equates to a higher percentage chance of success of other users clicking on links or installing malicious apps. This is just one of many methods of lateral movement attackers can use within an Office 365 environment. It is important that organizations monitor for not just this behavior, but the entire attack lifecycle to stop attacks from succeeding.”