New voicemail phishing scam uses legitimate branded domains from companies like Samsung and Adobe to facilitate redirects to compromised websites intent on stealing credentials.
It’s an age-old campaign at this point: an email offers up some piece of content that requires the user to log onto their Microsoft (formerly Office) 365 account to view it. But most scams simply embed a link that points directly to a malicious website, which is easy to spot both by security solutions and by users with a watchful eye.
A new variant of this type of campaign was spotted by security researchers at Check Point, who uncovered details of how the campaign is carried out that hint at brilliance.
The most impressive step in the all-too-familiar path of “send an email, link to a compromised site, put up a look-alike Microsoft 365 logon page” is the use of redirects. According to Check Point, rather than pointing links at a suspect domain, the attackers used redirect functionality built into servers running Adobe Campaign.
Take the example redirect URL below (modified to not work as an actual URL):
http://t.email1.samsung[.]ca/r/?id=ff1b346f,303d531,303d53e&p1=8107023398&p2=8107023398&p3=DM15290&p4=https://compromised.site#user@company.com
Note how the domain is a legitimate Samsung website. The attackers used the p4 parameter in the Adobe Campaign URL to point the victim to a compromised website to complete the campaign.
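As an added defensive example (not code from the original post or from Check Point), the Python script below shows how a mail-filtering or triage step can flag exactly this pattern: a link whose host is a trusted domain but whose query string carries a second, off-domain URL in a parameter such as `p4`, and whose fragment carries what looks like the recipient's email address (the `#user@company.com` part of the URL above, which a look-alike logon page could use to pre-fill the username). The sample email body, the `p4`/`compromised.site` values and the benign comparison URL are constructed for the demonstration; the domain check uses a crude last-two-labels rule rather than the public suffix list.

```python
"""Flag tracking/redirect links that carry an off-domain URL in a query
parameter (open-redirect abuse) and an e-mail address in the fragment."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Simple e-mail shape check for the URL fragment (constructed heuristic).
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")
# Picks URLs out of free text; defanged forms like samsung[.]ca are kept.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(url: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A real deployment should use the
    public suffix list so hosts like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> dict:
    """Return findings for one URL: outer domain, any query parameters that
    hold a URL pointing off-domain, and an e-mail address in the fragment."""
    parts = urlsplit(refang(url))
    outer_domain = registrable_domain(parts.hostname or "")
    embedded = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        if value.lower().startswith(("http://", "https://")):
            inner_host = urlsplit(value).hostname or ""
            # Same-site redirects (e.g. a tracked link to the vendor's own
            # page) are normal; only a different registrable domain counts.
            if registrable_domain(inner_host) != outer_domain:
                embedded.append((name, inner_host))
    fragment = unquote(parts.fragment)
    email = fragment if EMAIL_RE.match(fragment) else None
    return {
        "url": url,
        "outer_domain": outer_domain,
        "embedded_urls": embedded,
        "fragment_email": email,
        "suspicious": bool(embedded),
    }


def scan_email_text(text: str) -> list:
    """Analyze every URL found in an e-mail body; return only the suspicious ones."""
    return [r for r in (analyze_url(u) for u in URL_RE.findall(text)) if r["suspicious"]]


# Constructed sample: the redirect pattern from the post inside a lure e-mail.
SAMPLE_URL = (
    "http://t.email1.samsung[.]ca/r/?id=ff1b346f,303d531,303d53e"
    "&p1=8107023398&p2=8107023398&p3=DM15290"
    "&p4=https://compromised.site#user@company.com"
)
SAMPLE_EMAIL = (
    "You have a new voicemail message.\n"
    "Listen to it here:\n"
    f"{SAMPLE_URL}\n"
    "Thank you.\n"
)

if __name__ == "__main__":
    for hit in scan_email_text(SAMPLE_EMAIL):
        print(f"SUSPICIOUS link on {hit['outer_domain']}: "
              f"redirects via {hit['embedded_urls']}, fragment email={hit['fragment_email']}")
```

The key design choice is that the check compares registrable domains rather than blocking every redirect parameter: marketing platforms legitimately redirect to the vendor's own pages, so a `p4` pointing at `www.samsung.ca` from `t.email1.samsung.ca` is left alone, while one pointing at an unrelated host is surfaced for review.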
These kinds of tactics are used to bypass security checks, leaving organizations with only the user’s watchful eye to determine that “something’s not right here”. It’s only through proper Security Awareness Training that users can be taught to quickly identify suspicious links, content, behavior, email messages, and more – all factors that add up to an email potentially being malicious.