This new phishing toolkit is rising in popularity for its effective realism in impersonating not just Microsoft 365, but the victim organization as well.
Security researchers at Cisco Talos have identified a new Microsoft 365 toolkit that actually creates a realistic login experience for the victim user, making it more dangerous to organizations.
The convincing impersonated login pages include:
- Microsoft 365 branding and look-alike login page content
- The victim’s email address pre-filled
- The victim organization’s logo and background image (extracted from their real Microsoft 365 login page)
According to Cisco Talos, the target victim organizations were almost exclusively in the U.S., U.K., Australia, South Africa, and Canada, with the most commonly targeted sectors being manufacturing, healthcare and technology.
Source: Cisco Talos
The attack actually does more than simply present the victim with a login page or ask them to enable macros. This sophisticated toolkit grabs a blurred image of an Excel spreadsheet with a superimposed box hosting a Microsoft 365 logo and a spinning wheel (as if to convey the document is trying to load). The victim is then presented with a Microsoft 365 login page already sitting at the “enter your password” stage:
Source: Cisco Talos
Upon password entry, the toolkit attempts a login, and should multi-factor authentication (MFA) be enabled, performs a passthrough MFA attack, where the toolkit says **it is** sending the victim a code to their phone (when, in fact, Microsoft 365 is doing it). Once the code is entered into the toolkit, the code is passed through to perform the legitimate logon, giving attackers access to the Microsoft 365 account.
If there was ever a need for security awareness training to teach users to be mindful when interacting with unexpected inbound email that involves even the most believable user experience, this attack makes it clear that the time is now.
Here's how it works:
