Hackers co-opt Microsoft’s anti-phishing feature for phishing attacks

Sometimes, security features don’t go as planned. Email security company Vade has discovered that a Microsoft 365 setting intended to protect enterprise users has been co-opted by malicious actors, who are instead using it to launch sophisticated and automated phishing attacks.

Hackers specifically are exploiting the custom login page feature, which many businesses have in place to thwart phishing attempts. Tomorrow, Vade will publish a research paper detailing the findings, including a step-by-step of how the intrusions are occurring.

Thomas Briend, a senior sales engineer at Vade who uncovered the tactic while reviewing proof of concepts with prospective end clients, told VentureBeat this campaign is automated to target certain individuals while ignoring others, “suggesting that the person or individuals responsible did their homework.” He added that the same attack can “wear many disguises” and use different links, content, and calls to action. Vade doesn’t currently have specific metrics on how widespread the tactic is, but the company confirmed the attack has been successful in impacting businesses including a European airline and regional newspaper.

“Automation is already in the wild and becoming more common in phishing, because creating individual attacks can be very time-consuming for cybercriminals and often result in a low ROI,” he said. “With automated attacks like this one, a cybercriminal essentially presses play, sits back, and reaps the benefits. Low-tech hackers will keep sending phishing emails that even poor filters can detect, but the sophisticated ones are professionals, with high levels of organization.”

Behind the tactic

The idea behind Microsoft 365’s custom login pages is that if employees ever land on a generic login page that doesn’t have the company’s branding, they can easily recognize that something is wrong. But hackers are using this trust to their advantage and have discovered how to convincingly replicate enterprise custom login pages, direct users to them, and gain access by hiding in plain sight.

They’re able to do this because the logos and backgrounds that differentiate customized pages are actually public. Briend explained they’re available through API calls, which are technical requests anybody can make as long as they provide an email address. “Through this approach, one can pull the logo and background picture of any organization running on Microsoft 365,” he said.

Vade called this a “big misstep” by Microsoft. Briend said it’s likely Microsoft built these API endpoints for legitimate reasons, but without realizing they could be abused to build customized phishing pages.

“As far as I know, this is a first in terms of API abuse,” he said. “Maybe [it] will lead to more thorough review in the design and availability of future API endpoints, not necessarily just for Microsoft, but also for other vendors and service providers.”

Microsoft did not share a comment by press time.

Securing the enterprise

According to Vade’s report, Microsoft is consistently one of the most impersonated brands in phishing attacks and is the most impersonated overall since 2018. In the first six months of 2021 alone, ​​Vade found 12,777 Microsoft phishing URLs.

To protect themselves, Briend said, enterprises should consider the defensive solutions they’re using and determine if cybercriminals can identify them. If an enterprise is protecting Microsoft 365 with an email gateway or cloud-based email security solution, for example, he says a simple MX record search can reveal the domain of the solution to the hacker, who can then use that information to reverse engineer and bypass it.

Beyond that, he said step one is to evaluate the email security for Microsoft 365 and determine if it has the ability to both identify and remediate this type of attack. Enterprises should ensure that security solutions thoroughly inspect not just the elements of emails themselves, but also the page any URLs link to. This is important for avoiding an attack technique called “time bombing,” wherein malicious actors deliver emails uninfected and then create redirects to the phishing pages after the fact.

“Any defensive solution must be able to follow that link all the way through to the end — to the phishing page — and to inspect the page from top to bottom: the text, the images, the code,” Briend said. “Additionally, because no security solution catches 100% of attacks, when it comes to email, enterprises need the ability to continue to scan after delivery with both automatic and assisted remediation.”

Briend added that enterprises should keep employees informed of these threats — especially these types of social engineering techniques. A semi-annual or otherwise infrequent training isn’t enough, he said, because there are new attacks and techniques every day. “This should be an ongoing effort,” he said.