An Office 365 phishing campaign abused Google Ads to bypass secure email gateways (SEGs), redirecting employees of targeted organizations to phishing landing pages and stealing their Microsoft credentials.
The attackers behind this campaign took advantage of the fact that the domains used by Google’s Ads platform are overlooked by SEGs, which allowed them to deliver their phishing messages to their targets’ inboxes while bypassing email filters.
SEGs are designed to stop spam and phishing attempts from reaching users’ mailboxes by running every incoming email through a filtering stack that scans it for malicious content.
The phishing emails inform potential victims of recent policy changes and ask them to accept the changes in order to continue using the service.
The accept button embedded within the phishing emails, however, redirects the victims to phishing landing pages with the help of a Google Ads redirect.
This indicates that the attackers paid for a Google ad and then used the ad’s URL to redirect targets to pages built to steal Office 365 credentials, thus making sure that the phishing messages always reached their victims.
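One defensive check this technique calls for, as an added example that is not from the article or from any vendor’s product: unwrap known ad-click redirectors offline and flag any message whose real destination lies outside the brand the email impersonates. The googleadservices.com / `adurl` pairing is assumed from public Google Ads click URLs, and the sample email body and its landing-page host are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Ad/click redirectors that SEGs tend to let through, mapped to the query
# parameter that carries the real destination. The "adurl" pairing is an
# assumption taken from public Google Ads click URLs, not from the article.
REDIRECTORS = {
    "www.googleadservices.com": "adurl",
    "www.google.com": "adurl",
}

# Domains a Microsoft-themed "policy update" mail may legitimately land on.
EXPECTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (adequate for .com-style hosts)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def unwrap_redirect(url: str, max_hops: int = 3):
    """Follow redirector parameters without any network access.
    Returns (final_url, hops_used); hops_used > 0 means a redirector was seen."""
    hops = 0
    while hops < max_hops:
        parsed = urlparse(url)
        param = REDIRECTORS.get(parsed.netloc.lower())
        target = parse_qs(parsed.query).get(param) if param else None
        if not target:
            break
        url = target[0]          # parse_qs already percent-decodes the value
        hops += 1
    return url, hops

def classify_links(body: str):
    """Return (url, final_url, verdict) for every URL found in an email body."""
    results = []
    for url in URL_RE.findall(body):
        final, hops = unwrap_redirect(url)
        host = urlparse(final).netloc.lower()
        suspicious = hops > 0 and registrable_domain(host) not in EXPECTED_DOMAINS
        verdict = f"suspicious: ad redirect to {host}" if suspicious else "ok"
        results.append((url, final, verdict))
    return results

# Constructed sample body; the redirect target is a placeholder, not a real IoC.
SAMPLE_BODY = (
    "We have updated our terms. Accept the changes to keep using Office 365:\n"
    "https://www.googleadservices.com/pagead/aclk?sa=L&ai=CONSTRUCTED"
    "&adurl=https%3A%2F%2Fphish-landing.example.net%2Foffice365%2Flogin\n"
    "Read the full agreement: https://www.microsoft.com/servicesagreement\n"
)

if __name__ == "__main__":
    for url, final, verdict in classify_links(SAMPLE_BODY):
        print(f"{verdict:50} {url} -> {final}")
```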
The phishing pages used in this campaign are designed to mimic legitimate Microsoft pages, featuring a Microsoft logo and the targets’ company logo.
Once a victim entered their credentials and hit the “Next” button, the account details were immediately sent to the phishers, and the victim was shown a new page displaying a “We’ve updated our terms.” message.
As a final measure designed to hide the attack, the employees who fell for the phishing email were then redirected to the Microsoft Services Agreement page.
Once an attacker has compromised one account within your organisation, they can use that account to launch more targeted attacks against other employees. New-school security awareness training can create a culture of security within your organisation, enabling your employees to identify phishing emails and instilling in them the importance of multi-factor authentication.
With thanks to the Cyber Defence Alliance and Bleeping Computer. The full story is here: https://www.bleepingcomputer.com/news/security/office-365-phishing-abuses-google-ads-to-bypass-email-filters/
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
- Immediately start your test for up to 100 users (no need to talk to anyone)
- Select from 20+ languages and customise the phishing test template based on your environment
- Choose the landing page your users see after they click
- Show users which red flags they missed, or a 404 page
- Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
- See how your organisation compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut and paste this link into your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW