Microsoft Fails to Block O365 Email Spoofing Attacks

Microsoft Fails to Block O365 Email Spoofing Attacks

( 3 min read )

Microsoft is under the gun again for cyber fraud. 200 million+ users are at a risk of O365 email spoofing attacks. Security researchers have confirmed activity around the same. They have also identified some domain areas which will likely be the hot targets for these spoofing attacks. Office 365 users working in financial services, healthcare industries, insurance, manufacturing, utilities, and telecom should take extra care about their email security.

Why are these O365 email spoofing attacks dangerous?

Reportedly, these spoofed emails are not looking to claim victims by the bunch via mass phishing. Rather, these attacks are highly specific, spear phishing attempts which are carefully tailored to the victims. Even cyber-aware and tech-savvy individuals are likely to fall for these attacks, because the hackers have made detection nearly impossible.

Understanding Exact Match Domain Attacks

The O365 email spoofing attack relies on exact match domain spoofing. An EMD attack happens when an illegitimate email from a fraudulent domain is disguised under a domain which is an exact match to the spoofed brand’s valid domain. Unlike cousin domain spoofing, which changes a few characters in the domain as trickery, exact match domain attacks use the exact domain and not just a lookalike.

In this particular spoof, the hackers carefully created a realistic email, to be sent from the sender “Microsoft Outlook”. They are looking to exploit office 365’s latest feature that can reclaim emails that have been marked for spam. The idea was to mimic an O365 email to such an extent that users would find it in their spam, think it’s a valid email and reclaim it into their inbox.

How hackers elicit emotional responses to their fake emails

Microsoft products and specifically O365 tools, are used a lot in the corporate world. Any competitive industry today is a growing beast which requires constant attention and spur-of-the-moment decisions. Any employee who gets a notification saying “You have missed emails in spam” is likely jump into action and go check out these supposed missed emails.

Reading Resources: Understanding Social Engineering

The fraudsters behind these O365 email spoofing attacks used clever fear-inducing language to click on a fake link without second thought. The email body contained a call to an urgent action, where the users were asked to review quarantined messages isolated by Office 365’s Exchange Online Protection (EOP).

O365 Email Spoofing - Fake Email

Upon clicking review, the user needs to fill out a form with valid Office365 credentials to get to these quarantined messages. Hackers then harvest these credentials for other malicious purposes.

How could these spoofed emails pass Microsoft’s security barriers?

Exact match domain attacks are not that difficult to detect. If you have correctly configured DMARC and SPF/DKIM for your domain, all emails will be authenticated properly. Through what is known as identity alignment, DMARC can easily find out if the sender’s address is valid or spoofed.

Following this train of thought, security researchers performed a DMARC check on the domain that appeared in these spoofed O365 emails. They found out that these emails failed SPF tests. Further investigation revealed that Microsoft servers are not currently implementing DMARC, which allows such EMD spoofing messages to pass through gateway controls, such as Office 365 EOP and advanced threat protection.

Spoof Protection for your own domains

If only DMARC had been implemented, these O365 email spoofing attacks could’ve been prevented. Also, implement other 3rd party mailbox-level security services that will act on top of existing O365 security features. With Logix, you can choose for our Cisco Email ATP solution in which we are offering DMARC as a bundle. Or if you need assistance with DMARC implementation only, we can help out in that case too. Drop us a query with your specific requirements and let us take it forward from there.

Leave a Reply

Your email address will not be published. Required fields are marked *