SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Phishing attack exploited Samsung, Adobe servers for Office 365 credentials
Fri, 19th Jun 2020
FYI, this story is more than a year old

Yet another phishing campaign has been unearthed, with researchers from Check Point exposing efforts by cyber attackers to harvest login credentials stored in Microsoft Office 365 accounts.

The campaign used seemingly credible web domain names to lure its victims and bypass security filters, including from Oxford University, Adobe and Samsung.

The campaign began by hijacking an Oxford email server, which attackers then used to send malicious emails to victims. These emails contained links that redirected to an Adobe server used by Samsung in the past, enabling hackers to leverage the façade of a legitimate Samsung domain to successfully trick victims.

The emails attempted to convince victims that a voice message was waiting in a voice portal, and to hear the message victims needed to click a button labelled ‘listen/download'.

This link led victims to a login page where they were entreated to share their Office 365 login credentials, ostensibly giving attackers access to their email accounts.

Most of the emails came from multiple generated addresses belonging to legitimate subdomains from different departments at the University of Oxford, according to researchers from Check Point.

Attackers did this by compromising one of Oxford's SMTP servers – which is charged with sending, receiving and relaying outgoing mail between email senders and receivers.

With control over this server, attackers were able to pass the reputation check required by security measures for the sender domain.

To successfully bypass email security solutions and add perceived legitimacy to their campaign, attackers used Google and Adobe open redirects.

In this case, the links in the email redirected to an Adobe server previously used by Samsung during a 2018 Cyber Monday marketing campaign.

This meant the link embedded in the original phishing email is part of the trusted Samsung domain stem – but instead of leading to a legitimate Samsung domain, it redirected victims to a website hosted by the hackers.

By using the specific Adobe Campaign link format and the legitimate domain, the attackers increased the chances for the email to bypass email security solutions based on reputation, blacklists and URL patterns.

“What first appeared to be a classic Office 365 phishing campaign, turned out to be a masterpiece strategy: using well-known and reputable brands to evade security products on the way to the victims,” says Check Point manager of threat intelligence Lotem Finkelsteen.

“Nowadays, this is a top technique to establish a foothold within a corporate network.

“Access to corporate mail can allow hackers unlimited access to a company's operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords and even addresses of a company's cloud assets," says Finkelsteen.

“To pull the attack off, the hacker had to gain access to Samsung and Oxford University servers, meaning he had time to understand their inner workings, allowing him to go unnoticed.

Check Point has informed Oxford University, Adobe and Samsung of its findings.