Taking a Phising attack to the next level

[um_loggedin] This text can only be seen by logged in users

Recently an organization I work for had some hacking incidents. Accounts were breached and from these accounts Phising mails were sent to a selection of the addessbook of this user. It was remediated by disabeling the account, revoke all current sessions and change the password.

We did a content search on this Phishing mail and for the internal mailboxes and with a New-ComplianceSearchAction we could then delete the phising e-mails when they were not opened yet by the user. If you want a good explanation on how this works This is a 3 minute instruction video for this process.

How To Find And Delete An Email From All Mailboxes In Office 365

We saw an increase in the amount of phising mails that were sent each time this happened. One of the things we also saw was the use of a directlink to a real OneDrive of another unknown tenant witch contained the payload. When clicked on you would see OneNote page with another link to a Word document. If you would click on this you would be prompted to “login”.

Graphical user interface, application, Word
Description automatically generated

This week we had a special incident. The CEO had been targeted and received an e-mail with a “Voicemail message”. It contained an HTML page with Trojan viruses. After a Message Trace we could tell he was the only one who had received this e-mail.

By uploading the HTML file I could identify the Virusses through Virustotal. This screenshot is made a week later. When I tested the file when it just happened there were only two Virus engines which detected this. But they did not get detected by Advanced Threat Protection scanning from our own Office 365 tenant with E5 security enabled!

Now we see that also Microsoft detected it.

Description automatically generated

When I took a look at the code of this e-mail I saw that the code was practically Obfuscated Wikipedia to try to hide the malicious intent of the code. This code looks then like this:

Some interesting details are that the e-mail address of the sender of this malicious e-mail is: OurOrganizationName.report@msc365officeteam.live

If I took a look at the details of the domain: msc365officeteam.live we see it was created a few days before the message was sent and all the owner details did not tell me much more then: “REDACTED FOR PRIVACY”. The IP address of the sender was an Amazon Cloud IP address so not very helpful either.

We cleaned this up of course and because and nobody clicked on the link in the e-mail nothing scary happened. But they took some effort to get to the CEO and also the sender e-mail and domain name took some investment. This all to send one e-mail.


Leave a Comment