A new phishing attack targeting Office 365 business email users was found using Punycode to go undetected by both Microsoft’s default security and desktop email filters, Avanan security researchers warn.
The attack is meant to steal Office 365 credentials and abuses a vulnerability in how Office 365 anti-phishing and URL reputation security layers deal with Punycode. The attack starts with fake FedEX email that include benign looking URLs meant to take users to malicious website. See image below.
By using Punycode and leveraging said flaw in the phish-detection engine, the URL actually resolves to two different domains, one safe, which is detected by Office 365, and the other malicious, which is followed by the browser.
The underlining issue is that Office 365’s default security treats the domain as plain ASCII when verifying whether it is legitimate or not. Because all modern browsers support Unicode character, the address is translated to its Unicode format when launched in the browser. This address is malicious and presents users with a fake Office 365 login page in an attempt to steal user credentials.
How to protect against phishing email or spear phishing email intended for the big fish in our organization?
- Do not click in any links asking you to reset your password. Make it as a habit, never click on a link from your email 🙂
- Use Two-Factor Authentication. I highly recommend that you use Two-Factor authentication when available, for your bank accounts, social networks e.g. LinkedIn, Facebook, etc. (The Two-Factor authentication is not available to Kiosk Email user.)
The Phishing Email is the same old method used when a malicious person, asking you to change your bank account password, compromised bank accounts, deposited money on your bank, UPS delivery, social media accounts, free Redskins ticket, free Washington Wizards tickets, and many other variations of fake email. According to PhishMe, 91% of CyberAttacks start with a Phishing Email. The hacked incidents of high profile staff at DNC is through phishing emails. Using this method is cheap, hard to detect, and easy to deploy.
Security awareness of everyone is important to minimize our exposure.
What is the worst case scenario if you click on a “bait” links?
- The malicious user will have access to your account. For example, your email, social media, banks account, etc.
- Or The malicious user will have full control of your computer through “reverse shell” access. Where they can see all files, install a back-door program to get back in, use your webcam, use your computer as bot for DDOS attack, anything they want.
What to do if you accidentally click a “bait” links?
- When you click on a “bait” link or a bad attachment, you think nothing happen and move on with your routine tasks. But the malicious code is already executed in the background, you will not notice it that’s how it is design. Don’t ignore this simple mistake, reboot your workstation right away, this will end the session initiated by clicking the bad link.
- Scan your workstation using your anti-virus/anti-malware software.
- Report to your immediate supervisor or post in our comment below. Our community is willing to help.
The Center for Development of Security Excellence (CDSE.edu) website provides a fun way to test your awareness against Phishing Scams. Go to http://www.cdse.edu/shorts/cybersecurity.html# website, check the Phishing Scams video “Phishing Scams Avoid the Bait” and have fun.
Reference links:
- http://www.securityweek.com/office-365-business-users-targeted-punycode-based-phishing
- http://www.darkreading.com/endpoint/91–of-cyberattacks-start-with-a-phishing-email/d/d-id/1327704
- http://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html
- https://www.helpnetsecurity.com/2016/12/14/corporate-office-365-phishing/
- CDSE.edu
- EM @KING.NET