Thou shalt have a phishy…

We have recently seen multiple instances of an attack involving takeover of Office 365 email accounts. While no victim we have seen has had adequate logging in place, making detailed analysis difficult or impossible in some cases, a clear pattern has emerged – Office 365 users need to be aware and to take action.

This attack is cyclical and operates in five distinct phases:

Office 365 Phishing Cycle

  1. Phishing – an attacker is harvesting valid credentials for user accounts on Office 365. These do not have to be administrator accounts for the attack to succeed, but if they are then the consequences could be much worse than those set out below.
  2. Account takeover – the attacker gains valid credentials and logs in; the intrusion is invariably unnoticed.
  3. Exfiltration – the attacker downloads the entire contents of the impacted user’s mailbox.
  4. Monetisation – the attacker seeks out information from the downloaded mailbox which may be directly useful (credit card numbers etc.), or indirectly useful (information sufficient to enable plausible social engineering exploits against the owner of the compromised mailbox, third parties or both).
  5. Propagation – as a parting gift to the owner of the compromised mailbox, it is used to send phishing emails to his or her contacts, and the cycle begins again.

Most victims we have seen only become aware of the compromise at stage 5, and some have concluded, incorrectly, that the only reason for the attack was to secure a platform to be used for further phishing. The significance of this phishing is often underestimated because, well, nobody falls for that any more, do they?1

1. Phishing

Sample Phish

The attack begins when a user receives an email, perhaps somewhat like the redacted sample shown here (click or tap to enlarge). This email is from a person known to the victim and appears real because, in a sense, it is. It has come from the real Office 365 mailbox of a real business contact and it carries valid sender authentication in the form of SPF and DKIM. It says it is from Fred.Bloggs @ acme.example because it really did originate at Fred Bloggs’ acme.example Office 365 account.

The message is not flagged as suspicious because it is not spoofed and it carries valid sender authentication. Because the sender is known to the recipient, the recipient may be more inclined to trust it. Finally, these messages are usually unexpected and often crafted to suggest a subtle sense of urgency, creating a break from the recipient’s usual routine – he or she may feel obliged to deviate from usual business practices.

2. Account Takeover

The recipient may then click on the link (entitled “Review Document” in the above sample) – what happens next is crucial to the success of the attack.

The link will open the user’s default browser and load a page which appears to be a Microsoft login page. The attacker wants the victim to believe that the sender has shared the document using Microsoft cloud storage (Sharepoint, OneDrive) and that he or she must log into a Microsoft account to see it. If the user is sufficiently alert to the danger, he or she may look at the URL in the browser and see an unexpected domain, not associated with Microsoft. This is a clear red flag – the user should close the browser, report the incident to IT and warn the apparent sender of a possible breach of his or her email account.

However, in many cases the recipient’s guard is already lowered because the email came from a trusted source.

The fake Microsoft login pages are always hosted on compromised third party sites, quite often WordPress, and some we have seen use domain validated TLS – a green padlock may be visible in the browser’s address bar. While DV TLS offers privacy – all traffic between browser and web site is encrypted – it does not imply trust. Sadly, too many computer users still conflate the two, reasoning that, if there’s a green padlock, the site can be trusted.

So the victim enters valid credentials for a Microsoft account and the attacker takes them.

3. Exfiltration

This active phase of the attack sees the attacker logging in to the victim’s Microsoft account, often a corporate Office 365 account.

Logins are via the Outlook web API and only happen once. The attacker remains logged in for the duration of the attack. The attacker uses a variety of means to conceal his true location including the use of:

  • VPNs via compromised network routers;
  • Compromised endpoint devices used as proxy servers, and;
  • Rented servers configured to act as proxies – in this case, servers will have been rented using stolen identities and payment cards and are usually taken down immediately following the attack.

The attacker then downloads the entire contents of the victim’s mailbox. This can take some time but, as the attacker’s presence is not yet known, this presents him with no problem. Further, the less bandwidth he uses on his chosen proxy, the less likely his presence there is to be noticed too.

4. Monetisation

The attacker is looking for anything which may be of direct or indirect value in the exfiltrated data.

  • Direct value: Payment card information, for one example.
  • Indirect value: Information about an organisation, who requests payments, who authorises them, quantum of typical payments, language used in emails by both requesters and authorisers, style (use of fonts, logos etc.), information about planned financial transactions and so on.

Depending on what the attacker finds, this value will be mined in different ways.

In one case, an attacker gained access to the corporate Office 365 account of a user who regularly requests authority to make substantial payments and initiates those payments using on-line banking. This user also has regular email conversations with senior management about these payments. The attacker in this case was able to convince the victim to make a substantial payment into a bank account nominated by him using a sophisticated social engineering attack in which he took on the identity of a senior manager in the victim’s organisation (perhaps a subject for a future blog entry).

Having taken his profit from the monetisation phase (although it is very likely that the exfiltrated data will be retained and exploited further), the attacker can move on to the final phase, propagation.

5. Propagation

The success of this attack relies on its use of real Microsoft Office 365 mailboxes, and of real relationships between owners of these mailboxes and their regular contacts.

Having taken the value from his attack on the current victim, the attacker now needs new victims. He therefore creates another phishing email, very similar to the one used at phase 1, and submits it via the victim’s mailbox using the Outlook web API. This email is sent, apparently from the victim, to external contacts of that victim taken from the compromised mailbox. Typically, as many as several hundred phishing emails are sent within a relatively short time.

This is the point at which the attackers presence is finally noticed – some recipients of the phishing email recognise it for what it is and contact the apparent sender.

Victim organisations may respond by resetting the compromised user’s password and may conclude, incorrectly, that the attacker was only present for the few minutes needed to send out the phishing emails during this final phase. This flawed reasoning continues; if only present for a few minutes, the attacker can’t have had time to do much other than send out these phishing emails (which nobody believes anyway, do they?) – therefore little or no information was accessed by the attacker and his presence has now been ended, so the incident is at a close.

The reality is that the attacker has taken a significant amount of information, will seek to monetise it if he has not already done so and is well on his way to ensnaring his next victim.

So, what can be done?

Simple precautions in the areas of people, process and technology can be effective in preventing this type of attack.


Awareness is a key factor in avoiding exploitation.

  • Do users know how to recognise a phishing email?
  • Do they know that an unexpected email requiring urgent action, even if apparently from a previously trusted sender, should be questioned?
  • Are they aware of the true significance of a green padlock?
  • Do they know what to do when they see an unexpected challenge from multi-factor authentication?
  • Do they feel confident to ask if they feel unsure?


  • Are duties effectively segregated? Business processes should not permit a user to initiate payments (perhaps only payments above a certain threshold) without corroboration of requests for such payments. This could be as simple as a telephone call to a manager – “I am about to make this payment; please confirm that you requested it.”
  • Does your organisation have an effective incident response process? Know what you are going to do if compromise is suspected.


Organisations using Office 365 should take greater care in managing it.

  • Turn on multi-factor authentication. This simple precaution should stop most attempts to log in with stolen credentials in their tracks. An attacker may successfully authenticate with stolen credentials, but will never see the challenge to complete the login. The user whose credentials have been compromised will see the challenge, itself a warning of an attempt at unauthorised access.
  • Configure logging appropriately. Use mailbox auditing. Collect evidence to show the full nature and extent of any incursion.
  • Use the reports provided by Microsoft, for example the suspicious logins report – if your office is in Croydon, you may not expect to see users logging in from Budapest.

Put together, these precautions present a would-be attacker with multiple hurdles. He can choose to try and overcome them, or he can move on to another, less well-prepared victim. As long as plenty of those exist, his time will be more profitably spent in pursuit of them, not you.

Christopher Linfoot

  1. Rhetorical of course. Yes, people do regularly fall for this.