A new attack method to steal Office 365 business email credentials has been uncovered. It is not detected by Microsoft’s Office 365 default security and bypasses desktop email filters.
Avanan cloud security researcher Gil Friedrich explained that what makes this attack different is that instead of fooling the user, it was designed to fool the anti-phishing filters. It leverages what appears to be a vulnerability in how Office 365 anti-phishing and URL-reputation security layers translate Punycode, a method for encoding domain names with Unicode characters.
Punycode is a method added to the Domain Name System (DNS) to support non-ASCII characters in domain names. For example, the Swiss bookstore bücher.ch has the ASCII form xn--bcher-kva.ch, which the browser renders with the non-ASCII umlaut ü. Attackers can therefore use non-ASCII characters to fool end users into clicking URLs that look legitimate, substituting similarly shaped letters from other alphabets to spoof the site.
A recent example was captured by Avanan in Germany. A company's users received an email, purporting to be a FedEx tracking update, containing a link. Office 365 anti-phishing tools evaluated the ASCII version of the link, which resolved to a benign web server in Berlin. When users clicked the link, however, their desktop browser interpreted its Punycode equivalent, which led to a malicious server in Belfast instead.
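The mismatch just described, where a filter sees the ASCII (Punycode) form of a host and the browser renders its Unicode form, can be checked per link. The following is an added example, not code from the article or from Avanan: it uses only Python's standard library to compute both views of a hostname and to flag labels that mix scripts (the classic homograph signal). The sample links are constructed.

```python
import unicodedata
from urllib.parse import urlsplit


def to_wire_form(host: str) -> str:
    """Hostname as a URL filter sees it on the wire: Punycode/ASCII (IDNA ToASCII)."""
    return host.encode("idna").decode("ascii")


def to_browser_form(host: str) -> str:
    """Hostname as the address bar renders it: Punycode decoded back to Unicode."""
    return to_wire_form(host).encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Set of Unicode scripts used by the letters of one DNS label.

    unicodedata names begin with the script name, e.g. 'LATIN SMALL LETTER U WITH
    DIAERESIS' or 'CYRILLIC SMALL LETTER A', which is enough for this check.
    """
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def assess_url(url: str) -> dict:
    """Compare the two views of a link's host and flag mixed-script labels."""
    host = urlsplit(url).hostname or ""
    wire = to_wire_form(host)
    browser = to_browser_form(host)
    mixed = [lbl for lbl in browser.split(".") if len(label_scripts(lbl)) > 1]
    return {
        "wire_form": wire,             # key reputation lookups on this form
        "browser_form": browser,       # what the user will actually see
        "renders_differently": wire != browser,
        "mixed_script_labels": mixed,  # Latin mixed with Cyrillic etc.
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    # Constructed sample links; the second mixes a Cyrillic 'a' (U+0430) into a Latin label.
    for link in ("https://xn--bcher-kva.ch/", "https://p\u0430ypal.example/login"):
        print(assess_url(link))
```

A filter that only scores the wire form would treat the second link as an arbitrary xn-- domain; scoring the browser form as well, and treating any mixed-script label as suspicious, closes the gap the article describes.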
The user sees a fake Office 365 login page asking for their credentials. Once Office 365 usernames and passwords have been compromised, the attackers can run amok: installing malware, sending emails to other users in the victim's address book, accessing the user's OneDrive account to download files, or stealing company secrets and customer information such as SSNs, credit card numbers and email addresses.
The attack could be used to target any email service. But “with the growth in Office 365 for corporate email, hackers are shifting their focus,” said Friedrich. “The characteristics of this particular attack disclose the hacker’s intention to deceive Office 365 users into providing their login credentials. Almost all instances of this email have been found within corporations that use Office 365 for their corporate email, and the landing page for each of the malicious URLs is a fake Microsoft login which specifically asks for a ‘business email’ account.”