New York City-based Avanan’s cloud security researchers uncovered a new attack method, built on Punycode, against Microsoft’s Office 365 business email that goes undetected by default security and bypasses desktop email filters.
The attack includes a phishing scheme to steal Office 365 credentials, and leverages what appears to be a vulnerability in how Office 365’s anti-phishing and URL-reputation security layers translate Punycode, a method for encoding domain names with Unicode characters.
The latest threat underscores the security risks associated with the accelerated adoption of cloud end user computing applications used by organizations and businesses including by credit unions and their members. Research shows that with the adoption of Microsoft Office 365 in business, a significant amount of sensitive information is now, maybe unintentionally, stored in the cloud.
“What makes this attack different is that instead of fooling the user, it was designed to fool the anti-phishing filters found in Office 365 and other email phishing protection systems. Hackers have identified a gap in the Office 365 phishing filters and are starting to leverage it in order to compromise accounts,” according to an Avanan blog.
A recent example captured by Avanan in Germany: a company's users received an email, pretending to be a tracking update from FedEx, with a link to xn--sicherheit-schlsseldienst-twc.de. Office 365 anti-phishing tools interpreted the ASCII version as a link that took them to a benign web server in Berlin. When users clicked on the link, however, their desktop browser interpreted it as the Unicode domain that Punycode string encodes, sicherheit-schlüsseldienst.de, which led to a malicious server in Belfast, Ireland.
Avanan’s analysis of the attack seems to indicate that the hackers are particularly interested in Office 365 credentials. Almost all instances of this email materialized within corporations that use Office 365 for their corporate email, and the landing page for each of the malicious URLs is a fake Microsoft login that specifically asks for a business email account.
“With the growth in Office 365 for corporate email, hackers are shifting their focus. The characteristics of this particular attack disclose the hacker’s intention to deceive Office 365 users into providing their login credentials,” the blog revealed.
Punycode is a method added to the domain name system in order to support non-ASCII characters within a web URL. The first Punycode phishing attacks used non-ASCII characters to fool end-users into clicking URLs that looked legitimate, but substituted similarly-shaped letters from different alphabets to spoof the site.
The user sees a fake Office 365 login page, which requests their credentials. Once the Office 365 usernames and passwords have been compromised, the hackers can:
- Install malware
- Send emails to other users in the victim's address book, asking them for anything, sending invoices, sending more phishing emails, etc.
- Access the user's OneDrive account, to download files, install more malware, infect files with malware, etc.
- Steal company secrets or other customer information such as customer SSNs, credit card numbers, email addresses, etc.
So far, this is very typical. The user sees “legitimate.com” but the underlying link goes to “malicious.com.” What makes this attack nefarious is that by using Punycode and a flaw in the phish-detection engine, the URL actually goes to TWO different sites, one followed by the malware protection filter and the other followed by the end-user’s browser when he or she clicks on it.
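As an added illustration (not code from Avanan or this article), the Python snippet below canonicalises a link's host into both its ASCII (xn--) and Unicode forms so that a mail filter keys its reputation check on the same host the browser will resolve; it uses the FedEx-lure domain from the German example as constructed sample input and also flags labels that mix alphabets, the look-alike-letter trick described above. The function and field names are my own.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample inputs: the xn-- (Punycode) form of the domain from the
# FedEx-lure email and its decoded Unicode form. A filter that wants to agree
# with the browser must treat these as one and the same host.
ASCII_LINK = "http://xn--sicherheit-schlsseldienst-twc.de/track"
UNICODE_LINK = "http://sicherheit-schlüsseldienst.de/track"


def _script(ch: str) -> str:
    """Coarse script of a letter taken from its Unicode name, e.g. 'LATIN' or 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def inspect_host(url: str) -> dict:
    """Canonicalise the host of `url` and report what a filter should look at.

    Returns the host in both its ASCII (xn--) and Unicode forms, whether any
    label is an internationalised (xn--) label, and whether the decoded host
    mixes letters from more than one script (a homoglyph warning sign).
    Keying a reputation lookup on the returned ASCII form, whichever spelling
    the email carried, ties the filter's verdict to the host the browser resolves.
    """
    host = urlsplit(url).hostname or ""
    # encode('idna') leaves pure-ASCII labels untouched and converts non-ASCII
    # labels to their xn-- form; decoding the result gives the Unicode view.
    ascii_form = host.encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    scripts = {_script(c) for c in unicode_form if c.isalpha()}
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "is_idn": any(lbl.startswith("xn--") for lbl in ascii_form.split(".")),
        "mixed_script": len(scripts) > 1,
    }


def same_host(url_a: str, url_b: str) -> bool:
    """True when two links, however they are spelled, canonicalise to one host."""
    return inspect_host(url_a)["ascii"] == inspect_host(url_b)["ascii"]


if __name__ == "__main__":
    for link in (ASCII_LINK, UNICODE_LINK):
        print(link, "->", inspect_host(link))
    print("same host:", same_host(ASCII_LINK, UNICODE_LINK))
```

Python's `idna` codec implements the IDNA2003 conversion that browsers apply to the address bar, so both spellings of the lure domain yield the same canonical record.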