Office 365 Phishing Attacks Targeting SMEs Near You

A recent spate of phishing attacks has seen criminals stealing passwords for business Office 365 accounts. The criminals are then using compromised email accounts to target the victim’s contacts. We have seen an increasing number of SMEs caught out by this over the last two months. Find out how to recognise and respond to these attacks by reading on.

Overview of the Attacks

The attacks begin with an email that you receive from a known contact. The email looks like other emails that you may have had from that contact, therefore it looks legitimate. The email encourages you to click on a link, just like many phishing attacks do. The linked web page asks you to sign in using Office 365. If you sign in, the criminals obtain your password and can log on to your email account. They then continue the attack by emailing your contacts from your email address, potentially damaging your reputation in the process.

Example 1: OneDrive

The following screenshot is one example of these phishing emails that we have seen:

Sample Office 365 phishing email.

The victim is encouraged to click on a link to view a document that could not be attached to the email. If the victim clicked on the link, they were taken to a Microsoft sign-in form like that shown below:

Fake OneDrive sign-in form.

Strange links are a big giveaway for phishing attacks, but in this case the URL didn’t seem so strange: https://1drv.ms/, which is Microsoft’s own domain for shared OneDrive links, so the link alone gave nothing away.

Example 2: Adobe Document Cloud

The screenshot below shows another example of these phishing emails:

Sample Office 365 phishing email.

In this case the email mimics Adobe Document Cloud. Clicking the link took the victim to an Adobe Document Cloud sign-in form like that shown below:

Fake Adobe Document Cloud sign-in form.

Notice that the sign-in button says “Sign in with Office 365”.

Recognising These Attacks

These attacks are similar to many phishing attacks. The key factor in the success of these recent attacks is that they come from a known contact, rather than from a strange email address. The following list details some common factors to watch out for:

  • Strange or unexpected emails.
    • E.g. the email refers to an unknown project, proposal, or invoice.
  • Impersonal emails.
    • E.g. the email comes from a known contact but they did not greet you by name.
  • The email is not addressed to you: the recipient shown may be the sender’s own address, or the recipients may be undisclosed.
    • E.g. the email uses BCC to reach many recipients without revealing them.
  • The email contains a link where you are asked to sign in using Office 365.

Responding to an Attack

Firstly, if you receive one of these emails, or a similar email that seems strange, don’t click the link and definitely don’t sign in! We recommend you verify that the email is legitimate, ideally by contacting the sender on a phone number you already know. Remember that if criminals were able to send a strange email from the account, they could also have altered the phone number shown in the sender’s email signature.

Responding to a Breach

If you clicked one of these links and typed your password, or if a contact reported that they received a strange email from you, then you need to investigate and take steps to protect your business.

Firstly, you should change your password to stop the criminals accessing your account. You should also change your password anywhere else where you use the same password. We recommend using a password manager to help avoid password reuse.

Next, you need to investigate the extent of the breach and ensure the impact is remediated. For example, in many cases the criminals have attempted to maintain access to their victim’s email by configuring auto-forwarding rules, which let them continue receiving your emails (and sending emails from your account) even after the password has been changed, so check for and remove any rules you did not create.
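One way to check for the forwarding rules described above, as an added example that is not part of the original post: it uses the Exchange Online PowerShell module (ExchangeOnlineManagement) and assumes the account running it is permitted to read mailbox settings and inbox rules for every mailbox in the tenant.

```powershell
# Added example (not from the original post): list mailbox forwarding and inbox rules
# that forward or redirect mail, the persistence mechanism described in the post.
# Assumes the ExchangeOnlineManagement module is installed and an admin account.
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1. Forwarding configured on the mailbox itself (not visible to the user as a rule).
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail to another address.
$forwardingRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

"Mailbox-level forwarding:";  $mailboxForwarding | Format-Table -AutoSize
"Inbox rules that forward:";  $forwardingRules   | Format-Table -AutoSize

# 3. Remediation for a rule confirmed as malicious (review the output first).
#    'victim@example.com' and '<rule name>' are placeholders.
# Remove-InboxRule -Mailbox victim@example.com -Identity '<rule name>' -Confirm:$false
# Set-Mailbox -Identity victim@example.com -ForwardingSmtpAddress $null -ForwardingAddress $null

Disconnect-ExchangeOnline -Confirm:$false
```

Legitimate rules (for example, forwarding to a shared mailbox) will also appear, so compare each result against what the mailbox owner expects before removing anything.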

Finally, report the incident to Action Fraud. Also consider whether you need to report a data breach to the Information Commissioner’s Office and to the affected individuals.

Securing Office 365

We recommend reviewing and tightening the security of your Office 365 configuration to significantly reduce the chance of a compromise. The following are some ways you can improve your Office 365 security:

  • Enable multi-factor authentication (MFA).
    • With MFA enabled, a stolen password alone won’t result in a breach.
  • Enable auditing.
    • Audit logs help during the investigation of breaches, but they are not enabled by default.
  • Separate your administrators and users.
    • A compromised administrator account is much more serious than a compromised user account.
    • Do not use an administrator account to access emails or services such as OneDrive.

If in doubt, contact us. We can help you to secure your Office 365 environment or, in the unfortunate event of a data breach, we can help you to investigate the full impact of that breach and protect your business going forwards.

Scam Alert: “We Know Your Password”

“I am well aware prague one of your pass word” the email might begin, causing an instant sensation of fear. You may not use it now, but you once did use prague as your password. How do they know your password? What else do they know, and what do they have access to? Scam artists rely on provoking emotions such as fear to cause their victims to take action. A criminal knowing your password is almost certain to evoke that fear.

Bitcoin is a scam artist's preferred method of payment.

How do the scam artists know your password?

Stolen data sometimes finds its way on to the Internet following a data breach. The data often includes email addresses and passwords stolen anywhere from small gaming websites to companies as big as LinkedIn. It’s this data that the scammers are using to find and scare their victims.

The good news is that the scammers probably didn’t hack your computer and can’t do what they’re threatening to. The bad news is that the scammers may actually know one of your passwords.

What should you do?

If you receive an extortion or blackmail email that states a password you do (or did) use, don’t panic! Do not make a payment or try to contact the scammers. You should change the password if you still use it, and change it everywhere you use it. We recommend using a password manager to generate complex and unique passwords for every account you have. Where possible we also recommend using two-factor authentication (2FA) to make it harder for criminals to compromise your accounts.

Consider reporting the incident to Action Fraud, unless you made a payment, in which case you should report the incident to the police.

You can find data breaches where your email address and password may have been stolen using the website “Have I Been Pwned”. Be sure to change your password on any sites your data was stolen from if you haven’t changed it since the date of the breach.

If in doubt, don’t hesitate to get in touch. In the meantime, sign up to our mailing list for cyber security news, tips, and advice.

WordPress Website Takeover Vulnerability

Update: WordPress have now released an updated version (version 4.9.7). Install the update to ensure your websites are protected.

A newly reported security vulnerability affects all current versions of the WordPress content management system (CMS). A user with the author or editor role can exploit the vulnerability to gain complete control of your website.


An attacker can exploit this vulnerability to delete files from your server. By deleting the CMS configuration file (wp-config.php), they can re-run the WordPress installation process and become the website administrator. From there they can potentially modify theme or plugin code to take over the underlying server.

Securing your WordPress Website

An official fix for the vulnerability does not currently exist (update: version 4.9.7 has since been released and fixes this vulnerability).

Several unofficial solutions are available. Cognitous recommend tightening the file system permissions on your web server. Remove write permission to the WordPress files from the web server user in order to prevent unauthorised alterations. For example, under a typical Apache installation, the www-data user should not have write permission to files under /var/www/html. Unfortunately, this will prevent the built-in auto-update feature from working.

An alternative solution involves adding code to the functions.php file of your active theme.

Wordfence includes a fix, but free users won’t receive it until the end of July.

Get in touch if you require advice or support in securing your WordPress website. Sign up for our mailing list to receive security tips and information to your inbox.

Technical Details

Full technical details can be found via RIPS Technologies, who reported the vulnerability privately in November 2017.

Critical Vulnerability in Adobe ColdFusion


If your organisation has servers running Adobe ColdFusion and they haven’t been updated recently, then now would be a good time to update them. This is particularly important if you’re using a feature called “Flex Integration”.

Adobe’s latest ColdFusion security update fixes a critical vulnerability identified by Cognitous director Nicky Bloor. The vulnerability could enable an attacker to take complete control of affected servers. A second critical vulnerability was fixed in this security update that could enable an attacker to steal files from affected servers (reported by Matthias Kaiser of Code White GmbH).

In addition to applying the latest security update, users should update Java on the affected servers. Be sure to also review Adobe’s lockdown guides for guidance on further security improvements.

Technical details of the critical vulnerability discovered by Nicky Bloor can be found on his blog: Another ColdFusion RCE – CVE-2018-4939.

Cognitous can help with all aspects of securing your IT systems; get in touch to see how we can help you.