
Phishing attack exploited Samsung, Adobe servers for Office 365 credentials

Researchers from Check Point have exposed a phishing campaign built to harvest Microsoft Office 365 login credentials.

The campaign used legitimate infrastructure and domain names belonging to Oxford University, Adobe and Samsung to lure victims and slip past email security filters.

The attackers first hijacked an Oxford email server and used it to send the phishing emails. The links in those emails pointed to an Adobe server that Samsung had used in the past, letting the attackers hide behind the façade of a legitimate Samsung-branded link.

The emails told recipients that a voice message was waiting for them in a voice portal and that, to hear it, they needed to click a button labelled ‘listen/download’.

The button led to a spoofed login page that prompted victims to enter their Office 365 credentials, handing the attackers access to their email accounts.

Most of the emails were sent from generated addresses on legitimate subdomains belonging to different departments at the University of Oxford, according to Check Point.

The attackers achieved this by compromising one of Oxford’s SMTP servers, the servers responsible for sending and relaying outgoing mail between senders and receivers.

Because the mail genuinely originated from Oxford’s infrastructure, it passed the sender-domain reputation checks performed by email security products.

To get past email security solutions and lend the campaign further legitimacy, the attackers routed their links through Google and Adobe open redirects.

In this case, the links in the email redirected to an Adobe server previously used by Samsung during a 2018 Cyber Monday marketing campaign. 

This meant the link embedded in the phishing email appeared to belong to Samsung’s trusted domain, but instead of landing on a legitimate Samsung page it redirected victims to a website hosted by the attackers.

By using the specific Adobe Campaign link format on a legitimate domain, the attackers improved the odds that the email would bypass security solutions that rely on domain reputation, blacklists and URL pattern matching, since those checks see the reputable first hop rather than the final destination.

“What first appeared to be a classic Office 365 phishing campaign, turned out to be a masterpiece strategy: using well-known and reputable brands to evade security products on the way to the victims,” says Check Point manager of threat intelligence Lotem Finkelsteen. 

“Nowadays, this is a top technique to establish a foothold within a corporate network.

“Access to corporate mail can allow hackers unlimited access to a company’s operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords and even addresses of a company’s cloud assets,” says Finkelsteen.

“To pull the attack off, the hacker had to gain access to Samsung and Oxford University servers, meaning he had time to understand their inner workings, allowing him to go unnoticed.”

Check Point has informed Oxford University, Adobe and Samsung of its findings.
