Overview.

Microsoft is the most phished brand in the world. With so many Office 365 users globally, it’s only natural for attackers to try and phish for credentials using any of the apps in the Microsoft suite.

In this short blog we present a large-scale attack using impersonations to the Microsoft Planner and Teams collaboration apps. The attack, which was seen in over 10 different organizations, showing that the attacker chose a less targeted approach in launching this campaign.

The Mail.

In this phishing attack, the attacker tries to impersonate Microsoft Planner or Teams using the following assets:

• App logo
• Microsoft logo
• Copying the email body of the app
• Using the specific app color pallet

Essentially, the attacker takes advantage of the apps’ tendency to send multiple messages in the same structure and appearance, only replacing: (1) the displayed address in the email envelope with the one of the end-users; and (2) the return path to vps.z19.web.core.windows.net, making it look like a real message from Microsoft.

To complete the disguise, the attacker uses a payload containing a fake Microsoft phishing login page intended to steal credentials. Finally, to make it even more deceiving, the attacker chooses to use the windows.net subdomain as the envelope return-path and the user’s own organizational address as the displayed address. 

IOCs.

• Subject: You’ve been assigned a task! / You have 6 messages, 3 mentions.
• From: Microsoft Planner [user address] / There’s new activity in Teams [user address]
• Return-path: [email protected]

The Payload.

Like in any phishing campaign, the attacker created a nice-looking web page to steal the end-user’s credentials. In this campaign, the same login page is used for all apps, which means that when the user clicks on ‘Open in Microsoft Planner’ or ‘Reply in Teams’ he/she will be directed to a web page phishing Microsoft login hosted by Appspot, making it difficult to use reputation-based algorithms to detect it.

Perception Point.

Perception Point’s service prevented this attack using advanced anti-phishing algorithms. By using image-recognition technology, our solution can prevent any attack – even if highly disguised. We do not use only reputation or static engines – we take an active (“dynamic”) approach, ensuring “zero-day” phishing attacks are intercepted well before reaching the end-user’s email box.

For more information about our anti-phishing capabilities, we welcome you to check this link.