A new phishing scam has surfaced that is showing how sophisticated bad actors are becoming in tricking unsuspecting victims into giving up their personal information.
The latest cyberattack is centered around the job listing website, Indeed. Hackers send out an email spoofing an employment opportunity from the website. Once you click the link, it will send you to a Microsoft 365 login page to enter your credentials. From here you’re not suspecting anything unscrupulous, but the next time you attempt to log into your Microsoft 365 account, you will find that not only are you getting an error message that the information is incorrect, but that your account is no longer available.
Researchers at Menlo Security have observed this phishing scam, which is being targeted at U.S. executives in industries including electronic manufacturing, banking and finance, real estate, insurance, and property management, according to Bleeping Computer.
The cyberattack has been so seamless it has been able to evade multifactor authentication on Microsoft 365 accounts through a method called cookie stealing. This tactic is used to swipe the cookies from well-known websites and mimic their designs. By hacking recent web sessions of programs that are not commonly refreshed, bad actors that replicate pages can look identical to pages of common websites. Cookie stealing was also developed as a bypass for multi-factor authentication. If you have the security feature set up on your account, you would likely input it yourself, having visually deemed the website to be trustworthy.
Researchers began noticing cookie stealing attacks in 2022, targeting several major brands, including Google Chrome, Amazon Web Services (AWS), Azure, Slack, and Electronic Arts.
The hackers in this case used a platform called EvilProxy to execute their cookie stealing and fashion a page that looks like an authentic Microsoft login page. Multifactor authentication is commonplace for Microsoft 365 so users will have some form set up.
The addition of the Indeed email makes this phishing scam especially complex because opening the link triggers an open redirect, which is a weakness that allows the bad actor to direct you to their nefarious website after clicking on a seemingly legitimate link.
This isn’t the only phishing scam plaguing Microsoft services in recent times. Last month, for example, a team of hackers was able to infiltrate Microsoft Teams to execute a phishing scam called “DarkGate Loader.” The scheme centers on a bogus Teams message about “changes to the vacation schedule,” but contains intricate hidden malware when downloaded. Cybersecurity researchers uncovered that hackers were able to access Teams through compromised Office 365 accounts and even found the unsecured email addresses they were able to take over.
Ongoing spam and cybercrime have prompted email providers, including Gmail and Yahoo to set into place requirements for bulk senders as security measures. These requirements include email authentication, the ability to easily unsubscribe, and email assurance, and will be set in place starting February 1, 2024. Google said many of the requirements largely play as basic email hygiene but are being set forth with the aim of making it an industry standard.