August 29, 2018 | By Panagiotis Kintis
A new phishing technique against Microsoft Office 365 users was discovered earlier this month. Attackers are taking advantage of a combination of vulnerabilities to sneak phishing emails through Microsoft's security mechanisms and trick users into clicking links to fraudulent websites. Starting with the ZeroFont attack, adversaries can hide characters in an email and bypass algorithms that match certain keywords. For example, the attacker composes a paragraph and then hides all characters, except those that reconstruct a popular trademark that is likely to be familiar to the recipient (e.g., ©Microsoft Corporation). The attackers then build on top of that using legitimate OneDrive documents (Microsoft's product) to present a login page to the user. Security systems are unable to identify the threat since the fraudulent websites are hosted on Microsoft's servers; users trust those websites since they see Microsoft's domain name in the URL.
IISP Analyst Panagiotis Kintis: "Attacks like this are not new. We have seen them taking place with Google and Gmail, and they have been very successful. The techniques used for these attacks manage to do two things: bypass security mechanisms and trick even experienced and security savvy users. The security systems are prone to such attacks because the adversaries take advantage of the infrastructure they are targeting and, therefore, it is hard to detect the attack. Users at the same time, have been trained to make sure they are typing their credentials into websites they trust and, obviously, they trust the products they use.
The good news is that security systems can evolve and become better at detecting such attacks. Unfortunately, this is very hard to do when it comes to generalizing and detecting variances of attacks. As mentioned earlier, these attacks are not new, but our security countermeasures are still vulnerable to them, primarily because we base our detection on static signatures. It is time to start thinking of ways to take advantage of mature technologies, like Machine Learning, to do the prediction and detection. At the very least, they can be very good consultants during the uphill battles against attackers. By identifying an attack and creating a unique pattern, we can match against what cannot scale. A small change in the attacker's strategy (e.g., combine several techniques) makes our detectors obsolete. However, we have enough knowledge, data, and resources today to do much more than just identify attack signatures.
From the user's perspective, it is really hard to identify such attacks with a naked eye. The golden rule against phishing is "if you did not expect a message, do not interact with it." Curiosity, however, is in our nature. When someone offers to give us millions of dollars for helping them with something trivial, we immediately think "what if it's true." When someone shares a secret document with us and invites us to read it, we immediately think "what could that be." Our credentials, at the time, are a small price to pay for curiosity, and the adversaries know that.
As I have mentioned in the past, technology is only there to help people. People have to be educated and trained to forfeit curiosity and be more careful when it comes to using the Internet. More importantly, phishing can be the stepping stone or the doorway for an attack that might persist over time and affect businesses, governments, and organizations significantly, as we have seen in the past."
For further reading
Computer Business Review: https://www.cbronline.com/news/microsoft-office-365-phishing
The Hacker News: https://thehackernews.com/2018/08/microsoft-office365-phishing.html