Microsoft Phishing Refresher

Over the past several weeks, the NJCCIC received reports of unauthorized account access facilitated by phishing campaigns. While the targeted accounts varied, the images in this post originate from a campaign that aims to access users’ Microsoft 365 accounts and uses tactics and techniques similar to other phishing campaigns. The initial phishing email typically directs the user to click on a link to view a message or document. Cybercriminals often give the document a name to feign the sensitivity or urgency of the document’s content. If clicked, the link will likely lead to a fraudulent login page, as noted in Image 1. 
Image 1
Once an email address or username is submitted, the user will be prompted to provide their password. In Image 2 below, the prompt states that the user is being asked to verify their password because of the sensitivity of the information they are accessing, which is an attempt to decrease the user’s suspicions.
Image 2
Once the password is submitted, the user is often prompted to reenter it as if they submitted it incorrectly, as noted in Image 3. This tactic is likely used to ensure that the user entered their correct password into the form.
Image 3
After submitting the password a second time, the user is redirected to the Microsoft 365 Service Status webpage to appear as though the user was successfully logged in, as noted in Image 4. In other campaigns, the user may be redirected to the official Microsoft 365 login page, and they may assume this occurred because they entered their login information incorrectly.
Image 4
Recommendations
Refrain from clicking links or opening attachments delivered in suspicious or unexpected emails, even from known senders, and only submit account credentials on official websites. If you are unsure of the email’s legitimacy, contact the sender via a separate means of communication – such as by telephone – obtained from trusted sources before taking action.
If a password is entered into a fraudulent login form, revoke active session tokens, immediately change the user’s password, ensure multi-factor authentication is enabled, and choose a more secure method (authentication app, biometric, or hardware token) where available. Additionally, remove any unauthorized auto-forward, auto-delete, or reply-to rules created for compromised email accounts.

Organizations that identify compromised accounts on their networks are encouraged to lock the users’ accounts, identify any malicious emails sent during the compromise, and notify recipients.

If mailbox auditing is enabled, review the logs to identify which mailboxes were accessed or had access attempts made without authorization. Email account compromises typically precede ransomware infections.

Efforts to recover these accounts should also include analyzing any suspicious activity (such as attempts to elevate privileges, create new rules or users, or move laterally) that could indicate broader network compromise.
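The rule clean-up step above can be driven from Exchange Online PowerShell. The script below is an added example, not NJCCIC tooling, and assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with an account permitted to read mailboxes and inbox rules; it reports forwarding, redirecting, and deleting rules plus mailbox-level forwarding so an analyst can review them before removal.

```powershell
# Added example (not the advisory's own code). Assumes Connect-ExchangeOnline
# has already established a session. Read-only: it reports, it does not remove.
function Find-SuspiciousMailboxRules {
    param(
        # Hypothetical parameter: UPNs to check; omit to scan every mailbox.
        [string[]] $UserPrincipalName
    )
    $mailboxes = if ($UserPrincipalName) {
        $UserPrincipalName | ForEach-Object { Get-Mailbox -Identity $_ }
    } else {
        Get-Mailbox -ResultSize Unlimited
    }

    foreach ($mbx in $mailboxes) {
        # Mailbox-level forwarding is set outside inbox rules and is easy to miss.
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = '<mailbox forwarding>'
                Enabled = $true
                Reason  = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress); ForwardingAddress=$($mbx.ForwardingAddress)"
            }
        }
        # Inbox rules that send mail elsewhere or silently delete it.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $reasons = @()
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
                $reasons += 'forwards or redirects mail'
            }
            if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
}

# Review the report first; then remove only confirmed-unauthorized rules with
#   Remove-InboxRule -Mailbox <upn> -Identity <rule name>
# and revoke sessions (Revoke-MgUserSignInSession -UserId <upn>, Microsoft
# Graph PowerShell) before the password reset so stolen tokens stop working.
Find-SuspiciousMailboxRules | Format-Table -AutoSize
```

Any rule the report lists should be compared against the user's own expectations before it is removed, since legitimate forwarding to a shared mailbox looks identical on paper.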

Review the Trustwave blog post detailing a new technique used by Tycoon2FA to compromise Microsoft 365 accounts.