Phishing attack exploited Samsung, Adobe servers for Office 365 credentials

Yet another phishing campaign has been unearthed, with researchers from Check Point exposing efforts by cyber attackers to harvest login credentials stored in Microsoft Office 365 accounts. 

The campaign used seemingly credible web domain names to lure its victims and bypass security filters, including domains belonging to Oxford University, Adobe and Samsung.

The campaign began by hijacking an Oxford email server, which attackers then used to send malicious emails to victims. These emails contained links that redirected to an Adobe server used by Samsung in the past, enabling hackers to leverage the façade of a legitimate Samsung domain to successfully trick victims. 

The emails attempted to convince victims that a voice message was waiting in a voice portal, and to hear the message victims needed to click a button labelled ‘listen/download’.

This link led victims to a login page where they were entreated to share their Office 365 login credentials, thereby giving attackers access to their email accounts.

Most of the emails came from multiple generated addresses belonging to legitimate subdomains from different departments at the University of Oxford, according to researchers from Check Point.

Attackers did this by compromising one of Oxford’s SMTP servers – which is charged with sending, receiving and relaying outgoing mail between email senders and receivers.

With control over this server, attackers were able to pass the reputation check required by security measures for the sender domain.

To successfully bypass email security solutions and add perceived legitimacy to their campaign, attackers used Google and Adobe open redirects. 

In this case, the links in the email redirected to an Adobe server previously used by Samsung during a 2018 Cyber Monday marketing campaign. 

This meant the link embedded in the original phishing email was part of the trusted Samsung domain stem – but instead of leading to a legitimate Samsung page, it redirected victims to a website hosted by the hackers. 

By using the specific Adobe Campaign link format and the legitimate domain, the attackers increased the chances for the email to bypass email security solutions based on reputation, blacklists and URL patterns.
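A defensive check that illustrates why the redirect chain described above defeats reputation-based URL filtering: it unwraps redirect-style query parameters offline and judges the final destination rather than the visible, trusted host. This is an added example, not Check Point's analysis or the attackers' actual links; the parameter names, the trusted hosts and the sample URL are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Query parameters that commonly carry a redirect target. The real Adobe
# Campaign and Google redirect formats are not given in the article, so
# this list is an assumption for the example.
REDIRECT_PARAMS = ("url", "redirect", "redir", "u", "q", "goto", "target", "continue")

# Constructed: a link whose visible host is trusted but which chains two
# open redirects into a credential-harvesting page.
TRUSTED_HOSTS = ("trusted-brand.example", "google.com")
SAMPLE_LINK = (
    "https://t.trusted-brand.example/r/?id=ABC"
    "&url=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3D"
    "https%253A%252F%252Fvoicemail-portal.invalid%252Flogin"
)


def unwrap_redirects(url, max_hops=5):
    """Follow redirect parameters without any network request; return the hop chain."""
    chain = [url]
    for _ in range(max_hops):
        query = parse_qs(urlparse(chain[-1]).query)  # parse_qs URL-decodes once per hop
        nxt = None
        for name in REDIRECT_PARAMS:
            for value in query.get(name, []):
                candidate = urlparse(value)
                if candidate.scheme in ("http", "https") and candidate.hostname:
                    nxt = value
                    break
            if nxt:
                break
        if not nxt:
            break
        chain.append(nxt)
    return chain


def host_is_trusted(url, trusted_hosts):
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def is_suspicious(url, trusted_hosts=TRUSTED_HOSTS):
    """True when a trusted visible host bounces to an untrusted final destination."""
    chain = unwrap_redirects(url)
    # A link that never leaves trusted hosts, or whose visible host is not
    # trusted in the first place (reputation filters judge that directly), is not flagged here.
    return len(chain) > 1 and host_is_trusted(chain[0], trusted_hosts) \
        and not host_is_trusted(chain[-1], trusted_hosts)
```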

“What first appeared to be a classic Office 365 phishing campaign, turned out to be a masterpiece strategy: using well-known and reputable brands to evade security products on the way to the victims,” says Check Point manager of threat intelligence Lotem Finkelsteen. 

“Nowadays, this is a top technique to establish a foothold within a corporate network.

“Access to corporate mail can allow hackers unlimited access to a company’s operations, such as transactions, finance reports, sending emails within the company from a reliable source, passwords and even addresses of a company’s cloud assets,” says Finkelsteen.

“To pull the attack off, the hacker had to gain access to Samsung and Oxford University servers, meaning he had time to understand their inner workings, allowing him to go unnoticed.”

Check Point has informed Oxford University, Adobe and Samsung of its findings.
