Account Takeover

Artificial Intelligence

Attack Stories

Business Email Compromise

CISO Insights

Company & Culture

Credential Phishing

Customer Stories

Data & Trends

Engineering

Graymail

Industry Research

Malware & Ransomware

Product

Security Solutions

Third-Party App Attacks

Thought Leadership

Threat Intel

Vendor Email Compromise

Blog purple diagonals

Credential phishing attacks are not new, and impersonating Microsoft is well-known at this point. However, this attack is unique because the attacker was not simply asking for email credentials. Instead, the attack uses an app integration to gain full access to a Microsoft account, including email conversations, OneDrive files, and more. 
<h2>Summary of Attack </h2>
<ul><li>Platform: Office 365</li><li>Email Security Bypassed: Office 365</li><li>Victims: Internal Employees</li><li>Payload: Office 365 App</li><li>Technique: Brand Impersonation</li></ul>
<h2>Overview of the Phishing Attack</h2>
In this attack, the attacker leveraged an Office 365 app which, <a href="https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset" target="_blank" rel="noreferrer noopener">according to PhishLabs</a>, was created using information stolen from a legitimate organization. This app requests access to nearly everything in the victim's O365 account—email, OneDrive, contacts, and more. 
The email itself purports to come from Microsoft, asking users to log in to enable additional anti-virus protection on their account. The email looked like a legitimate email from Microsoft and links directly to legitimate Microsoft pages, including a real Microsoft login page.
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/microsoft-credential-email.png?w=1440&h=808&auto=compress%2Cformat&fit=crop&dm=1675097558&s=a9a34677c41ca08089e4800c6628fcd2" alt="" /></figure>
Although the login page the email linked to was a legitimate Microsoft login page, the URL also instructed Microsoft to forward the authorization token to another domain. After the user logged in, this forwarded token would trigger an app to request full access to the victim's Office 365 account. This portion of the URL would not have been easily visible in the browser's address bar.
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/microsoft-credential-permissions.png?w=500&h=638&auto=compress%2Cformat&fit=crop&dm=1675097558&s=8a759062bcab1227a34c8aba103f12fb" alt="" /></figure>
If the user granted the app the access it requested, attackers would take full control of the victim's account. Because access is granted through the malicious app, a password reset would be ineffective—the only way to deny the attacker access to the account would be to delete the app. 
<h3>Why the Attack Bypassed Existing Security</h3>
In this case, the email sent from the attacker looked like a real email from Microsoft and the display name itself said as much. In a unique twist, it offered greater protection for the user's Office 365 account. Nothing about the email, including URLs, looked amiss or illegitimate. Making it even more complicated, the attacker directed the victim to a real Microsoft login page because the point of the attack was not to steal credentials.
The email even said that users would be getting new security capabilities, so they might have even expected the app prompt a full access request to their account. This attack was sophisticated: there was no credential theft since the login page was real, and even if the user realized that this was an attack, changing their password would not block the attacker's access to their account. 
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/microsft-credential-analysis.png?w=1390&h=876&auto=compress%2Cformat&fit=crop&dm=1675097558&s=38ba5c3719831889e019e86ece7d1687" alt="" /></figure>
Abnormal stopped this attack because of the unusual sender address, the unusual reply-to domain, and the urgent language present within the email itself. In an attack that is extremely difficult to stop, and where remediation is much harder than simply changing the password, increased security is vital to prevent compromise. 
See how Abnormal can prevent these attacks for your organization by <a href="https://abnormalsecurity.com/demo?PS=organic%20website" target="_blank" rel="noreferrer noopener">requesting a demo</a> today.

L Blog Author

Abnormal AI

Credential phishing attacks are not new, and impersonating Microsoft is well-known at this point. However, this attack is unique because the attacker was not simply asking for email credentials. Instead, the...

Attackers Compromise Office 365 Accounts without Stealing Credentials

Blog green glass building

Executive impersonation is one of the most prevalent forms of business email compromise because it is typically easy to do. The attacker only needs to know the name and job type of a high-profile executive, and then they can use that name to prompt unsuspecting employees to send wire transfers, buy gift cards, or provide access to sensitive data. In this case, an executive was impersonated to commit vendor invoice fraud. 
<h3>Summary of Attack</h3>
<ul><li>Platform: Office 365</li><li>Email Gateway Bypassed: IronPort</li><li>Victims: Accounting Employee</li><li>Payload: Invoice Attachment</li><li>Technique: Executive Impersonation</li></ul>
<h3>About the Executive Impersonation Attack</h3>
In this attack, the threat actor posed as an executive at the organization and asked an employee in accounting to pay an invoice, but failed to attach the invoice to the initial email. This may have been intentional in an effort to fool traditional email security systems and start the conversation. Once the employee in accounting responded to the initial email, they received the second email shown here. 
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/executive-impersonation-email.png?w=1024&h=698&auto=compress%2Cformat&fit=crop&dm=1675097558&s=b68332c384ee67efe2dd3cea48527b3a" alt="" /></figure>
The attached invoice looked legitimate but contained banking information that would've routed the wire transfer to an account that the cybercriminal owned. 
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/executive-impersonation-invoice.png?w=1024&h=719&auto=compress%2Cformat&fit=crop&dm=1675097558&s=0ff1c3df80d7d5d809e149365f7b8d71" alt="" /></figure>
 
While Abnormal caught the attack, had it been successful, the attacker would have stolen nearly $43,000 from the targeted organization.
<h3>Why the Invoice Fraud Attack Bypassed Existing Security</h3>
As part of the attack, the attacker posed as an executive communicating with a low-level employee. This is purposeful, as the low-level employee would have recognized the name and thus would have been more likely to engage with the attacker. In addition, the attacker asked his victim to pay the invoice immediately, and this urgency often causes employees to forego the scrutiny they should be giving these types of email requests.
The attacker was able to bypass Microsoft Exchange Online Protection and Defender for Office 365 by using new or existing domains that did not have a negative reputation. However, Abnormal was able to catch this email due to the mismatch between the display name and the email address, as well as an abnormal email response. 
<figure><img src="https://images.abnormalsecurity.com/production/images/blog/executive-impersonation-analysis.png?w=1024&h=593&auto=compress%2Cformat&fit=crop&dm=1675097558&s=2b537632bcec6a5a8f29e29248c930e3" alt="" /></figure>
These factors, combined with the suspicious financial request, made it possible to understand that this attack was malicious. 
Want to see how Abnormal can catch executive impersonation attacks at your organization? <a href="https://abnormalsecurity.com/demo?PS=organic%20website">Request a demo</a> to get started.

Executive impersonation is one of the most prevalent forms of business email compromise because it is typically easy to do. The attacker only needs to know the name and job type of a high-profile executive, ...

Executive Impersonated in Vendor Invoice Fraud Scheme

Demo

Schedule a Demo

B EDU Duo MFA Threat Intel Report Blog

Author Callie Hinman

Callie Baron

Author Piotr Wojtyla

Piotr Wojtyla

A phishing campaign targeting higher education steals credentials and Duo OTPs to compromise accounts, exfiltrate data, and launch lateral attacks.

Attackers Steal Duo OTPs to Compromise Higher Ed Accounts

Defensive AI Meets Cover pptx

Jaroslav Kalfar Photo

Jaroslav Kalfar

As the battle between good AI and malicious AI plays out in cloud email environments, CISOs are turning to behavioral intelligence to keep pace.

Defensive AI Meets the Inbox: The CISO Guide for the AI Arms Race

B 1500x1500 BLOG AI Phishing Coach Product Announcement

E03 C83 N442 J U047 UPX5 KLL 1305a10bd70a 512

Ryan Schwartz

Discover how Abnormal transforms security training with personalized phishing simulations, real-time coaching, and fully autonomous program management.

Introducing AI Phishing Coach: Personalized, Autonomous Security Awareness Training

B Vendor Email Compromise Case Study Blog

Author Elizbeth Swantek

Elizabeth Swantek

See how a real vendor email compromise attack fooled multiple employees. Learn why VEC succeeds and how AI makes these threats more dangerous.

Thread Hijacked: Breaking Down a Real Vendor Email Compromise Attack

Email Subscribe

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Homepage

Breadcrumbs

Abnormal AI provides advanced email security to prevent credential phishing, business email compromise, account takeover, and more.

Learn about the latest cybercrime attack types and email security data trends and discover the latest product and company announcements from Abnormal.

Email Security Blog

description

cybersecurity, insight, news, team, latest, experts

keywords

https://images.abnormalsecurity.com/production/images/L_Abnormal-homepage_Opengraph.png?w=1200&h=630&q=82&auto=format&fit=crop&dm=1740090372&s=5d61b4c2e242be3ca70dfe1d54859b11

referrer

robots

twitter:card

twitter:creator

twitter:description

https://images.abnormalsecurity.com/production/images/T_Abnormal-homepage_Opengraph.png?w=800&h=418&q=82&auto=format&fit=crop&dm=1740090398&s=d6f915fc8861f3928b09a79dae44e4be

twitter:image

twitter:image:alt

twitter:image:height

twitter:image:width

twitter:site

twitter:title

{"title":{"title":"Email Security Blog | Abnormal AI"}}

Keep up with the latest news in cybersecurity with insight from our team of experts.

Abnormal Blog

See How Abnormal AI Protects Humans