Microsoft Issues A Security Alert To Office 365 Users Regarding A Password-Stealing Phishing Campaign.

Microsoft has issued a warning to Office 365 subscribers about a phishing attack that is attempting to steal their identities and passwords.

The Microsoft 365 Defender Threat Intelligence Team informed the public about a phishing attack that puts Office 365 users and companies at risk in a security blog post. The goal of the phishing effort is to obtain the credentials of users, including passwords.

The phishing attempt abuses the “open redirect,” a link-tracking feature commonly used by email sales and marketing tools. This isn’t a new type of assault; threat actors have previously utilized open redirects to trick people into visiting a malicious site masquerading as a reputable one, according to ZDNet.

This time, the phishing campaign embeds open-redirect links under various URLs to entice users to click on them. After the victims click the link, they are first redirected to a Google reCAPTCHA page and then led to a fake login page, where the attackers collect their credentials, including passwords.
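One way a defender can triage links for the open-redirect lure described above, by unrolling any URL that is smuggled inside another URL’s query string and reporting where the user would actually land. This is an added example, not code from Microsoft’s advisory or from the article; the hosts and sample links in it are constructed placeholders, not real indicators.

```python
"""Triage e-mail links for the open-redirect lure: a reputable-looking outer
host whose query string carries a fully qualified URL to a different domain.
Added example; sample links below are constructed placeholders."""
from urllib.parse import urlparse, parse_qsl, unquote

def first_embedded_url(url: str):
    """Return the first query-string value that is itself an http(s) URL,
    or None. parse_qsl already percent-decodes once; the extra unquote
    catches double-encoded targets, a common evasion."""
    for _name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        candidate = unquote(value)
        inner = urlparse(candidate)
        if inner.scheme in ("http", "https") and inner.netloc:
            return candidate
    return None

def redirect_chain(url: str, max_depth: int = 5) -> list:
    """Unroll nested redirects: [outer link, embedded target, its target, ...].
    max_depth bounds the walk so a pathological link cannot loop forever."""
    chain = [url]
    for _ in range(max_depth):
        nxt = first_embedded_url(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def final_host(url: str) -> str:
    """Host the user would actually land on after every redirect hop."""
    return urlparse(redirect_chain(url)[-1]).hostname or ""

def is_open_redirect(url: str) -> bool:
    """True when any hop lands on a host other than the one shown in the
    outer link, i.e. the visible domain is not the real destination."""
    outer = urlparse(url).hostname or ""
    return any((urlparse(hop).hostname or "") != outer
               for hop in redirect_chain(url)[1:])

# Constructed sample links, as they might be extracted from an e-mail body
# (placeholder hosts under the reserved .example TLD).
SAMPLE_LINKS = [
    "https://mailer.example/track?cid=42&url=https%3A%2F%2Fmailer.example%2Funsub",
    "https://mailer.example/track?cid=42&url=https%3A%2F%2Fbad-captcha.example%2Fr%3Fu%3Dhttps%253A%252F%252Flogin-lookalike.example%252Fsso",
    "https://login.microsoftonline.com/?client_id=00000000-0000-0000-0000-000000000000",
]

def triage(links) -> dict:
    """Map each link that uses the lure to its final landing host for review."""
    return {link: final_host(link) for link in links if is_open_redirect(link)}
```

The second sample reproduces the two-hop shape from the article: a tracker link, then a captcha-style relay, then the credential-harvesting host, which is what `triage` reports.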

The fake login page is an attacker-controlled page masquerading as a legitimate service such as Office 365. To prompt the user to provide login credentials, the page mimics Microsoft’s single sign-on behavior.

Some bogus login pages even feature firm logos and branding, making them appear less suspicious to victims.

The page immediately refreshes after the unwary victim enters the password, displaying an error message or a page-timeout notice. This forces the victim to re-enter the information, allowing the attackers to double-check the password they obtained.

The Microsoft 365 Defender Threat Intelligence Team assesses that the phishing assault has a significant potential payout. The researchers discovered 350 distinct phishing domains, indicating the scale at which the threat actors are running the attack.

Because 91 percent of cyberattacks are launched over email, Microsoft warns that businesses are at risk. The attackers use a variety of tactics to avoid detection, and they can even fool people who are trained to inspect suspicious links by hovering over them. Traditional email gateway systems are unable to detect the attackers’ malicious destination, since the redirect hides it from plain sight.

Organizations should have a security solution that provides a multi-layered defense to safeguard their devices from phishing campaigns, according to the company.