Share:

By Dylan Main and Harsh Patel, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to steal Office 365 login credentials by luring employees to accept a new Terms of Use and Privacy Policy. This new campaign has been seen across multiple organizations and uses advanced techniques to garner employee login credentials, including a Google Ad Services redirect to fool email gateways.

Figure 1: Headers

The originating IP in the headers of this email proved its source was coming from a legitimate account with the ‘from’ address “info@jtpsecurity[.]co[.]za” It appeared as though this email address was compromised and then used to send the phish to multiple employees. The word “security” in the from address could potentially lull the user into trusting the email’s origin.

Figure 2: Email Preview

At first glance, the user will see “This message was sent with High Importance.” Again, the from address contains the word security and the subject talks about a “Recent Policy Change,” creating urgency to click and handle the matter immediately.

The email body talks about accepting the newly updated “Terms of Use & Privacy Policy.” Also, it notes how this new policy will affect personal data and discontinue all active services on the user’s account. Curious users will likely want to “Learn More.”

Figure 3 shows the URL embedded in both buttons, “Accept” and “Learn More”:

Figure 3: URL redirect of the buttons

As seen in the above figure, the threat actor has utilized a Google Ad Services redirect to pilot users to their phish. This suggests that the threat actor(s) may have paid to have the URL go through an authorized source. In turn, this easily bypasses secure email gateways and exposes employees to the phish.

Upon clicking on either button, users are redirected to a duplicate of the real Microsoft page at the URL:

hXXps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/common/oauth2-authorize

 On this page users are presented with a pop up of the privacy policy the email mentions. In this window there are two notable logos as well, a Microsoft logo and the user’s company’s logo, in a bid to make this page appear that much more legitimate. Scrolling through the text box you can see the Privacy Statement was taken from Microsoft’s website.

Figure 4: First Page of the phishing attack

After accepting the updated policy, the user is then redirected to a Microsoft login page, which impersonates the Office 365 login page. An employee who enters their credentials and clicks “Next” will have sent the Threat Actor(s) their Microsoft credentials and compromised their account.

Figure 5: Second Page (The actual phishing)

Following the login page, users find further reason to believe the update is legitimate, one more box saying, “We’ve updated our terms.” Upon clicking the “Finish” button, they’ll be all set.

Figure 6: Third Page (Post entering credentials)

Last step: users are redirected to the legitimate Microsoft page, their Service Agreement, to complete the scam. Nothing malicious here!

Figure 7: Final Page (Official Microsoft site)

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.

Indicators of Compromise:

Network IOCs IP  
hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=C3seiJpC5XstooZGJBrPArsADp__a3lyH_4PTjAqoqKfonA8QASC7-_keYISV7IXcHaABzavQ-gPIAQmpAt6UwcHeNU0-qAMByANKqgTEAU_Q2dNvWCQ_LtumFUNLEz16PFVhg8cC3HmYEdlxma4KWUfGkvbdLFpKvCC92odSoiBTw9idw1iHRgreOTD1xyzoBBif4axm3JFTnekl_2_OeuLDQv0U_HzVVt10Iu5SkzsX6nGWyfUgPHIgJkxJqY4me8SG8d0nlmJ8PumQhJhze02bPmqEr4puzh2awPAoHoVPQ7QaXlbeJvf4W7Wexg1RGQ0EqMY8Z7YLfyh6tceagXiYGwWU1r3H9HuiISfj4G-RYYTABM-Sru2hAsAFBfoFBgglEAEYAJAGAaAGLoAHm9SvBYgHAZAHAqgHjs4bqAeT2BuoB7oGqAfw2RuoB_LZG6gHpr4bqAfs1RuoB_PRG6gH7NUbqAeW2BuoB8LaG9gHAMAIAdIIBggAEAIYGoAKAZALA5gLAcgLAYAMAeAS_6jY_crtxomjAdgTDg&ae=1&num=1&cid=CAMSeQClSFh3L5xTIDfFt35D8xjVEHFCYXr5NOlTRany4t_BBsFsAp3b7XCD0nSBKDirzhPVamy0H75uzx6gQxh5_rKDAlBAJWTUCf1Tqi6saFbojDtHd_R8dtCePj4ZvH0zHZWyRITLXvztggY2ibrWY9oLm5X8Wcuetvk&sig=AOD64_0L9hd4oCjDoroDTf6-7Fkon2bwsw&ctype=5&client=ca-pub-1169945711933407&adurl=https%3A%2F%2Fmicrosoftoffice-servicepolicy-onlineserver[.]comisys[.]host172[.]217[.]7[.]226
hxxps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/198[.]23[.]137[.]146
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.