A phishing campaign bent on stealing Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers said.
Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.
Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that’s hosted on Google Firebase. That page is of course a phishing page, bent on harvesting Microsoft log-in information, secondary email addresses and phone numbers.
The attackers could use the information to take over accounts and steal information, but they could wreak other havoc as well.
“Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” according to Armorblox.
The link in the email claims to download a file called “Payment Notification – PDF.” It takes users to a landing page, which researchers said has a supposed “download” button on the top right. Hovering over the link shows that the file is hosted on Google Firebase, which is a development environment for building custom web and mobile apps – for, say, internal enterprise use.
“The downloaded ‘invoice’ might have PDF in its file name, but it’s actually an HTML file,” explained Armorblox researcher Rajat Upadhyaya, in a blog on Thursday. “Opening an HTML file loads an iframe with Office 365 branding. The page displays a thumbnail along with a link to view the invoice.”
Clicking the thumbnail or “View File” link leads to the final phishing page, asking victims to log in with their Microsoft credentials, and asks them to provide alternate email addresses or phone numbers – an effort to collect data that could be used to get around two-factor authentication (2FA) or account recovery mechanisms.
After the details are loaded, the login portal reloads with an error message, asking the user to enter correct details.
“This might point to some backend validation mechanism in place that checks the veracity of entered details,” Upadhyaya said. “Alternately, attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”
The campaign is perhaps most notable for the bevy of tactics employed to avoid email security defenses.
“This email attack bypassed native Microsoft email security controls,” the researcher noted. “Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to this email, which meant that Microsoft did not determine the email as suspicious and delivered it to end-user mailboxes.”
For one thing, the redirect flow is complex, which helps mask the malicious nature of the messages, according to Upadhyaya, who noted that this kind of obfuscation is a common tactic to thwart security defenses that check for fake login pages.
“Clicking the email link goes through a redirect and lands on a page with the parent domain ‘mystuff[.]bublup[.]com,'” he said. “The redirect has the parent domain ‘nam02[.]safelinks[.]protection[.]outlook[.]com’, showing that the link was rewritten by native Microsoft security controls even though it was a malicious link.”
Interestingly, by hosting the phishing page HTML on Google Firebase, an inherently trusted domain, the emails were able to nip past built-in Microsoft security filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
“Reputed URLs like that of Firebase will fool people (and email security technologies) into thinking that clicking the link will retrieve the invoice whose thumbnail is displayed,” the researcher said.
Firebase has been leveraged in previous attacks; for instance, last year a series of phishing campaigns using Google Firebase storage URLs surfaced, showing that cybercriminals continue to leverage the reputation of Google’s cloud infrastructure to dupe victims and skate by secure email gateways.
And finally, the emails also passed authentication and anti-spoofing measures using a mass-email system used for newsletters and other legitimate communications.
“The email was sent from a personal Gmail account via SendGrid,” Upadhyaya said. “This resulted in the email successfully passing authentication checks such as SPF, DKIM and DMARC.”
DMARC (Domain-based Message Authentication, Reporting & Conformance) is considered the industry standard for email authentication to prevent attackers from sending mails with counterfeit addresses. It does so by authenticating the sender’s identity before allowing the message to reach its intended designation – and verifying that the purported domain of the sender has not been impersonated.
For better protection against email-borne threats, employees should be trained to engage with emails related to money and data with an “eye test” that includes inspecting the sender name, sender email address, language within the email and any logical inconsistencies within the email (i.e., if a supposed PDF file has an HTML extension), according to Armorblox.
Other defenses include implementing 2FA and implementing password management best practices.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!