Over the last month, more than 5,000 fake notifications purporting to be from Microsoft have been identified as being used in ongoing email compromise campaigns. Researchers with Check Point Harmony Email & Collaboration said that the attacks use "exceptionally sophisticated obfuscation techniques" that make it all but impossible for targeted users to distinguish them from the genuine article. Here's what you need to know and do.
The Check Point research team has been busy analyzing phishing emails reported by its zero-day threat prevention platform. Within the space of a single month, the researchers said, they uncovered more than 5,000 spoofed notifications being used as part of a sophisticated phishing campaign. That these impersonate Microsoft comes as no surprise to anyone, considering that the company sits at the top of the list of brands cybercriminals impersonate. Microsoft emails have been in the news recently as they were being hacked by a man accused of a hack-and-trade fraud, but this is an entirely different kettle of malicious phish.
To make things more complicated for the recipients of these notification emails, they don't appear to come from private or anonymous domains, which would be a giveaway for most people in this cybersecurity awareness month. Instead, the researchers said, they are far more convincing because they appear to come from organizational domains, impersonating the organization's own legitimate administrators.
This is just one of the "sophisticated obfuscation techniques" the researchers found the attackers to be using in order to hide the malicious intent of the emails. Others included the use of cut-and-paste privacy policy documents from Microsoft itself, lending an additional air of authenticity to the emails.
All of that said, the technical mechanics of the attacks seem pretty standard. The email notification itself links to a fake login page or portal that the attacker uses either to deliver malicious software or to collect account usernames and passwords. Some of the emails have also been noted to contain links to genuine Microsoft or Bing pages, another effort to make it harder for some security protections to recognize and mitigate the threat.
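The two tells described above (a From: address on the recipient's own domain that the domain's owner never actually sent, and a mix of look-alike login links with genuine Microsoft links) are both visible in the raw message. The following triage helper is an added example, not code from the Check Point report or from Microsoft: it parses a constructed sample email, reads the receiving mail server's Authentication-Results header for SPF/DKIM/DMARC outcomes, compares the From: and Reply-To: domains, and lists every link host that is not on the claimed sender's domain. The domains `example-corp.com` and `mail-verify.example` and the header values are constructed for the example; `privacy.microsoft.com` stands in for the kind of genuine Microsoft link the researchers mention.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the Check Point report): the From: header
# impersonates an administrator on the recipient's own domain, the body places a
# look-alike login link next to a genuine Microsoft privacy page, and the receiving
# MTA's Authentication-Results header shows SPF and DMARC failing for that domain.
SAMPLE_RAW = (
    'From: "IT Administrator" <admin@example-corp.com>\n'
    "Reply-To: support@mail-verify.example\n"
    "To: user@example-corp.com\n"
    "Subject: Action required: verify your Microsoft 365 account\n"
    "Authentication-Results: mx.example-corp.com;\n"
    " spf=fail smtp.mailfrom=mail-verify.example;\n"
    " dkim=none;\n"
    " dmarc=fail header.from=example-corp.com\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>Your mailbox is almost full. "
    '<a href="https://login.mail-verify.example/o365">Sign in</a> to keep access. '
    'Read the <a href="https://privacy.microsoft.com/">Microsoft Privacy Statement</a>.</p>\n'
)

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def domain_of(address_header):
    """Lower-cased domain of an address header value, or '' when absent."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse the receiving MTA's Authentication-Results header into {method: result}."""
    header = msg.get("Authentication-Results", "")
    flat = " ".join(str(header).split())  # collapse header folding / whitespace
    return {method: result for method, result in AUTH_RE.findall(flat)}


def link_hosts(msg):
    """Hosts of every href target in the HTML (or plain) body, in document order."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [urlparse(url).hostname or "" for url in HREF_RE.findall(text)]


def on_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage(raw):
    """Return the indicators a defender checks before trusting a 'from our admins' mail."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    auth = auth_results(msg)
    findings = []
    # The From: domain is only worth anything if the sending path authenticated it.
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append("no_passing_authentication")
    if auth.get("dmarc") == "fail":
        findings.append("dmarc_fail")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    # A genuine microsoft.com link in the body does not vouch for the other links.
    off_domain = [h for h in link_hosts(msg) if h and not on_domain(h, from_domain)]
    if off_domain:
        findings.append("off_domain_links")
    return {
        "from_domain": from_domain,
        "auth": auth,
        "off_domain_link_hosts": off_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The Authentication-Results header is only trustworthy when it was added by your own receiving server (the `mx.example-corp.com` authserv-id in the sample); a production filter should discard any copy of that header that arrived with the message. The off-domain link list is deliberately not filtered against a brand allowlist: the point is that every sign-in link in a "from your administrator" mail should live on your organization's domain, whatever else the message links to.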
Check Point's "5,000 Fake Microsoft Emails That Your Employees Could Fall For" report recommends organizations take the following mitigations in order to avoid becoming a victim of this latest phishing campaign.
Awareness training: although, to be honest, given the quality of generative AI-based text these days, this has become much more complicated than simply relying on the "watch out for grammatical errors and stylistic inconsistencies" training of old. Far better to use examples of actual, current campaigns and drill the "don't click" message into users.
AI-powered email security: well, Check Point would say that, obviously. However, more and more security solutions now come with an AI element that can combine behavioral analysis with machine learning to spot frauds that humans find harder to recognize.
Patching: an old favorite, but still a much-underrated mitigation. Organizations keeping software and firmware up-to-date are less likely to get caught up in campaign payloads that rely upon the exploitation of known vulnerabilities.