September 12, 2018
Secure message attack in progress – WST
Be Aware: Widespread “secure message” attack in progress.
We have seen several clients possibly affected by a phishing campaign that appears designed to steal Office365 OAuth2 tokens. The phishing email itself can vary, but it will come from a known sender and appear to be a secure document delivery message. The message may contain a PDF attachment, or it may link out to box.com or another file repository where the PDF file resides. The PDF file is a variant of the following doc:
The link in the document redirects the user to various landing pages that prompt for Office365 credentials. The link will generate a token that gives the attacker access to the user’s O365 account.
As this attacker is using compromised accounts to spread the email, the message has a high likelihood of slipping by antispam controls (SPF records check out, and the message itself does not contain any malicious code).
10-D recommends reminding users to practice proper email awareness and to be extremely wary of any “secure message” email, even if it comes from a trusted sender.
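Because a passing SPF check says nothing about whether the sending account is compromised, mail triage for this campaign has to key on the lure itself. The following is an added example, not part of the original advisory: the lure phrases, the host list beyond box.com, the `Authentication-Results` header being stamped by the receiving gateway, and the sample message are all assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Assumed heuristics, not indicators from the advisory: tune both lists locally.
LURE = re.compile(r"secure\s+(message|document|file)", re.I)
SHARE_HOSTS = ("box.com",)  # named in the advisory; add other file repositories
URL_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

def triage(raw: bytes) -> dict:
    """Flag 'secure message' lures regardless of the SPF verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Verdict stamped by the receiving gateway (assumed to add this header).
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    spf_pass = bool(re.search(r"\bspf=pass\b", auth, re.I))
    text = str(msg.get("Subject", ""))
    has_pdf = False
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype == "application/pdf" or fname.endswith(".pdf"):
            has_pdf = True
        elif ctype in ("text/plain", "text/html"):
            text += "\n" + part.get_content()
    hosts = {h.lower().split(":")[0] for h in URL_HOST.findall(text)}
    share_link = any(h == s or h.endswith("." + s)
                     for h in hosts for s in SHARE_HOSTS)
    lure = bool(LURE.search(text))
    # SPF pass only vouches for the sending domain, so it never clears a hit.
    return {"spf_pass": spf_pass, "lure": lure, "pdf": has_pdf,
            "share_link": share_link, "review": lure and (has_pdf or share_link)}

# Constructed sample: known sender, SPF passes, link to a file repository.
SAMPLE = (
    b"From: Known Sender <colleague@partner.example>\r\n"
    b"To: user@corp.example\r\n"
    b"Subject: You have received a secure message\r\n"
    b"Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=partner.example\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"View the document: https://app.box.com/s/EXAMPLE\r\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Messages returned with `review` set are candidates for quarantine or a user-facing banner; the `spf_pass` field is reported only so analysts can see how many hits arrived with clean authentication.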