September 12, 2018

Secure message attack in progress – WST

Be Aware: Widespread “secure message” attack in progress.

We have seen several clients possibly affected by a phishing campaign that appears designed to steal Office365 OAuth2 tokens. The phishing email itself can vary, but it comes from a known sender and appears to be a secure document delivery message. The message may contain a PDF attachment, or it may link out to a or another file repository where the PDF file resides. The PDF file is a variant of the following doc:

The link in the document redirects the user to various landing pages that prompt for Office365 credentials.  The link will generate a token that gives the attacker access to the user’s O365 account.

As this attacker is using compromised accounts to spread the email, the message has a high likelihood of slipping by antispam controls (SPF records check out, and the message itself does not contain any malicious code).

10-D recommends reminding users of proper email awareness and telling them to be extremely wary of any “secure message” email, even if it comes from a trusted sender.
