fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Office 365 Phishing Runs Real-Time Check Of Stolen Domain Logins

Office 365 Phishing Runs Real-Time Check Of Stolen Domain Logins

Threat researchers investigating phishing attacks encountered a less common technique in spear-phishing aimed at a senior executive at a top American company.

The code behind the phishing page made sure that the threat actor got the right credentials for the company Active Directory and performed redirects to hide the attempt.

Also read: 10 Government Data Leaks In Singapore: Prevent Cybersecurity

Well-planned attack

Testing logins in real-time is an unusual technique that allows the attacker to adapt their response based on the received feedback.

The attack started with an email delivered on a Friday, at the end of business hours, with a subject and attachment referring to an internal financial report. A short message informs of a payment remittance report being available.

Opening the attachment launches a web page that looks like the legitimate Office 365 login page. This method is convenient for bypassing typical URL protection from Secure Email Gateway solutions.

A clue to the targeted nature of the attack is the fact that a recent rebranding effort from the company resulted in different email addresses used for communication and Active Directory (AD) authentication.

It appears that the threat actor was aware of this detail. They sent the phishing email to the correct address and filled the right AD username in the fake Office 365 login field on the landing page.

Researchers at Armorblox, a company protecting against targeted email attacks, analyzed the phishing attempt and noticed that the hackers verified the credentials immediately after getting them using Office 365 APIs.

The researchers confirmed this by testing mock credentials on the phishing page. The attempt appeared in the logs for the Azure Active Directory.

“Our threat researchers verified the real-time nature of the site by updating the script with a test login and a dummy password and saw a failed login attempt from Provo, Utah in the Azure Active Directory Sign-In portal. As expected, the IP address (162.241.120.106) that attempted the sign-in is the same endpoint the phishing script sends the credentials” – Armorblox

The attackers also made sure to scatter their traces as much as possible to make tracking them more difficult. As such, their infrastructure used serviced from all over the world,

They used the Amazon Simple Email Service to send out the phishing message, registered the domain for the phishing page at Alibaba with a domain registrar in Singapore, and hosted the website at a datacenter in Provo, Utah, operated by a provider in India (UnifiedLayer).

Using Amazon SES to deliver the email kept spam alarms silent since the service supports DKIM/SPF, increasing the reputation of the message.

In their blog post today, ArmorBlox says that checking the validity of the logins for Active Directory authentication allows the attacker to adapt their next step; and if successful, they can compromise the account before any remediation action, establishing a foothold that could makes cleaning operations more difficult.

They summarized the complete chain of attack in the following picture:

Also read: How To Anonymised The Data: What Are The Importance Of This?

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us