Fake VPN Warnings Used as Bait in Office 365 Credential Phishing Campaign

A phishing campaign has been found using bogus VPN notifications as bait to get remote workers to disclose their Office 365 credentials.

Healthcare organizations are providing more telehealth services during the COVID-19 public health crisis to help prevent the spread of COVID-19 and to ensure that healthcare companies can continue providing services to patients while self-quarantining at home.

Virtual private networks (VPNs) are used to support telehealth services and to provide secure access to the network and patient information. Several vulnerabilities have been found in VPNs, which hackers are exploiting to gain access to company networks to steal sensitive files and install malware and ransomware. Prompt patching of VPN systems is therefore essential, as is installing updates to VPN clients on employees' laptops. Employees may consequently expect to receive updates to their VPN.

Researchers at Abnormal Security discovered a phishing campaign that impersonates the user's company and claims there is a problem with the VPN configuration that must be addressed for the user to continue using the VPN to access the network.

The emails appear to have been sent by IT support staff and contain a link that must be clicked to install an update. The email tells the user that they must enter their username and password to log in and perform the update.

The campaign targets specific organizations and spoofs an internal email account so that the message appears to come from a known domain. The link uses anchor text related to the user's company to hide the real destination URL and make it look legitimate. If the user clicks the link in the message, they are taken to a web page with a realistic-looking Office 365 sign-in prompt. The phishing page is hosted on a legitimate Microsoft .NET platform, so it has a valid security certificate.

The attacker can capture the login credentials entered on the page and use them to access the person's email account and obtain sensitive information in emails and file attachments, as well as other information reachable with the Office 365 credentials through single sign-on.

Abnormal Security identified multiple phishing emails using several versions of this message, which were sent from various IP addresses. Because the destination phishing link is identical in each email, this indicates that the emails are part of the same campaign run by a single attacker.
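
A mail-filtering check for the two traits described above, company-themed anchor text that hides an external destination and one destination URL shared by messages from different sending IPs, can be sketched as follows. This is an added example, not code from Abnormal Security or the original article; the organization domain `example.com`, the function names and the sample messages are assumptions constructed for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_DOMAIN = "example.com"  # assumption: the recipient organization's domain

class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in_org(url, org=ORG_DOMAIN):
    """True when the URL's host is the organization's domain or a subdomain."""
    host = (urlsplit(url).hostname or "").lower()
    return host == org or host.endswith("." + org)

def disguised_links(html, org=ORG_DOMAIN):
    """Links whose visible text names the organization but whose href leaves it."""
    parser = LinkExtractor()
    parser.feed(html)
    label = org.split(".")[0]
    return [href for href, text in parser.links
            if label in text.lower() and not host_in_org(href, org)]

def campaigns(messages, org=ORG_DOMAIN):
    """Disguised destination URLs seen from more than one sending IP."""
    seen = defaultdict(set)
    for sender_ip, html in messages:
        for href in disguised_links(html, org):
            seen[href].add(sender_ip)
    return {url: ips for url, ips in seen.items() if len(ips) > 1}

# Constructed sample messages as (sending IP, HTML body); not real indicators.
SAMPLES = [
    ("192.0.2.10", '<a href="https://phish.invalid/vpn">Example VPN update</a>'),
    ("198.51.100.7", '<a href="https://phish.invalid/vpn">vpn.example.com</a>'),
    ("203.0.113.5", '<a href="https://vpn.example.com/help">Example VPN help</a>'),
]
```

Running `campaigns(SAMPLES)` groups the first two messages under the shared external URL and ignores the third, whose link stays inside the organization's domain.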