Blob Phishing Attack on O365 (part 3)

Phishing attacks are getting more sophisticated every day. A new threat that is targeting Office 365 users is called Blob Storage Phishing. Hackers send emails that look real and that contain a link requesting users to log into their Microsoft 365 accounts to update their information. The link takes users to a Microsoft landing page that looks legitimate. Hackers can then steal a user’s passwords from the form he or she fills out. The fact that perpetrators are using windows subdomains makes these landing pages look more believable.

Office 365 Security

The image above is the landing page of an attack if it were sent to a user in an email. The URL looks more authentic than most attacks because the domain is real, and it has the word “windows” in it. The domain is also SSL protected, making it seem more convincing. Luckily, there are a few ways to stop these attacks before they happen. Here’s how:

Custom Inbox Rules

1) If you have access to the Exchange Admin Center, there is a rule you can add so that you are notified if one of these fake emails enters your domain. You can go to mail flow and add a new rule. Office 365

This rule can notify your IT team if someone’s email contains a false link. The IT team will have to approve the email before forwarding it on to the recipient.

2) The other rule you may add is spoof protection, which will protect you from receiving an email that comes from outside of your organization, even if it looks like it has your domain.

Office 365 blob

If you are the end user and have received an email with the link web.core.windows.net, please let your IT staff know. The way to see a link before clicking it is to mouse over the link and read the path it will send you to before clicking.

Remember that official Microsoft pages will be hosted on microsoft.com, live.com, or outlook.com. As always, you want to be cautious of any email, regardless of URL, when it asks you to sign in with your credentials.