While some reports of the Outlook.com phish seem to have incorrectly claimed it was sent to all 400 million users of the service. Intruth the phishing email was sent to a handful of email addresses in the hope that some would be users of the popular Microsoft service, and be duped into providing their user credentials.
We don’t yet know the ultimate goal of the attackers, but we do know they have identified both consumer and business email accounts that use these services. And, that they’re hoping to gain access to that service by duping someone into giving up their user credentials with a convincing looking, but malicious, login page.
Look carefully at the Outlook.com example, and you’ll start to uncover the art of a well-crafted and targeted spear-phishing attack. What we’re seeing, thanks to Chris Boyd and Malwarebytes, could be the start of a well thought out campaign that’s hunting for something quite specific, in effect, the beginnings of a long speculative con. So far, we’ve seen a number of Outlook.com email addresses being targeted, in a seemingly random way, as well as some collateral fallout to other email domains.
The worst case scenario is the attackers know who they are looking for; the best case is that this is random. What’s likely to happen next is that the newly compromised account will be used to target someone, or something else, in order to add an air of legitimacy. The attackers are likely to use a further spear-phishing technique that tricks their target into clicking a link that downloads a malware dropper to their computer.
Once we’re at that stage, we can assume it’ll be game over for the target: their computer will have been compromised, the RAT will likely have given the attackers access, and they’ll be making off with data or moving onto their next target.
All of this could take hours, days, weeks or even months, but be sure the attackers have the patience to wait it out.
For enterprise users, this type of breach could be catastrophic (see Sony Pictures). What starts with a simple phish can end in a whole lot more trouble. Enterprise users are generally well protected by their IT teams, but URIs (URLs in emails) are still not as protected as they should be. Consider how often you click a link in an email without thinking about it, assuming that the IT team have deployed enough protection to keep you safe. In reality, the Outlook.com phish, as well as most other types of spear-phishing, are likely to have made it past your enterprise email security gateway. This is exactly what attackers are relying on – they know a malicious file will never get to you, so they try to trick you into clicking their link.
Therefore, protecting the link is the only real way to defeat this threat, and for the enterprise that means adding another layer to the security stack. A layer that can re-write the link and scan it for malicious end points as it’s delivered to the end user. For business users of Office 365 this means a similar layer of security over and above the already useful Exchange Online Protection.