New Phishing Emails Posing as Office 365 Non-Delivery Messages

Cyberattackers will try anything to get into enterprise networks. With the movement of many applications to the cloud, new creative techniques seem to appear every day. Users of Microsoft Office 365™ have been a particularly big target as more and more organizations move their office applications to the cloud, including their email.

Recently, we examined phishing attempts where Office 365 users were baited into clicking malicious SharePoint URLs in emails from real Office 365 free trial accounts. This latest attack type takes a somewhat similar approach, but instead of fake SharePoint URLs, attackers try to entice their victims into giving up their login credentials by sending fake Office 365 non-delivery emails.

Discovered by researcher Xavier Mertens at the SANS Internet Storm Center, this insidious new phishing attack presents itself as a non-delivery receipt (NDR) email, stating that “Microsoft” had discovered several undelivered emails from the targeted individual. The sender of the NDR email impersonates the postmaster service for your organization’s email system.

From there the email prompts the target to click a “Send Again” button to try and get the emails sent again. If the target clicks that link, they are brought to a fake Office 365 login page where they are prompted to enter their account password. The login page even enters the target’s email address to make things appear more legitimate and trustworthy!

At that point, the attacker has the target’s credentials (generally their Active Directory credentials) and can gain access to their enterprise network—and all that entails.

How to fight back against Office 365 phishing

Phishing for Office 365 credentials—really, Active Directory credentials for most—has become a key focus of cybercriminals. Why? They really are the keys to the enterprise kingdom. 

If your organization is not using multi-factor authentication—and many are not—once credentials are collected the attacker can login to that users’ Office 365 account at their leisure to read their email, collect files from SharePoint and further spread the attack by conducting internal phishing campaigns. Who is not going to click on a link or attached file that came in an email from a colleague in your same organization?

Are organizations even providing security for internally-generated emails? 

The best antidote to this security challenge is a mix of security controls, including multi-factor authentication, strong anti-phishing controls on both inbound and internally-generated emails, as well as broad security awareness training for all users.

When combined, these security steps will greatly reduce the probability of a successful attack such as the one highlighted here from getting home.