Fake VPN Notifications Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been discovered that uses fake VPN warnings as a lure to get remote employees to reveal their Office 365 credentials.

Healthcare companies are providing more telehealth services throughout the COVID-19 public health emergency to help avert the spread of the coronavirus and to ensure that healthcare providers can continue to serve patients who are self-isolating at home.

Virtual private networks (VPNs) are used to support telehealth services and give staff secure remote access to the network and patient records. A number of vulnerabilities have been identified in VPNs that threat actors are exploiting to gain access to organizations' networks, steal sensitive information, and deploy ransomware and malware. Prompt patching of VPN systems and updating of VPN clients on employee laptops is therefore important, so workers may expect to have to update their VPN software.

Abnormal Security researchers found a phishing campaign that impersonates the user's company and claims there is a problem with the VPN configuration that must be fixed for the user to continue using the VPN to access the network.

The emails appear to have been sent by IT support staff and contain a URL the recipient is told to click to obtain an update. The email tells the employee that they must enter their username and password to sign in and perform the update.

The campaign targets specific businesses and spoofs an internal email so the message appears to come from a trusted domain. The link's anchor text references the user's company, concealing the real destination URL and making the link look trustworthy. When the user clicks the link in the email, they are taken to a site with an authentic-looking Office 365 login prompt. The phishing page is hosted on a genuine Microsoft .NET platform, so it has a valid security certificate.
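One defender-side check suggested by the anchor-text trick above, as an added example that is not from the original article or from Abnormal Security: it parses an HTML email body and flags links whose visible text names the company's own domain while the href points to a host outside it. The sample body and the example-health.invalid domain are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body in the style of the lure: the first link's
# visible text shows the company's domain but its href leads elsewhere;
# the second link is a genuine internal link and must not be flagged.
SAMPLE_HTML = """
<p>IT Support: your VPN configuration must be updated before you can
reconnect. Sign in with your username and password to apply the update:</p>
<a href="https://login-update.example-hosting.invalid/vpn">
  https://vpn.example-health.invalid/update</a>
<p>Help: <a href="https://intranet.example-health.invalid/help">
  intranet.example-health.invalid/help</a></p>
"""
COMPANY_DOMAIN = "example-health.invalid"  # constructed: the impersonated org

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so multi-line anchor text compares cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(value):
    """Hostname of a URL or bare domain, lowercased ('' if none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def find_masked_links(html, company_domain):
    """Return links whose visible text names the company's domain but whose
    href resolves to a host outside that domain (the masking used in the lure)."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = host_of(href)
        inside = host == company_domain or host.endswith("." + company_domain)
        if company_domain in text.lower() and not inside:
            flagged.append({"text": text, "href": href, "host": host})
    return flagged
```

Run over a mail gateway's HTML bodies, a non-empty result is a strong signal that the message is trying to disguise its destination.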

The attacker can capture the login credentials entered on the website and use them to access the user's email account, harvest sensitive data from emails and attachments, and, through single sign-on, reach other data accessible with the Office 365 credentials.

Abnormal Security discovered a number of phishing emails that use different variations of this message, sent from several IP addresses. Since the destination phishing URL is similar in each email, this suggests the emails are part of the same campaign run by a single attacker.