August 11, 2020

Volume X, Number 224

August 10, 2020

Phishing Attacks Target Office365 Administrators

As reported today by Help Net Security, hackers are targeting Microsoft Office365 administrators in a new phishing campaign that can obtain and confirm credentials in real time. According to the article, the attack begins with a fake Office365 notification where all the links in the message link back to fake Office365 sites at the domain. A script on the fake site checks the validity of the administrator’s credentials in real time via an IMAP connection back to the real Office365 portal. If the credentials authenticate successfully, the attackers download the entirety of the administrator’s mailbox via the IMAP connection, completely unbeknownst to the administrator. Finally, the administrator is redirected to their actual MS Office365 Exchange Online mailbox.

This style of attack is particularly dangerous because the administrator’s email is exfiltrated in the background and can easily go completely unnoticed. Once the download is complete, the hackers have offline access to the email data indefinitely and can mine it for any information useful to either further their campaign or monetize the data. It can also give the hackers the ability to make further changes to the victim organization’s Office365 tenant.

Avoiding this type of attack is relatively easy by conforming to industry best practices. As outlined in the article by Help Net Security:

  1. Enable multi-factor authentication on all accounts.

  2. Disable the IMAP protocol on all mailboxes in your environment.

  3. Provide administrators two different Office365 accounts, one for daily use associated with their user account that does NOT have administrator privileges and one specifically for performing administrator functions.

  4. Do not have a mailbox associated with any administrator accounts.

  5. Be aware that the actual Office365 portal domain is not
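For recommendation 2, one way to audit and then disable IMAP across an Exchange Online tenant is sketched below. This is an added example, not code from the article or from Help Net Security; it assumes the ExchangeOnlineManagement PowerShell module and an Exchange administrator role, and `admin@example.com` and the CSV file name are placeholders.

```powershell
# Added example: audit and disable IMAP in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed.
# $AdminUpn is a placeholder; replace it with your own admin sign-in name.
$AdminUpn = 'admin@example.com'
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. Record which mailboxes still accept IMAP before changing anything,
#    so the change can be reviewed and, if needed, rolled back per mailbox.
$imapOn = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled })
$imapOn | Select-Object PrimarySmtpAddress, ImapEnabled |
    Export-Csv -Path .\imap-enabled-before.csv -NoTypeInformation

# 2. Disable IMAP on each of those mailboxes.
#    -WhatIf only previews the change; remove it to apply.
foreach ($mbx in $imapOn) {
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress -ImapEnabled $false -WhatIf
}

# 3. Disable IMAP in every mailbox plan so that newly created mailboxes
#    do not come back with the protocol switched on.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -ImapEnabled $false -WhatIf
}

# 4. Re-count after applying the changes to confirm nothing was missed.
$remaining = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled })
"Mailboxes with IMAP still enabled: $($remaining.Count)"

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with `-WhatIf` in place to review the affected mailboxes, then remove the switch to apply the change.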

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume IX, Number 205


About this Author

Sean Lawless
Infrastructure & Security Manager

Sean is Robinson+Cole’s Infrastructure & Security Manager, a member of the firm’s Data Privacy + Cybersecurity Team, and a non-attorney contributor to the Data Privacy + Cybersecurity Insider blog. He has spent more than a decade helping professional services organizations in various industries develop and implement practical information security programs based on industry standard frameworks. Sean holds a Bachelor of Science degree from the University of Connecticut and is a member of several cybersecurity professional organizations.

(360) 671-8112