New Phishing Campaign Using Microsoft’s Azure Blob Storage

Two, new email phishing campaigns have been identified with a unique twist.  The first is an email, notifying users of Office 365 that their account is out of date, and the information associated with the account needs to be updated.  This phishing email also threatens users that their subscription will be terminated unless they log in and update their account.

The second phishing email appeared to come from the business-oriented side of Facebook, called Workplace, and tried to trick users into clicking a “View More Posts” link.  Strangely, this link also went to a fake Office 365 login page instead of a fake Facebook page.

The twist on this phishing campaign that makes it stand out from others, is it used Microsoft’s Azure Blob Storage to host the campaign.  This extra creative step gave the attackers two advantages over what we normally tell users to look for, when they are inspecting suspicious emails.  Using Azure Blob Storage adds legitimacy to the phishing campaign because content hosted on the Microsoft service are given a windows.net URL.  To even discerning users, this windows.net address makes the content look as if it is actually coming from Microsoft.  The second advantage this service gave the attackers is that URLs hosted on Azure Blob Storage are given a wildcard SSL certificate.  This means the site had the familiar lock icon next to the URL that we associate with secure web pages.

What Can You and Your Business Do to Avoid These Advanced Traps?

Your users are still your biggest asset in avoiding these scams.  Continued education and reminders about what they should and should not be clicking on, need to be an ongoing process.  Even with these advanced tactics, there are still red flags in this campaign that should have stopped you from clicking.  In the first email, there was a threatening tone that your subscription will be terminated unless you click.  These phishing campaigns are written to create urgency and play on emotions.  The second email was seemingly for a Facebook Workplace page, but then landed users on an Office 365 page.  This is the level of attention needed to navigate these phishing campaigns.

As always, the best advice is to go straight to the source if you question an email.  In this example, instead of clicking the link in the email, type office.com into your web browser, log into your account as you normally would, and see if your account information needs updated.  The same goes for Facebook or Amazon.  If you get a suspicious email, instead of clicking the link, go directly to the site as you normally would, log in, and see if there is an issue.

Educating your users is the best defense against phishing campaigns like these.

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on FacebookTwitter and LinkedIn and stay up to date on by subscribing to our email list.

Posted by Charles Wright