Cybercriminals have been using a phishing kit featuring fake Office 365 password alerts as a lure to target the credentials of chief executives, business owners and other high-level corporate leaders. The scheme highlights the role and responsibility upper management plays in ensuring the security of their own company's assets.
In a blog post on Monday, researchers from Trend Micro reported that they uncovered 70 email addresses that have been targeted with the so-called "Office 365 V4 phishing kit" since May 2020, 40 of which belong to “CEOs, directors, owners and founders, among other enterprise employee[s].”
Ryan Flores, senior manager of forward-looking threat research in APAC region at Trend Micro, told SC Media that the finding was pretty striking, because typically you would see a spam or phishing campaign sent to a wide range of email addresses. But this one was “very deliberate” in that it “only sent to really a few people in that organization.”
And very high-ranking people at that: Just over 45 percent of targeted individuals carried the title of CEO. The next most frequently targeted titles were managing director (9.7%) and CFO (4.8%). The attack has spanned a wide range of industry sectors, including manufacturing, real estate, finance, government and technology, and nearly 74% of businesses known to be targeted were located in America.
“Based on the data distribution, CEOs in the U.S. are obviously the main targets of the threat actors that use the Office 365 V4 phishing kit,” the blog post concluded. “As seen in this particular campaign, the attackers target high profile employees who may not be as technically- or cybersecurity-savvy, and may be more likely to be deceived into clicking on malicious links.”
This is why executives must hold themselves to the same security standards that they would want their own employees to meet.
"CEOs and high-level executives are accustomed to being thought of as an organizations’ biggest asset, while increasingly attackers see them as the greatest vulnerability," said Eyal Benishti, CEO at IRONSCALES. "This is a dichotomy that executives must be humble enough to recognize as true, so that they can play an active role in their company’s risk mitigation. Overall, CEOs and other executives must lead from the front and act as a personal example to make sure everyone sees security as a top priority."
If these executives are tricked into giving away their passwords via malicious phishing pages – which are hosted on legitimate sites – then the criminals can use those passwords “for the purpose of conducting additional phishing attacks, gaining access to sensitive information or conducting other social engineering attacks." Business email compromise (BEC) targeting could occur, as could impersonation schemes that target other employees and third-party partners, the blog post noted.
Indeed, Trend Micro pointed to several dark web forums selling compromised executive Office 365 credentials at a cost of $250 to $500. The company could not be certain, however, if the V4 phishing kit was involved.
For that reason, “all employees, regardless of company rank, should exercise caution when reviewing and acting on email prompts for specific actions, especially from unknown sources,” the blog post cautions.
Unfortunately, this isn’t always an easy lesson to get across. According to Flores, CEOs and other top executives sometimes view email security mechanisms or policies as “an inconvenience to them” and because of that, they behave in a way that is “an exception to the rule.”
“We need to realize that these executives do hold a lot of power,” Flores continued. “If they get phished, [the attacker] would be able to control the email account of that particular c-level executive and [be privy to] possible business deals, trade secrets and whatever other business related things are happening.”
Benishti at IRONSCALES agreed that “there is definitely a subset of executives and upper-level management in the business world that does not practice what their organization preaches when it comes to security awareness training." In many cases, executives are even granted higher privileges or use their rank to be excluded from other security controls.
As to why certain executives behave in this risky manner, there are numerous factors.
"Some still believe that they are immune to being duped, even though they are well aware that phishing techniques have evolved in sophistication," said Benishti. "For others, it’s a matter of prioritization. Very few executives believe that the threats to their organization are overblown, but they may not have yet experienced a significant cyber breach, meaning the perception of the risks are not as real or time-sensitive as they should be."
Some senior executives also use a personal assistant to go through emails, which can impact the individual's ability to spot suspicious messages.
There are organizations out there that hold executives to high security standards. Brandi Moore, chief operating officer at Cofense, said her company’s customers “are very engaged with their c-suite, who often play a critical role in promoting the organization’s phishing threat detection program.
"Many of our clients see the CFO and the finance team as the most frequent reporters of phishing attacks to their SOC," she said. "For most of our clients, it’s much more likely that c-level executives are the biggest fans of the phishing simulation program versus believing the threat is overblown.”
Moreover, companies can take steps to help educate their executives on targeted threats by customizing their email security awareness training according to job function. "Phishing simulations and training must be individually tailored to specific departments and roles inside the organization in order to achieve its goals," said Benishti. "There simply is no one-size-fits-all when it comes to simulation and training."
Emails sent as part of the V4 phishing kit scam warned recipients that their Office 365 passwords were about to expire, giving them an option to click on a button that would allow them to keep their current credentials. But as the Trend Micro blog post notes, "legitimate service providers and vendors will never ask individual consumers and enterprise users for details such as account access credentials, and especially not to retain dated passwords.”
The phishing kit, which is available for sale on the dark web, uses several other notable tricks to help avoid detection. For starters, most of the emails were sent via a remote desktop protocol-based virtual private server (VPS) from FireVPS. Flores said this is to bypass certain blacklists by using innocent-looking IP addresses that appear to come from a normal laptop of desktop machine.
The phishing kit also has its own blocklist of domain names and IP address ranges "to ensure that access is blocked when accessed by security companies or large cloud providers," the blog post stated. "We assume the intention is to evade detection by security vendors as the list includes a number of antivirus companies, Google, Microsoft, VirusTotal, and a long list of other cybersecurity and technology companies, as well as public blocklisting sites." Additionally, the phishing kit can detect bot scans and web crawlers.
Additional information on the malicious operation can be found in this October 2020 Odix report.