Email security, Vulnerability Management

VIP impersonation attack on a Microsoft Office 365 environment targets 100,000 mailboxes

Microsoft logo
A Microsoft logo is illuminated at a trade show. (Photo by David Ramos/Getty Images)

Researchers reported that they used natural language understanding to thwart a VIP impersonation attack on a Microsoft Office 365 environment that targeted 100,000 mailboxes at a large educational institution.

In a Dec. 20 blog post, Amorblox researcher Lauryn Cash explained that the attackers spoofed the emails of two top directors, then sent emails in the alleged top-level individual’s name, including a signature that consisted of the director’s full name, credentials and title at the organization.

Instilling a level of urgency with the victim, the attackers claimed that a confidential task needed to be completed in an “Urgent request” to trusted employees that these directors work with regularly that warranted a response by the employee.

Cash said the attackers would then look to obtain confidential business data, user login credentials, and make requests for gift card purchases, bank accounts and routing numbers, which once obtained could then launch targeted and financially damaging attacks.

By using natural language understanding, Cash said Armorblox identified the scheme and blocked the email from ever reaching the victim.

While it’s possible to also view this attack as business email compromise, the wide scale of this (the entire organization) could also be threat actors looking to embed themselves more deeply in the organization, said Bud Broomhead, chief executive officer at Viakoo. 

“The recent trend towards cross-platform botnets, where the infection can come from Windows machines then spread to Linux and IoT devices, makes it possible that this attack was aiming at planting bots within the organization,” said Broomhead. “In addition to layering multiple cybersecurity solutions, organizations should assess and monitor their Linux and IoT assets so that the spread of malware laterally within the organization can be contained.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.