Original Release Date: 7/23/2020
A new phishing campaign utilizes enterprise cloud services, such as Microsoft Azure, Microsoft Dynamics, and IBM Cloud, in an attempt to steal login credentials. Cyber-criminals impersonate help desk staff via quarantined mail notifications, seemingly sent from noreply[@]servicedesk[.]com, that provide the option to release emails to the recipient’s inbox. The phishing emails contain a button labeled "RELEASE MESSAGES" or "CLEAN-UP CLOUD" that, if clicked, directs the target to a legitimate Microsoft Dynamics 365 URL that redirects to an IBM Cloud domain hosting the phishing landing page. If the password submitted in the form on this page does not meet password complexity requirements, the page returns a "wrong password" error; however, if the password submitted does meet the requirements, the target’s credentials are stolen in the background and the target is directed to another fraudulent page hosted on Azure. This page informs the target that their account has been updated and redirects to the website of the target’s email domain. Phishing campaigns that use enterprise cloud services gain legitimacy because those services automatically provide free SSL certificates, and they could potentially bypass spam filters and security products.
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to exercise caution with links, attachments, and spoofed domains received from unknown contacts; navigate directly to authentic vendor websites; and keep applications up to date. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. We advise users to review the NJCCIC product "Don’t Take the Bait! Phishing and Other Social Engineering Attacks" and the Cybersecurity Best Practices webpage for more information on how to keep accounts and data safe.
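For mail and proxy triage, the campaign traits described above (sender address, button labels, and a redirect chain that crosses several cloud services before returning to the recipient's own domain) can be checked per message. This is an added example, not NJCCIC code; the hostname suffixes, the `triage` function, and the sample chain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Indicators quoted in the advisory (stored defanged, refanged at load time).
SENDER_IOC = "noreply[@]servicedesk[.]com".replace("[", "").replace("]", "")
BUTTON_LABELS = {"RELEASE MESSAGES", "CLEAN-UP CLOUD"}

# ASSUMPTION: tenant hostname suffixes; the advisory names the services only.
CLOUD_SUFFIXES = {
    "Microsoft Dynamics": (".dynamics.com",),
    "IBM Cloud": (".appdomain.cloud",),
    "Microsoft Azure": (".azurewebsites.net", ".web.core.windows.net"),
}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def provider_of(url):
    """Return the named cloud service hosting this URL, or None."""
    host = host_of(url)
    return next((n for n, s in CLOUD_SUFFIXES.items() if host.endswith(s)), None)

def triage(sender, link_texts, redirect_chain, recipient):
    """Return the advisory indicators that one message matches."""
    hits = []
    if sender.strip().lower() == SENDER_IOC:
        hits.append("sender")
    if any(t.strip().upper() in BUTTON_LABELS for t in link_texts):
        hits.append("button-label")
    providers = []  # distinct services, in order of first appearance
    for url in redirect_chain:
        name = provider_of(url)
        if name and name not in providers:
            providers.append(name)
    if len(providers) >= 2:
        hits.append("cross-cloud-redirect:" + ">".join(providers))
    # Final hop back on the recipient's own mail domain, as the advisory describes.
    domain = recipient.rsplit("@", 1)[-1].lower()
    last = host_of(redirect_chain[-1]) if redirect_chain else ""
    if providers and (last == domain or last.endswith("." + domain)):
        hits.append("lands-on-recipient-domain")
    return hits

# Constructed sample chain: hostnames are placeholders, not observed infrastructure.
SAMPLE_CHAIN = [
    "https://tenant-placeholder.dynamics.com/r",
    "https://landing-placeholder.appdomain.cloud/login",
    "https://done-placeholder.azurewebsites.net/updated",
    "https://www.example.org/",
]
```

The redirect chain is whatever a URL sandbox or web proxy recorded for the clicked link; a single indicator is weak on its own, so treat the returned list as input to scoring rather than a verdict.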