VPN Impersonation Phishing Campaign

Summary

Abnormal Security discovered a VPN impersonation phishing campaign where threat actors impersonate a notification from the user’s organization regarding VPN configuration in an effort to steal Microsoft Office 365 credentials. The email contains a malicious link that, if clicked, will direct the user to a Microsoft Office 365 credential phishing website claiming to provide new VPN configuration for home access. Once the credentials are entered, they are sent to the threat actors. This attack can be particularly convincing and successful because threat actors spoof the recipient’s organization domain, host the landing page on a Microsoft-owned platform with a valid Microsoft webpage certificate, and use a URL as the anchor text to hide the real hyperlinked URL.

Recommendations

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to avoid clicking links or opening attachments from unknown senders and exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. Users are advised to enable multi-factor authentication where available to prevent account compromise as a result of credential theft. More information can be found in the Abnormal Security advisory.