Caleb Boma | January 21st, 2021

Threat actors are very capable when it comes to infiltration and phishing, but that doesn’t mean they won’t make mistakes. Researchers at two security firms published a joint report analyzing a lengthy phishing campaign whose operators left over 1,000 stolen Office 365 login credentials exposed.

The phishing campaign has lasted over 6 months and uses multiple sites to host its phishing pages.

The campaign itself was quite successful for the threat actors, as it evaded standard email protections, but the stolen credentials were publicly discoverable with a simple Google search: they were written to a publicly accessible file that Google was able to index.

Those behind the attack also compromised WordPress servers in order to host the PHP page served to victims of the campaign. The emails lured recipients into entering their login and password information into fake forms. In one instance discovered by the security researchers, the lure was a supposed Xerox scan notification delivered as an HTML link.

SpearTip experts don’t recommend clicking links when you don’t know the sender. For those victims who did click the link, it may have been tough to realize the dialog box wasn’t real. Once the link is clicked, JavaScript on the page checks that the entered credentials are valid, ships them off to the threat actor’s server, and uses a pop-up dialog box as a diversion. It displays a Microsoft-style dialog box over an image, with the user’s email address already filled in and the password field open.

Be wary of what you’re clicking on, and recognize that intrusions like this are the kind that can take down entire networks. No organization wants to experience widespread disruption, because it can halt operations and diminish brand value. Leave the protection of your data and environment to a trusted firm like SpearTip.

SpearTip’s Security Operations Center (SOC) specializes in preventing malware from entering networks. Our engineers work around the clock, 24/7, to monitor environments for malicious activity. As threat actors continue to be pervasive, we will remain attentive to their evolution.

If your organization experiences a breach, call our incident response hotline at 833.997.7327.