Compromising an employee’s email account can be profitable, and even disruptive if malware is inserted, but gaining access to an email domain’s administrator account is the winning lottery ticket for attackers. With that in mind, it is essential to be aware of phishing scams that are not targeting an organization’s users in general, but specifically its administrators.
Phishing campaigns targeting admins are becoming more common for a simple reason: a far wider range of attacks can be executed through an admin account. Think about it: an admin account holds credentials to important platforms, including bank accounts, internal platforms, and more. With admin credentials, attackers can potentially create new accounts under the organization’s domain, send mail as other users, and read other users’ mail.
Phishers have started creating campaigns disguised as Office 365 administrative alerts in order to gain access to an administrator’s account. These alerts are generally about a time-sensitive issue that requires an admin’s immediate attention, such as a problem with the mail service, unauthorized access having been discovered, and so on.
What Do Office 365 Admin Phishing Emails Look Like?
The example fake alert below states that an organization’s Office 365 licenses have expired and tells the user to log in to the Office 365 Admin Center to check their payment information.
Another commonly seen phishing email is one in which the phisher, pretending to be Office 365, alerts the admin that someone has gained access to one of their users’ email accounts. It then prompts the admin to “Investigate” the issue by logging in.
As expected, clicking a link in the phishing email brings you to a phishing landing page that asks you to enter your Microsoft credentials. Often this is a fake Microsoft login page that looks almost identical to the real one, even being hosted on a windows.net domain on Azure. Using Azure and a windows.net domain adds legitimacy to the login page, one more factor that helps trick the admin. To make it even more convincing, attackers host phishing pages on Azure that are served over HTTPS with a certificate issued by Microsoft, similar to the image below.
If an admin falls for this trick and enters their credentials into the page, those credentials are stolen by the attackers, who will then be able to access the Office 365 admin portal unless some form of two-factor authentication is in place.
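As an added, defender-side example (not part of the original post), the check below parses a constructed alert-style email and flags sign-in links that point anywhere other than an assumed allowlist of Microsoft sign-in hosts, calling out Azure-hosted windows.net names separately because, as described above, a valid certificate on such a domain does not make the page Microsoft’s. The allowlist, the lure phrases and the sample message are assumptions to adjust for your own tenant.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts where an admin legitimately signs in; adjust for your tenant.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "admin.microsoft.com", "portal.office.com"}
# Phrases from the lures described above (expired licenses, compromised mailbox, "Investigate").
LURE = re.compile(r"licen[cs]es?.*expir|unauthori[sz]ed access|gained access|investigate|payment information", re.I)

class LinkAndTextExtractor(HTMLParser):
    """Collects href targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)
    def handle_data(self, data):
        self.text.append(data)

def analyze(raw_email):
    """Return lure and sign-in-link findings for one RFC 822 message."""
    msg = message_from_string(raw_email)
    extractor = LinkAndTextExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            extractor.feed(part.get_payload(decode=True).decode(charset, "replace"))
    lure_text = msg.get("Subject", "") + " " + " ".join(extractor.text)
    findings = []
    for link in extractor.links:
        host = (urlparse(link).hostname or "").lower()
        if host in TRUSTED_LOGIN_HOSTS:
            continue
        # A valid certificate and a *.windows.net name prove only that the page is on Azure,
        # not that it belongs to Microsoft's sign-in service.
        if host.endswith(".windows.net"):
            findings.append(f"sign-in link on Azure-hosted domain: {host}")
        else:
            findings.append(f"sign-in link on untrusted host: {host}")
    return {"lure": bool(LURE.search(lure_text)), "findings": findings}

# Constructed sample modelled on the expired-licenses alert; not a real message.
SAMPLE = """\
From: "Office 365 Team" <alerts@example.invalid>
Subject: Action required: your Office 365 licenses have expired
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in to the Admin Center to check your payment information.</p>
<a href="https://o365-admin-billing.web.core.windows.net/login">Office 365 Admin Center</a>
</body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```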
Phishing scams like these are happening far too often, and admins with little or no proper security training are falling victim to them. Speak to your team, schedule security training regularly, and include the warning signs described above, such as these scam emails. It’s always better to be prepared than to become another victim and risk losing your precious data.