Phishing Attack Targets Microsoft 365 Users With Netflix & Amazon Lures
Cyberattacker TA2552 primarily targets Spanish speakers with messages that leverage a narrow range of themes and popular brands.
Security researchers have been tracking a phishing campaign that abuses Microsoft Office 365 third-party application access to obtain specific resources from victims' accounts. The attacker, dubbed TA2552, mostly uses Spanish-language lures and a narrow range of themes and brands.
These attacks have targeted organizations with a global presence but seem to choose victims who likely speak Spanish, report Proofpoint researchers who have been watching the threat. This activity appeared on the team's radar in January 2020 but could date back to August 2019.
The campaigns follow a similar flow: When a recipient clicks the link, they're redirected to the authentic Microsoft third-party application consent page at login[.]Microsoft[.]com and asked to grant or deny the requested permissions. If the browser isn't authenticated to Microsoft 365, the user is prompted to do so. When they grant consent, the third-party application will be able to access the currently authenticated Microsoft 365 account, researchers explain in a blog post.
With respect to these campaigns, the list of permissions allowed read-only access to data such as the user's contacts, profile, and mail, they say. If the user denies consent, the browser will redirect to an attacker-controlled page, giving the attacker a chance to try and trick them again.
"All permissions we've observed requested thus far have been read-only," the researchers explain. "While that might seem relatively benign, even allowing an actor read access to a user's inbox and contacts can have significant regulatory and privacy consequences." They stress the importance of understanding the risk of permissions requested by third-party apps.
The attack campaign regularly uses messages with Mexican tax and government themes; however, it has branched out to impersonate popular consumer brands. In July, it launched campaigns impersonating Netflix Mexico and Amazon Prime Mexico, researchers report.
Read the full writeup for more information.
About the Author(s)
You May Also Like
Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024Why Effective Asset Management is Critical to Enterprise Cybersecurity
May 21, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024