Malicious actors have recently been targeting Microsoft Office 365 users in two separate scams: one distributes the TrickBot information-stealing trojan via a fake website, and the other is a phishing campaign that sends fake alerts with the intent to take over the accounts of email domain administrators.
The scams are respectively detailed in a pair of reports from Bleeping Computer. The first report credits MalwareHunterTeam with uncovering a fake Office 365 site that displays a fake alert to site visitors, falsely stating that their browsers need an update.
Clicking on the update button downloads a malicious executable that installs TrickBot on victims’ computers. The malware then begins communicating with a command-and-control server to execute various modules capable of exfiltrating user machine details, installed program information, Windows services information, login credentials, browsing history, form autofill information, and more.
The second report warns that phishers are sending emails disguised as Office 365 admin alerts that purportedly address time-sensitive issues such as expired licenses or an unauthorized access incident.
But clicking on the email’s links takes victims to a phishing landing page that asks users to enter their Microsoft login credentials. To make it look authentic, the cybercriminals use a windows.net domain on Azure, plus a certificate from Microsoft.
“As you can imagine, if an admin falls for this scam and enters their credentials in the page they will be stolen by the attackers. Unless that account has some sort of two-factor authentication enabled on it, the attacker would be able to gain access to the Office 365 admin portal,” wrote report author Lawrence Abrams, creator and owner of Bleeping Computer.