The next evolution in Office365 phishing campaigns
It comes as no surprise that Office365 is one of the most targeted services for phishing attacks worldwide. Credentials for enterprise Microsoft accounts are some of the most valuable for threat actors, who can leverage this initial access vector for a number of activities. These range from stealing emails and business email compromise (BEC) to internal spear-phishing and malware attacks.

The latest wave of Office365 credential harvesting attacks involves multiple steps. These include the phishing email itself, a malicious URL, a legitimate document hosting service (such as *.clickfunnels[.]com or *.larksuite[.]com), and the fake login page. These phishing kits are also known as "LogoKit" because they can dynamically alter the page's appearance based on the domain in the target's email address.

Demo of how this works: https://app.any.run/tasks/e59d36ba-5a2c-49e3-8b59-8044bf593689/

(Fig. 1 - Current phishing chain leveraged in this campaign from January to F...