A recent phishing campaign is specifically designed to compromise administrators. Usually when we think of phishing, we think of scams that trick employees into entering or divulging information that lets scammers infiltrate a system. This recent Microsoft 365 phishing scam targets the administrator level instead. Admins are becoming a more popular target because of the greater range of attacks that can be carried out through an admin account. With admin credentials, attackers can potentially create new accounts under an organization’s domain, send mail as other users, and read other users’ email.
How does the Office 365 phishing scam work? To gain access to an administrator’s account, phishers have started creating campaigns disguised as Office 365 admin alerts. These alerts are typically about a time-sensitive issue that requires the admin’s immediate attention, such as a problem with the mail service or the discovery of unauthorized access.
An example of a fake alert found by BleepingComputer is one stating that an organization’s Office 365 licenses have expired. The mail then tells the user to log in to the Office 365 Admin Center in order to check their payment information.
How to avoid this type of phishing scam: Most administrators are wise to phishing scams, and those who are well aware will not fall for this one so easily. If the administrator is a novice or unqualified, the chances of the phishing scam working increase. Some businesses have someone who knows a little about computers taking care of their IT, and that can be a dangerous scenario for the business. Here are some ways to avoid Office 365 phishing scams, according to Help Net Security:
- Enable multi factor authentication on all accounts.
- Disable the IMAP protocol on all mailboxes in your environment.
- Provide administrators two different Office365 accounts, one for daily use associated with their user account that does NOT have administrator privileges and one specifically for performing administrator functions.
- Do not have a mailbox associated with any administrator accounts.
- Be aware that the actual Office365 portal domain is microsoftonline.com not windows.net.
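The following Exchange Online PowerShell session is an added example, not code from the original post or from Help Net Security. It puts three of the items above into practice: it finds and disables IMAP on every mailbox, flags Exchange admin accounts that still have a mailbox, and checks a link’s host against the genuine portal domain. It assumes the ExchangeOnlineManagement module is installed, that you are signed in with a dedicated admin account, and that “Organization Management” is the role group whose members count as administrators for your tenant (both assumptions, adjust to your environment).

```powershell
# Added example (not from the original post): audit and harden Exchange Online
# along the lines of the list above.
# Assumption: the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role that permits Set-CASMailbox.
Connect-ExchangeOnline

# 1. Report which mailboxes still have IMAP enabled, then turn it off.
$imapOn = Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled }
$imapOn | Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled | Format-Table
$imapOn | Set-CASMailbox -ImapEnabled $false

# 2. Admin accounts should not own a mailbox. Assumption: members of the
#    "Organization Management" role group are the admin accounts of interest.
$admins = Get-RoleGroupMember -Identity "Organization Management"
foreach ($a in $admins) {
    $mbx = Get-Mailbox -Identity $a.Identity -ErrorAction SilentlyContinue
    if ($mbx) {
        Write-Warning "Admin account '$($a.Name)' still has a mailbox ($($mbx.PrimarySmtpAddress))."
    }
}

Disconnect-ExchangeOnline -Confirm:$false

# 3. Before clicking a "sign in to the Admin Center" link, compare the host with
#    the real portal domain named above. Hypothetical helper, not part of any module.
function Test-PortalLink {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [System.Uri]$Url
    $host = $uri.Host.ToLowerInvariant()
    # Genuine sign-in pages sit under microsoftonline.com; anything else,
    # including look-alikes on windows.net, is treated as suspicious.
    if ($host -eq 'microsoftonline.com' -or $host.EndsWith('.microsoftonline.com')) {
        return $true
    }
    return $false
}

# Constructed sample links for illustration only.
Test-PortalLink 'https://login.microsoftonline.com/'          # True
Test-PortalLink 'https://login.microsoftonline.com.example.net/'  # False
```

Run step 1 on a pilot group first: any legitimate IMAP client (older scanners or ticketing systems, for instance) will stop working once the setting is off, and the report line shows you which mailboxes those are before the change is applied.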
Contact us at Customized Computer Services, Inc. (CCSI). CCSI has been serving the Dallas-Fort Worth area for 30 years. We specialize in helping our clients deal with possible phishing scams and other IT issues that may come their way.