Our HCM partner, isolved, recently published a case study of a phishing attack that abused Microsoft domain names. Employers and employees should be aware that attackers use Microsoft-owned domains in these cyber threats and should follow the advice below to protect your company’s data.
This month, isolved’s Cybersecurity team is highlighting the uptick in the malicious use of Microsoft domains. These phishing attacks are difficult to detect because they appear to come from Microsoft. We will discuss a real case that appeared at isolved and intelligence from our Managed Security Service Provider (MSSP) involving “attacker-in-the-middle” techniques to capture credentials.
Real Case: Your Microsoft Order On…
On a steamy September morning, Fred (name disguised) contacted a member of isolved’s cybersecurity team to report an unusual Microsoft email. He did not order any Microsoft products and questioned receiving such a notification.
The email appeared to come from a legitimate microsoft.com address ([email protected]). That, however, is only the displayed or “header” address. The actual “envelope” address was vt@dur*****shop.onmicrosoft.com (the bad actor’s address, disguised here). Anyone, including hackers, can create onmicrosoft.com addresses. They often make it through email security systems because onmicrosoft.com is a genuine Microsoft domain.
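The header-versus-envelope distinction above is something a mail filter or analyst can check mechanically. The following is an added example, not code from isolved or the case study: it parses a raw message with Python’s standard `email` module, compares the domain of the visible From: header with the domain recorded in Return-Path (where most mail servers store the SMTP envelope sender), and flags the two warning signs the case describes, a mismatch between the two and an envelope sender on a *.onmicrosoft.com tenant domain. The message and all addresses in it are constructed placeholders, not the real headers from the incident.

```python
"""Flag messages whose visible From: address does not match the envelope sender.

Added example (not from the isolved write-up). SAMPLE_MESSAGE is a constructed
message; its addresses are placeholders, not the ones from the real incident.
"""
import email
from email.utils import parseaddr

# Constructed sample. Return-Path is where receiving servers usually record the
# SMTP envelope sender (MAIL FROM), which the recipient never sees in their client.
SAMPLE_MESSAGE = """\
Return-Path: <vt@example-shop.onmicrosoft.com>
From: "Microsoft" <orders@microsoft.com>
To: fred@example.com
Subject: Your Microsoft Order On ...
Content-Type: text/plain

Thank you for ordering Global Microsoft 365 Business Premium.
"""


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyze_sender(raw_message: str) -> dict:
    """Compare the header (From:) sender with the envelope (Return-Path) sender.

    Returns the two domains and a list of human-readable findings; an empty
    findings list means none of the checked warning signs were present.
    """
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_domain = _domain(from_header)
    envelope_domain = _domain(msg.get("Return-Path", ""))

    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(
            f"header From domain '{from_domain}' differs from envelope domain "
            f"'{envelope_domain}'"
        )
    if envelope_domain.endswith(".onmicrosoft.com"):
        # *.onmicrosoft.com is a tenant-created domain: anyone who sets up a
        # Microsoft 365 tenant gets one, so it says nothing about who the sender is.
        findings.append("envelope sender uses a *.onmicrosoft.com tenant domain")
    if "microsoft" in display_name.lower() and from_domain != "microsoft.com":
        findings.append("display name claims Microsoft but From domain does not")

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze_sender(SAMPLE_MESSAGE)
    for finding in result["findings"]:
        print("SUSPICIOUS:", finding)
```

Run on the constructed sample, the function reports two findings: the From domain (microsoft.com) differs from the envelope domain, and the envelope domain is an onmicrosoft.com tenant. The same check on a message whose From and Return-Path agree reports nothing, which is the behaviour a filter rule built on this logic would rely on.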
Fred also noticed a few important points in the body of the phishing email:
- He never ordered Global Microsoft 365 Business Premium and immediately suspected the email to be fake.
- Fred’s eye went to the lowercase “ca”; he knew a genuine, professionally produced Microsoft email would capitalize the state abbreviation in an address.
- The address was not a physical isolved address at all.
- There was no PO #. The random string of numbers for the order ID looked bizarre.
Microsoft PowerApps Portal Domain Used for AiTM (Attacker-in-the-Middle) Attacks
isolved’s Managed Security Service Provider highlighted the use of powerappsportals[.]com in “attacker-in-the-middle” attacks to steal users’ MFA codes.
How does the attacker succeed?
- The hacker sends the user a phishing email with an attachment.
- The attachment contains a powerappsportals[.]com URL that leads the victim to a fake Microsoft login page.
- The page’s certificate raises no warning because it is a legitimately issued certificate for that Microsoft-owned domain.
- Victim enters username and password.
- The hacker intercepts the MFA code.
- The hacker now has all credentials harvested.
Recommended Actions
- Never click on any links or attachments without complete verification. This means calling to verify. Do not call the number in the email; search the internet for the organization’s actual number and verify that way.
- Never enter a password or credit card on a page you received from a link in a message. This is most likely a phishing attempt.
- Always review the body of the email for any irregularities and grammatical errors.
- Report all suspected phishing emails by clicking the Mimecast button at the top of your Office 365 email and selecting Report Phishing. This helps Mimecast’s artificial intelligence component become smarter.
If you have any questions, please contact your company’s IT department.
Trust Your Data with GTM’s Security Measures
At GTM, we understand that trust is the foundation of our relationship with you. When it comes to payroll, security, and compliance, these are not just priorities but imperatives. We are dedicated to maintaining the highest levels of data security, fraud prevention, and regulatory compliance to protect the sensitive information you entrust to us. Every GTM employee undergoes regular testing to ensure that we can identify phishing emails and other issues. In addition, GTM Payroll is compliant with the New York State Department of Financial Services cybersecurity regulation (23 NYCRR 500). We also require two-factor authentication for access to our systems, adding a layer of security that makes it more difficult for hackers to access a client’s or staff member’s devices or online accounts.