Admins working with Microsoft Azure beware: phishers are updating their assets to reflect changes on the company’s cloud-based login screen.
Microsoft announced the innocuous change to its Azure AD login screen on 26 February, rolling it out in the first week of April. The previous screen featured a login box against a full-frame photograph in the background. In the new version, Microsoft replaced the photograph with plain colours, reducing its sise by 99%. That’ll save network bandwidth and reduce page loading times, said executives at the time. Even though users may cache static page assets locally, they’ll still reload them eventually, and every little helps.
Online ne’er-do-wells work quickly, though, and it didn’t take long for phishing scammers to catch on. The company said in a tweet that it had seen multiple sites using the new background in a bid to lure Azure AD users into giving up their account info:
Office 365 ATP data shows that attackers have started to spoof the new Azure AD sign-in page in multiple phishing campaigns. We have so far seen several dozens of phishing sites used in these campaigns. pic.twitter.com/R8axe6Tgok
— Microsoft Security Intelligence (@MsftSecIntel) May 14, 2020
Azure AD is the cloud-based version of the on-premises Active Directory system that holds user authentication and access privilege data. The cloud version is the single sign-on gateway to a range of online applications, including Microsoft’s own cloud services, along with third party apps. As such, it’s the holy grail for phishing scammers who could gain access to lots of enterprise accounts in the cloud if they mount a convincing attack.
In one case, a scammer sent an email informing people that a fake OneDrive document was waiting for them. Clicking the link took them to the new sign-in page, Microsoft’s security intelligence team said.
One phishing campaign used emails with the subject line “Business Document Received”. The emails carry a PDF attachment that poses as a OneDrive document requiring the user to sign in. The link points to a phishing site that spoofs the new sign-in page. pic.twitter.com/sc0a4MeZgb
— Microsoft Security Intelligence (@MsftSecIntel) May 14, 2020
Microsoft’s cloud service isn’t just a popular trophy for phishers. They sometimes use it to host phishing material because Microsoft-owned domains are typically deemed trustworthy. One person explained the problem in a tweeted reply, and it looks like Microsoft was listening:
Saw this yesterday. Actor using the wellstoreco phishing kit. However, they are using this valid OneDrive pdf hosted on your platform that is still up! hxxps[://]onedrive[.]live[.]com/?authkey=%21AJTIJta4Ar7HeZY&cid=E84C0BFD1FC7BCAF&id=E84C0BFD1FC7BCAF%21136&parId=root&o=OneUp
— Aaron Rosenmund (@ARosenmund) May 15, 2020
User education is one way to prevent phishing attacks, but a layered defence strategy reduces the likelihood of an employee falling victim to an attack. One extra measure you can take is to customise the branding on your tenant-specific Azure AD login screen, although a determined and targeted attacker could simply copy your design. Another protective mechanism is the use of multi-factor authentication (MFA) so that users can’t get in with a password alone.
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.
