@www.microsoft.com - 15d
Multiple Russian threat actors have been identified targeting Microsoft 365 accounts using a device code authentication phishing technique. These attacks, observed since mid-January 2025, involve social engineering and spear-phishing campaigns, often disguised as communications from reputable organizations like the U.S. Department of State and the Ukrainian Ministry of Defence. Volexity has observed these campaigns targeting organizations to compromise Microsoft 365 accounts.
Microsoft Threat Intelligence Center has also discovered an active and successful device code phishing campaign by a threat actor tracked as Storm-2372, active since August 2024. The attacker creates lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. Targets include government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 aligns with Russian interests, victimology, and tradecraft.
Bill Toulas@BleepingComputer - 71d
A new phishing-as-a-service platform named "FlowerStorm" is rapidly gaining traction, filling the void left by the recent shutdown of the Rockstar2FA cybercrime service. This platform is specifically designed to target Microsoft 365 accounts, allowing threat actors to easily create and deploy phishing campaigns. FlowerStorm's emergence indicates a rise in sophisticated, automated attacks aimed at Microsoft users.
These campaigns, some of which have recently targeted 20,000 users across the UK and Europe, often use tactics such as DocuSign lures to attempt Azure account takeovers. The platform enables attackers to steal credentials and maintain persistent access to the cloud environment, potentially leading to data theft and extortion. This highlights the growing sophistication of cybercriminals and the ease with which they can launch complex phishing schemes.
@ciso2ciso.com - 36d
Two ransomware groups, identified as STAC5143 and STAC5777, are actively targeting Microsoft Office 365 users by exploiting default settings and using their own Microsoft 365 tenants. These groups are leveraging the platform's features, like Teams, to initiate contact with internal users under the guise of tech support. This tactic is being used to gain access to victim systems. This concerning activity highlights a weakness in the default configuration of Microsoft 365, which lets users in external tenants contact internal users over Teams, and the need for enhanced security measures.
Sophos researchers have detailed the tactics used by both groups. STAC5143 uses Teams’ remote control capabilities and deploys Java-based tools to exploit systems, retrieving Python backdoors via SharePoint links. Meanwhile, STAC5777 uses Microsoft Quick Assist and manual configuration changes to install malware, steal credentials, and discover network resources. Both groups share techniques with other known threat actors, like Storm-1811 and FIN7. These attacks often start with spam email bombing, sometimes sending 3,000 emails in an hour, followed by Teams calls requesting screen control for malicious purposes, highlighting a multi-pronged social engineering approach.
The Hacker News - 43d
A new sophisticated phishing kit, dubbed 'Sneaky 2FA,' is actively targeting Microsoft 365 accounts using an Adversary-in-the-Middle (AitM) technique. This kit, sold as phishing-as-a-service (PhaaS) by the cybercrime group 'Sneaky Log' through a Telegram bot, has been in operation since at least October 2024. The kit's primary method involves sending emails with fake payment receipts containing QR codes. These codes redirect victims to phishing pages that steal both login credentials and two-factor authentication codes, bypassing traditional security measures. The phishing pages are hosted on compromised websites, particularly WordPress sites, and have been observed to use blurred screenshots of legitimate Microsoft interfaces to trick users.
The Sneaky 2FA kit also employs several anti-analysis techniques to avoid detection. It filters traffic, uses Cloudflare Turnstile challenges, and performs checks to detect and resist analysis attempts using web browser developer tools. To avoid analysis, the kit redirects visitors from data centers, cloud providers, bots, proxies, or VPNs to a Wikipedia page. The kit's operators also use a central server to verify subscription licenses, which are sold for $200 a month. Analysis of the kit's source code reveals overlaps with W3LL Panel OV6, another AitM phishing kit exposed in 2023, indicating a potentially larger and interconnected threat landscape targeting Microsoft 365 users.
SC Staff@scmagazine.com - 44d
Hackers are exploiting the FastHTTP library, written in Go, to conduct rapid brute-force password attacks against Microsoft 365 accounts worldwide. These attacks are characterized by generating a high volume of HTTP requests aimed at Azure Active Directory endpoints. The technique leverages the high-performance nature of FastHTTP to accelerate credential-based attacks. SpearTip, an incident response firm, reported that this malicious activity began on January 6th, 2025. Analysis reveals a significant portion of the attack traffic originates from Brazil, with other countries like Turkey, Argentina, Uzbekistan, and Pakistan also involved.
These attacks primarily target the Azure Active Directory Graph API, utilizing the 'fasthttp' user agent. While most attempts failed due to authentication failures, locked accounts, and policy violations, a concerning 9.7% of attacks resulted in successful account takeovers. The attacks involved brute-force and multi-factor authentication fatigue attempts. Security experts recommend that administrators promptly assess potential compromises, manually verify user agents through the Azure portal, immediately expire user sessions, and reset account credentials upon detecting any suspicious activity. They also recommend a review of MFA devices linked to potentially compromised accounts.
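The two sign-in patterns described in this digest, device code authentication abuse (Storm-2372 and the campaigns Volexity reported) and high-rate 'fasthttp' password guessing (the SpearTip report above), both surface in Microsoft 365 sign-in telemetry. The following script is an added example, not code from Microsoft, SpearTip, Volexity or any vendor named on this page. It assumes sign-in records shaped like Microsoft Graph `signIn` objects (field names `createdDateTime`, `userPrincipalName`, `ipAddress`, `userAgent`, `authenticationProtocol`, `status.errorCode`); the sample records, IP addresses and accounts are constructed for illustration, and the error codes used in the sample are Entra ID AADSTS values.

```python
"""Triage constructed Microsoft 365 sign-in records for two patterns from the digest:
device-code-flow sign-ins and bursts of 'fasthttp' password-guessing traffic."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Field names follow the shape of
# Microsoft Graph signIn objects as an assumption; IPs are documentation ranges.
# status.errorCode uses Entra ID AADSTS codes: 0 = success, 50126 = bad password,
# 50053 = account locked, 53003 = blocked by Conditional Access policy.
SAMPLE_LOG = """\
{"createdDateTime": "2025-01-06T09:30:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.25", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/131.0", "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-06T10:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:02Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:04Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:06Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:08Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-06T10:00:10Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:12Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:14Z", "userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50053}}
{"createdDateTime": "2025-01-06T10:00:16Z", "userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:18Z", "userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-06T10:00:20Z", "userPrincipalName": "frank@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 53003}}
{"createdDateTime": "2025-01-06T10:00:22Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "userAgent": "fasthttp", "authenticationProtocol": "ropc", "status": {"errorCode": 50053}}
{"createdDateTime": "2025-01-06T11:15:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/132.0", "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse one JSON object per line (blank lines ignored) into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(rec):
    """Convert the record's ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def find_device_code_signins(records):
    """Return (user, source IP, app) for every sign-in completed via the device code
    flow. Legitimate use is typically rare and tied to CLI tools, so each hit is
    worth checking against the user's normal tooling and location."""
    return [
        (r["userPrincipalName"], r["ipAddress"], r.get("appDisplayName", "unknown"))
        for r in records
        if r.get("authenticationProtocol") == "deviceCode"
    ]


def fasthttp_summary(records, window=timedelta(minutes=1), threshold=10):
    """Group sign-ins carrying the bare 'fasthttp' user agent by source IP, find the
    peak number of attempts inside any `window`, and list accounts that succeeded."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("userAgent", "").lower().startswith("fasthttp"):
            by_ip[r["ipAddress"]].append(r)

    summary = {}
    for ip, recs in by_ip.items():
        times = sorted(_ts(r) for r in recs)
        peak, lo = 0, 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        successes = {r["userPrincipalName"] for r in recs if r["status"]["errorCode"] == 0}
        summary[ip] = {
            "attempts": len(recs),
            "peak_per_window": peak,
            "burst": peak >= threshold,
            "successful_accounts": sorted(successes),   # candidates for session revocation
            "success_rate": round(100 * len(successes) / len(recs), 1),
        }
    return summary


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    for hit in find_device_code_signins(recs):
        print("device code sign-in:", hit)
    for ip, info in fasthttp_summary(recs).items():
        print(f"fasthttp source {ip}:", info)
```

Accounts listed under `successful_accounts` are the ones the SpearTip guidance above applies to: expire their sessions, reset credentials and review the MFA devices registered to them. The device-code list is a starting point rather than a verdict; a developer running a CLI tool will also appear there, so compare each hit with the user's usual applications and sign-in locations.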
Mels Dees@Techzine Global - 40d
Microsoft has released updates to address critical issues affecting Windows Server systems. An out-of-band update, KB5052819, was issued for Windows Server 2022 to resolve a boot failure that occurred on systems utilizing two or more Non-Uniform Memory Access (NUMA) nodes. This issue primarily impacted enterprise environments where NUMA architecture is implemented to improve system performance. The update aims to restore proper boot functionality for those affected, and is available through the Microsoft Update Catalog.
Additionally, Microsoft has fixed a problem causing Microsoft 365 apps, including Classic Outlook, to crash on Windows Server 2016 and 2019 systems. The crashes, occurring within 15 seconds of startup, were caused by a recent Office update that integrated the React Native framework. The issue affected users on Version 2412 (Build 18324.20168). Microsoft has released an Office Suite update to correct this and is gradually rolling out the fix starting January 16th, 2025 (PST). Those who cannot apply the update immediately were given instructions to revert to Version 2411 (Build 18227.20162) as a temporary workaround.
@ciso2ciso.com - 50d
References: ciso2ciso.com
A new phishing campaign is targeting PayPal users by exploiting Microsoft 365 test domains. Scammers are registering free test domains and creating distribution lists, which they then use to send out legitimate-looking PayPal payment requests. This method allows the malicious emails to bypass traditional email security checks because they originate from a verified Microsoft source. The emails appear identical to genuine PayPal requests, making it difficult for email providers to detect and filter them.
When a recipient clicks on the provided link within the email, they are redirected to a PayPal login page, which is made to look like a legitimate payment request. If the user logs in, the scammer gains access to their account. This is because the login process links the victim's PayPal account to the distribution list address created by the attacker, not the actual recipient's address, effectively handing over control to the bad actor. Fortinet's CISO referred to this as "phish-free phishing" due to its effectiveness in bypassing security measures. To defend against this, users need to be trained to scrutinize unexpected payment requests, and organizations should implement data loss prevention rules that can flag suspicious emails with multiple recipients from a distribution list.
Mels Dees@Techzine Global - 40d
Microsoft has released an update, KB5052819, to resolve a boot issue affecting Windows Server 2022 systems. The problem occurred specifically on systems using two or more Non-Uniform Memory Access (NUMA) nodes, a memory architecture commonly found in enterprise environments that use multi-core processors. This issue prevented these servers from starting correctly, disrupting operations and impacting usability. The update addresses the bug that was causing the servers to fail to boot properly and is available for download from the Microsoft Update Catalog.
In addition to the boot problem, Microsoft has also acknowledged issues with the SgrmBroker service after the January 2025 updates to both Windows 10 and Server 2022. This service, which is part of System Guard and monitors the integrity of the system, was failing to start. An out-of-band update has also been released to fix this issue, which was identified by administrators and users after the installation of the January 2025 security updates. The SgrmBroker service problem was also impacting systems running under Hyper-V.