Phishing and O365
Sorry to all eager fishers out there. I don’t know too much about fishing for fish, but phishing for information is a subject I know rather better, since, as you might know, taking care of cyber security is one of the cornerstones of software and cloud projects. During the past months the media has been buzzing about the latest cyber attacks against several Finnish companies. These attacks have mainly targeted Office 365 users, and this seems to be a growing trend. The Finnish National Bureau of Investigation is currently investigating 50 attack cases, but that is most likely just the tip of the iceberg.
The procedure of these attacks is old and well known. The attacker sends an email that invites the user to visit a website which requires logging in to O365. The user is then directed to a realistic-looking but fake login page that collects the user’s login information for the attacker.
Why does the problem exist?
A significant number of O365 users and resellers are not necessarily technology-oriented, but rather sales professionals and users without admin access. Therefore, the majority of the companies using O365 have not configured the ‘Company branding’ feature on their login page. But why should everyone do this? Company branding in this case is essentially about editing the login page to match your company’s brand by changing elements such as the background image, icons and welcome text. Practically all phishing websites have been built to look like Microsoft’s default login page, so noticing the difference between these phishing websites and the real deal is a lot easier with a customized login page. Of course a phishing website can also be detected by examining the page’s address (URL), its HTTPS certificate and the lock symbol in the address bar. As an example, a Russian phishing site would most likely have an address such as http://xxx.ru/login and definitely not the real https://login.microsoftonline.com/.
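The address check described above can also be automated on the defender's side, for example in a mail gateway or a help-desk triage script. The following is an added example written for this post, not code from the original article: it takes every link in a mail body and asks whether it really points at the genuine Microsoft sign-in host, catching the common look-alike tricks (the real name used as a prefix of a longer host, the real name placed before an ‘@’, non-HTTPS links, punycode hosts). The allowlist of genuine hosts and the sample mail are constructed for the example; the post itself names only login.microsoftonline.com.

```python
"""Sign-in URL triage for O365 phishing mail (added example, not from the post)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Hosts accepted as genuine Microsoft sign-in pages. The post names only
# login.microsoftonline.com; the other two entries are an assumption.
GENUINE_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
})

# Brand strings whose presence in a non-allowlisted host marks a look-alike.
LOOKALIKE_MARKERS = ("microsoft", "office365", "o365", "outlook")

# Loose matcher for http(s) links inside a plain-text mail body.
URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+", re.IGNORECASE)


def classify_login_url(url: str) -> tuple[bool, str]:
    """Return (is_genuine, reason) for a URL a mail asks the user to sign in at."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    if parts.username is not None or parts.password is not None:
        # https://login.microsoftonline.com@evil.example/ really goes to evil.example
        return False, "user-info before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return False, "no host in URL"
    if port not in (None, 443):
        return False, f"non-standard port {port}"
    if host in GENUINE_LOGIN_HOSTS:
        return True, f"host {host} is a genuine sign-in host"
    if any(host.startswith(g + ".") for g in GENUINE_LOGIN_HOSTS):
        # login.microsoftonline.com.evil.example is a subdomain of evil.example
        return False, f"genuine name used as a prefix of {host}"
    if host.startswith("xn--") or ".xn--" in host:
        return False, f"internationalised host {host} may hide a homoglyph"
    if any(marker in host for marker in LOOKALIKE_MARKERS):
        return False, f"look-alike host {host}"
    return False, f"host {host} is not a Microsoft sign-in host"


def triage_mail_body(body: str) -> list[tuple[str, bool, str]]:
    """Run classify_login_url over every http(s) link found in a mail body."""
    return [(u, *classify_login_url(u)) for u in URL_RE.findall(body)]


# Constructed sample mail: two phishing-style links and one genuine one.
SAMPLE_MAIL = """\
Your mailbox is almost full. Sign in at http://xxx.ru/login to expand it.
Or use the secure portal https://login.microsoftonline.com.evil.example/o365
Legitimate link for comparison: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
"""

if __name__ == "__main__":
    for link, genuine, reason in triage_mail_body(SAMPLE_MAIL):
        print("OK  " if genuine else "WARN", link, "-", reason)
```

The scheme check is the weakest of these tests, since a phishing site can obtain an HTTPS certificate for its own domain just as easily as anyone else; the padlock only proves the connection is encrypted, not who is on the other end. The exact host comparison is the one that carries the weight, which is also why the post's advice to look at the address itself is the right one.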
Important steps to take
Custom branding is configured by logging in to https://portal.azure.com/ and choosing ‘Azure Active Directory’. After this you will find ‘Company Branding’ in the left sidebar. From there, click the plus icon, which allows you to add your company’s own images and elements to the login page. After customizing the login page, it is just as important to inform the personnel about the change and the reasons behind it, as well as how to detect a fake login page.
As a closing thought, phishing will end when the fish won’t take the bait anymore. More information on company branding can be found here.
Read more about the recent phishing cases in Finnish (Helsingin Sanomat, 21.3.2019): “Keskusrikospoliisi: Suomalaisyrityksiin tehty kymmeniä tietomurtoja”.