Security researchers observed phishers leveraging a fake VPN configuration notification to target employees' Office 365 credentials. Abnormal Security found that the campaign attempted to capitalize on the trend of organizations implementing VPNs for the purpose of securing their remote employees during COVID-19. As quoted by the security platform:
The attack impersonates a notification email from the IT support at the recipients’ company. The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access.
A sample attack email observed in this campaign (Source: Abnormal Security) But the link didn't redirect recipients to a new VPN configuration. Instead, it sent them to a phishing landing page hosted on a Microsoft .NET platform. By hosting their resource on a Microsoft-owned platform, the phishers gave their phishing page a sense of legitimacy in the form of a valid Microsoft certificate. This resource complemented the website's design, which appeared identical to the actual Office 365 login page. Those responsible for this fake VPN configuration campaign leveraged the above-mentioned tactics together in the hope that users would feel safe enough to submit their Office 365 credentials. Whenever someone complied and attempted to authenticate themselves, the campaign sent their details over to the attackers. The malicious actors could have then abused those details to access their victims' work accounts in order to steal sensitive data and/or conduct secondary attacks within a targeted organization. This phishing campaign highlights the intent of malicious actors to continue preying upon organizations while they adjust to the security challenges of COVID-19. Acknowledging such determination, organizations should make an effort to defend themselves against an email-based attack. One of the best ways they can do that is by familiarizing their employees with some of the most common types of phishing campaigns in circulation today. This resource provides an excellent starting point.