Skip to main content

This Microsoft 365 spear-phishing campaign has been running riot for over a year

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock )

Cybersecurity researchers at Microsoft have shared extensive details about a long-running highly evasive spear-phishing campaign that has targeted Office 365 customers since at least July 2020.

In a blog post, the Microsoft 365 Defender Threat Intelligence Team shares that the campaign began with the objective of harvesting usernames, and passwords, but has since moved on to collate other information such as IP addresses and the location of its victims, which the attackers supposedly use in later infiltration attempts.

“This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving,” the researchers note.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

Since the campaign includes various details about the targets, such as their email address and company logo to appear genuine, Microsoft believes the attackers had garnered these details during an earlier reconnaissance exercise.

Constantly evolving threat

The security researchers note that this campaign is also a prime example of how email-based attacks continue to make novel attempts to bypass email security solutions.

For instance, to keep the security teams on their toes, the attackers changed obfuscation and encryption mechanisms every 37 days on average.

This campaign uses multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript, as well as multilayer obfuscation in HTML to evade browser security solutions.

“These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments,” share the researchers, noting that some of the code segments of the campaign reside in various open directories and are called by encoded scripts.

Comparing it to a jigsaw puzzle, the researchers noted that the pieces of the campaign appear harmless individually, and only reveal their sinister intent once they are combined.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.