During the last couple of days, Northwave researched a phishing campaign that is affecting multiple Dutch organisations. The malicious actors try to steal credentials to Office 365 environments.
The victim receives a message from a known person (who has the victim in their address book), with the request to open a link to a PDF file for review. The subject of this email looks like “REVIEW – ” or “AANHANGSEL – ”. If the victim opens the link, he/she is led to a PDF file that contains another link, to the document the victim is supposed to review. If the victim follows this link, he/she is asked to log in to a fake Office 365 environment.
If the victim fills in his or her credentials, the malicious actor will use them to log in to the Office 365 environment. The victim’s mailbox will then be used to send a new phishing email to his/her contacts.
The ultimate goal of this campaign is not yet clear. For now it seems that the actor is mainly hunting for more credentials. It is possible that the actors are looking to steal confidential information, and they might be looking for an “interesting” account.
- Be on the lookout for messages with subjects like “REVIEW – ”, “AANHANGSEL – ” or similar emails that ask a user to click a link to a file-sharing site not used by your organisation.
- Throw away the email message.
- Use multi-factor authentication on your (Office 365) environment.
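The first recommendation can be turned into a mail-triage check: match the subject prefixes named above and report links to hosts outside the domains your organisation uses. The Python below is an added example, not Northwave's tooling; the `ALLOWED_DOMAINS` allowlist, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Subject prefixes from the advisory; tolerate RE:/FW: and "-", en dash or em dash.
SUBJECT_RE = re.compile(
    r"^\s*(?:(?:re|fw|fwd)\s*:\s*)*(?:REVIEW|AANHANGSEL)\s*[-\u2013\u2014]", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumption: domains your organisation really uses for mail and file sharing.
ALLOWED_DOMAINS = {"example.org"}

def link_hosts(msg):
    """Hostnames linked from the text/plain and text/html parts of a message."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlsplit(url).hostname
                if host:
                    hosts.add(host.lower().rstrip("."))
    return hosts

def is_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def triage(raw_message):
    """Flag mail whose subject matches and that links outside the allowlist."""
    # policy.default decodes RFC 2047 encoded subjects before matching.
    msg = message_from_string(raw_message, policy=policy.default)
    subject_match = bool(SUBJECT_RE.match(str(msg["subject"] or "")))
    unknown = sorted(h for h in link_hosts(msg) if not is_allowed(h))
    return {"subject_match": subject_match, "unknown_hosts": unknown,
            "flag": subject_match and bool(unknown)}

# Constructed samples (not campaign mail); all hosts are placeholders.
SAMPLE_SUSPICIOUS = (
    "From: colleague@example.org\n"
    "Subject: =?utf-8?q?REVIEW_=E2=80=93_Q3_contract?=\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Please review: https://files.fileshare-placeholder.example/d/abc.pdf\n"
)
SAMPLE_BENIGN = (
    "From: colleague@example.org\n"
    "Subject: REVIEW - budget\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "See https://sharepoint.example.org/sites/finance/budget.xlsx\n"
)
if __name__ == "__main__":
    print(triage(SAMPLE_SUSPICIOUS), triage(SAMPLE_BENIGN))
```

Because these messages arrive from a known contact's real mailbox, the sender address is not a usable signal here; the check relies only on the subject and the link destination.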
Do you have an incident right now? Call our CERT number: 0800-2255 2747
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.