The past couple of weeks, ever since schools shut down, I have been seeing quite a few phishing e-mails coming from compromised Office365 accounts for various *.edu domains. Stanford, Poly, Ball State, and a few others.

They all have these in common:

  • from an outlook.com server

  • have a hyperlink to “something”

  • have text in the body along the lines of “sorry for not sending to you sooner”

My e-mail users are pretty good at Phish Alerting these e-mails, which is a relief, but many of the phishing e-mails I have been alerted to over the past few months have been from compromised Office365 accounts as well.

Makes me wonder about the security of Office365, or is this just a case of bad choices by Office365 account holders? Thoughts?

15 Spice ups
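The three traits listed in the post above (an outlook.com relay in the headers, a hyperlink, and the "sorry for not sending this sooner" wording) can be turned into a small triage check for a mail gateway or a Phish Alert queue. This is an added example, not code from the thread, KnowBe4 or Microsoft; the regular expressions are my own assumptions about what to match, and the sample messages, domains and relay hostname are constructed for the example.

```python
"""Triage helper for the phishing pattern described in the thread (added example).

A message is flagged when it shows all three traits the original post lists:
  1. it was relayed through an outlook.com server (seen in a Received: header),
  2. the body carries a hyperlink,
  3. the body uses the "sorry for not sending this to you sooner" lure.
The sample messages at the bottom are constructed for this example; no real
mail, domain or header values are used.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicator patterns (assumed; tune them to what your own mail stream shows).
OUTLOOK_RELAY = re.compile(r"\b[\w.-]+\.outlook\.com\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
APOLOGY_LURE = re.compile(r"sorry\s+for\s+not\s+sending\b.{0,40}?\bsooner",
                          re.IGNORECASE | re.DOTALL)


def _body_text(msg):
    """Concatenate every text/plain and text/html part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    return "\n".join(chunks)


def _sender_domain(msg):
    """Domain portion of the From: address, lower-cased ('' if absent)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the indicator hits for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = _body_text(msg)
    received = msg.get_all("Received", [])
    indicators = {
        "outlook_relay": any(OUTLOOK_RELAY.search(str(h)) for h in received),
        "has_link": URL.search(body) is not None,
        "apology_lure": APOLOGY_LURE.search(body) is not None,
    }
    return {
        "from_domain": _sender_domain(msg),
        "indicators": indicators,
        "score": sum(indicators.values()),
        # All three traits together is the pattern worth a Phish Alert / abuse report.
        "suspicious": all(indicators.values()),
    }


def _build_sample(from_addr, relay_host, html):
    """Constructed test message: one Received: hop plus a text+HTML body."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "helpdesk@example.org"
    m["Subject"] = "Shared document"
    m["Received"] = (f"from {relay_host} (203.0.113.10) by mx.example.org "
                     "with ESMTPS; Tue, 24 Mar 2020 10:00:00 +0000")
    m.set_content("Please view this message in an HTML-capable client.")
    m.add_alternative(html, subtype="html")
    return m.as_string()


SAMPLES = {
    # Mirrors the thread's pattern: O365 relay, link, apology lure (constructed).
    "lure": _build_sample(
        "staff@sample-college.example",
        "relay.outbound.protection.outlook.com",
        "<p>Sorry for not sending this to you sooner. "
        "<a href=\"https://docs.example.net/view\">Open the document</a></p>"),
    # Ordinary vendor mail: a link, but no O365 relay and no lure wording (constructed).
    "benign": _build_sample(
        "billing@vendor.example",
        "smtp.vendor.example",
        "<p>Your invoice is ready at "
        "<a href=\"https://portal.vendor.example/invoice/42\">the portal</a>.</p>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The `from_domain` field is there so that a hit can be routed to the right abuse contact, which is what the later posts in the thread recommend doing with the headers. On its own, an outlook.com relay is just evidence that the sender uses Office 365, so the script only marks a message `suspicious` when all three traits line up; a single hit is a low score, not an alert.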

Full disclosure, not listed in my OP. I use on-prem, so cannot comment with authority on security related issues for Office365 accounts. I do have users, though. :slight_smile:

Working at a college that uses Office 365 I have not seen any particular issues with Microsoft’s security. I have seen a LOT of users that will click on anything sent to them and fill in their account information, or even simply reply back with the information. There is a huge difference between intelligence and wisdom. Just because someone holds a PhD doesn’t mean they won’t fall for the most obvious of phishing scams.

2 Spice ups

Pretty good security options for O365, though of course that depends on the level of licensing you have and if whoever is administering it has set up all those options.

I’m guessing it’s probably mostly a result of users compromising their accounts in tenants that aren’t set up to make that much more difficult.

I assumed this was mostly user error, resulting in compromised accounts. Microsoft does have its share of security issues in products they create, but I never assumed them to be careless. That being said, I can honestly say I am getting more phishing e-mails from Office365 accounts than Gmail accounts so far this year. And that is saying something! Perhaps that is more an indication of the success of Office365 taking over everyone’s e-mail management. Me, I still like managing my own server, but perhaps I am just crazy that way. :slight_smile:

If any others of you out there are seeing similar trends, please share your observations. That is, after all, what these forums are all about.

I have seen a few of these as well. It’s weird when they start coming from .edu and .gov emails.

Most of them say something along the lines of: “Important COVID-19 update! Click Here to read!” No shame at all with these people.

If I get compromised emails from a .edu I always do the decent thing and forward a copy of the header to the IT team at the .edu - they’re easy enough to contact.

1 Spice up

My vote is on poor end user decisions. Some users will literally click on every link until you instill the fear of a Chuck Norris roundhouse kick to them. Joking aside, it’s a training issue.

Can’t spice this enough. Years ago, I started a new job as NetAdmin at a not for profit (.org) that had a poorly configured GroupWise server. In my first couple of weeks on the job I received many emails warning of compromise. It helped us lock things down while we worked on the new Exchange environment. I try to do the same for others whenever possible.

I typically notify our customers and vendors when we get an e-mail like this. If it’s a potential customer, I might do this also. For most, if it’s just a one-off, I tend to ignore it, other than making sure that the recipient deleted or phish alerted the e-mail. If it’s a large group, or multiple sends, I will definitely try to reach out to that organization’s IT Department and let them know. Part lazy, part other things going on, I suppose…

Yikes! Thanks for looking out - the bad guys like to do multiple attempts from a similar account name to ensure eventually someone will fall for their scam.

Just curious, is your team using a phish alert tool? If not, may I suggest the free Phish Alert Button. :slight_smile:

Funny you should ask, @melissa-knowbe4. We are indeed a customer, and have the Phish Alert plug-in deployed. The button does not work for us as we have on-prem Exchange 2016. My understanding is that the button worked for 2010 (maybe 2013), but not 2016 and up, unless you have Office 365. Or perhaps that was an Office version compatibility thing.

Hello!

These resources should be able to help you out: Phish Alert | KnowBe4
PAB does work on the 2016 version, you just can’t use the Office 365 version:

Hope this helps!

I haven’t seen any coming from .edu addresses yet.

The campaign seems to have died down…for now. Lately, it has been compromised customer/vendor accounts I have been dealing with. Some Office365, some Gmail, and some spoofers out of Asia (mostly China) and Africa. Oh, the joys of e-mail security!