
Microsoft Users Hit with Phishing Kits Hosted on Thousands of Domains



Microsoft's users were the most targeted by phishing campaigns among the top targeted brands, with attackers using thousands of domains registered specifically to harvest credentials from their targets.




6,035 domains were used to host 120 phishing kit variants, according to Akamai’s 2019 State of the Internet / Security Report, with users and employees of high-tech companies being the ones most attacked.


"Following that, financial services, with 3,658 domains and 83 kit variants, was the second most-targeted industry," Akamai says. "E-Commerce (1,979 domains, 19 kit variants) and media (650 domains, 19 kit variants) rounded out the list. In all, more than 60 global brands were targeted during the reporting period."


Overall, Microsoft, PayPal, DHL, Dropbox, DocuSign, and LinkedIn were the top targets for phishers throughout this year in the attacks Akamai's researchers detected.




Over 20% of phishing domains target Microsoft users

During an observation window of 262 days, roughly 22% of the total number of domains (3,897 domains and 62 kit variants) were used in Microsoft-focused campaigns, while PayPal accounted for 9.37% (14 kit variants), DHL for 8.79% (7 kit variants), and Dropbox for 2.59% (11 kit variants) of total domains.


"LinkedIn (6 kit variants) and DocuSign (4 kit variants) were also observed across more than 300 domains each," Akamai also found.


While monitoring phishing campaigns, Akamai discovered that approximately 60% of all phishing kits they observed were active for up to 20 days during the reporting period, a trend that has become the norm among phishing attacks during 2019.


"Phishing is a long-term problem that we expect will have adversaries continuously going after consumers and businesses alike until personalized awareness training programs and layered defense techniques are put in place," said Martin McKeay, Editorial Director of the State of the Internet/Security report for Akamai.


All in all, over 2,064,053,300 unique domains related to malicious activity were observed by Akamai's research team over a span of two months, with about 89% of them having a lifespan of fewer than 24 hours, while 94% were active for less than three days.




96.64% of the 1,831,417,850 malicious .com domains spotted by the researchers were active 3 days or less, mainly because of their use for botnet traffic.


Furthermore, out of all phishing attacks detected in 2019, 74% were credential phishing campaigns according to the Cofense Annual Phishing Report 2019 published today.


"During the first half of 2019, three out of four phish we saw in customers’ environments were credential phish," says Cofense. "With stolen user names and passwords, a threat actor has access to a corporate network and can pass for a legitimate user."

Blocking phishing campaigns a continuous effort

Microsoft's Defender ATP Research team spotted a large-scale spear-phishing campaign targeting roughly 100 organizations during early July, using malspam emails distributing LokiBot information stealer payloads.


As Microsoft said at the time, "the behavior-based machine learning models built into Microsoft Defender ATP caught attacker techniques at two points in the attack chain."


The company is currently rolling out an enhanced notification system for phishing messages for admins in all Microsoft 365 environments and a new 'Unverified Sender' feature to make it simpler for users to detect potential spam or phishing emails delivered to their Outlook clients' inboxes.


Redmond also increased DKIM key sizes to 2048-bit from 1024-bit for all customers to further enhance the security of all Office 365 environments.


"If you already have your default or custom domain DKIM enabled in Office 365, it will automatically be upgraded from 1024-bit to 2048-bit at your next DKIM configuration rotation date," Microsoft stated.


In June, Microsoft Office 365 admins and users were also urged by the company not to bypass the built-in spam filters as part of a support document that also provides guidelines for cases when this can't be avoided.

