Researchers at GreatHorn have identified what they are calling a widespread attack in which attackers spoofed both the Microsoft brand in the display name and the Barracuda Networks brand in the Return-Path and Received headers, with the goal of stealing credentials.
The attack is notable in that the Return-Path spoofs noreply.barracudanetworks.com. “The attackers crafted the received headers so that it appears to have gone through multiple ‘Barracuda’ hops prior to sending the email via a server designed to look like a Barracuda server. Microsoft has then automatically appended legitimate received header details to the spoofed headers, making it appear that much more legitimate,” researchers wrote.
According to today’s blog post, attackers leveraged a known security flaw in Microsoft’s handling of authentication frameworks. Rather than honoring the sending domain’s Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy on how failures and exceptions should be handled, “Microsoft Office 365 typically ignores those directives and, at best, treats them as spam or junk instead of quarantining or rejecting them, making it more likely for the user to interact with such spoofs.”
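The three signals described above (a brand in the display name that the From domain does not belong to, a Return-Path that is not aligned with the From domain, and forged Received hops sitting below the hop the receiving gateway itself appended) can be checked mechanically during triage. The following is an added illustration, not code from GreatHorn or the blog post; the sample message, the `OUR_HOSTS` gateway suffix, and the `BRANDS` domain list are constructed assumptions for the example. The key idea is the trust boundary in the Received chain: only hops stamped “by” a host we operate are reliable, and the oldest of those records which host actually connected to us, so any brand named only in older hops is unverifiable.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumption: Received headers stamped "by" a host under this suffix were
# written by our own gateway and can be trusted; everything older is not.
OUR_HOSTS = ("protection.outlook.com",)

# Assumption: brand names and the domains that legitimately send as them.
BRANDS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "outlook.com"),
    "barracuda": ("barracudanetworks.com", "barracuda.com"),
}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.I)

# Constructed sample modeled on the article: Microsoft display name, a
# noreply.barracudanetworks.com Return-Path, and forged "Barracuda" hops
# beneath the single hop our gateway appended.
SAMPLE_RAW = """\
Received: from mx-attacker.example (mx-attacker.example [203.0.113.45])
 by trusted-gw.protection.outlook.com with SMTP; Wed, 1 Jan 2020 10:00:00 +0000
Received: from bsmtp.barracudanetworks.com (bsmtp.barracudanetworks.com [203.0.113.45])
 by mx-attacker.example with ESMTP; Wed, 1 Jan 2020 09:59:58 +0000
Received: from cuda-inbound.barracudanetworks.com by bsmtp.barracudanetworks.com; Wed, 1 Jan 2020 09:59:55 +0000
Return-Path: <bounce@noreply.barracudanetworks.com>
From: "Microsoft Account Team" <security@contoso-mail.example>
To: victim@example.org
Subject: Action required: verify your account

Please sign in to keep your account active.
"""

# Constructed benign sample: aligned identifiers, no hops below our gateway.
LEGIT_RAW = """\
Received: from mail.contoso-mail.example (mail.contoso-mail.example [198.51.100.7])
 by trusted-gw.protection.outlook.com with SMTP; Wed, 1 Jan 2020 10:00:00 +0000
Return-Path: <no-reply@contoso-mail.example>
From: "Contoso Billing" <billing@contoso-mail.example>
To: victim@example.org
Subject: Your invoice

Attached.
"""


def _same_org(a, b):
    """Relaxed alignment: equal, or one is a subdomain of the other."""
    a, b = a.lower(), b.lower()
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def _domain(addr_header):
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def split_received_chain(received, our_hosts=OUR_HOSTS):
    """Walk hops newest-first; once a hop was not stamped by us, it and all
    older hops are attacker-writable."""
    trusted, untrusted = [], []
    for hop in received:
        m = BY_RE.search(hop)
        by_host = m.group(1) if m else ""
        if not untrusted and any(_same_org(by_host, h) for h in our_hosts):
            trusted.append(hop)
        else:
            untrusted.append(hop)
    return trusted, untrusted


def analyse(raw, our_hosts=OUR_HOSTS, brands=BRANDS):
    """Return a list of human-readable findings for the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    findings = []
    name, _ = parseaddr(msg.get("From", ""))
    from_domain = _domain(msg.get("From", ""))
    rp_domain = _domain(msg.get("Return-Path", ""))

    # 1. Display name claims a brand the From domain does not belong to.
    for brand, domains in brands.items():
        if brand in name.lower() and not any(_same_org(from_domain, d) for d in domains):
            findings.append(f"display-name brand '{brand}' does not match From domain {from_domain}")

    # 2. Return-Path (the SPF identifier) not aligned with From: SPF alone
    #    cannot produce a DMARC pass for this message.
    if rp_domain and from_domain and not _same_org(rp_domain, from_domain):
        findings.append(f"Return-Path domain {rp_domain} not aligned with From domain {from_domain}")

    # 3. Brand domains that appear only in hops we did not write, while the
    #    host that really connected to us (our oldest trusted hop) differs.
    trusted, untrusted = split_received_chain(received, our_hosts)
    connecting = ""
    if trusted:
        m = FROM_RE.match(trusted[-1])
        connecting = m.group(1).lower() if m else ""
    for brand, domains in brands.items():
        claimed = [h for h in untrusted if any(d in h.lower() for d in domains)]
        if claimed and not any(_same_org(connecting, d) for d in domains):
            findings.append(
                f"{len(claimed)} unverifiable Received hop(s) claim {brand}; "
                f"actual connecting host was {connecting or 'unknown'}"
            )
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_RAW):
        print("SUSPICIOUS:", line)
    print("benign findings:", analyse(LEGIT_RAW))
```

In production the same logic would run against the gateway's own Authentication-Results header rather than re-deriving alignment, and the gateway host list would come from configuration rather than a constant; the point of the example is where the trust boundary in the Received chain lies and which identifiers have to agree for DMARC to pass.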
That a major tech company has not embraced DMARC is in line with the findings of a recent report, Tech Companies Make Progress in Anti-Phishing Protection, published by ValiMail. The report found that 90% of large tech companies are vulnerable to spoofing, yet only 49% of global technology companies are already enforcing DMARC anti-phishing technology.
“This is a good example of how attackers are adapting to user awareness and preventative technology,” said Terence Jackson, chief information security officer at Thycotic. “User education and email protection technology is needed, but we have to make sure that user training is continuous and the technology we put into place is not static but dynamic and utilizes a degree of machine learning to analyze these types of new attacks.
“Attackers are going to great lengths to obtain user credentials to access sensitive data. Hopefully GreatHorn’s customers had multifactor authentication enabled, which should have limited the scope of this attack. But as we’ve seen before, users tend to reuse passwords on multiple sites, which again highlights the need for the use of password managers and better personal cyber hygiene.”