Cybercriminals using Microsoft Azure (and other public cloud infrastructure) to host their attacks is not new. The twist here is how Azure is being used in a phishing campaign that impersonates Workplace by Facebook notifications to collect user credentials. Considering that Workplace has very low adoption to date (less than 1% by some accounts), you have to ask why the campaign targets Workplace users at all. The campaign's ultimate goal is Microsoft Office 365 credentials, but the combination of elements it uses is still unusual.
As usual, everything starts with a traditional phishing email. This campaign sends Workplace by Facebook notification emails, tempting the recipient with multiple links.
While the message has all the apparent legitimacy of a valid Workplace notification, clicking View More Posts redirects the user to a fake Office 365 login page hosted on Microsoft Azure. To increase the implied legitimacy, the unsubscribe link points to a valid Workplace page, albeit one belonging to an organization completely unrelated to this specific notification, so a reputation check on that link alone would pass.
Geographically, both emails originated from IP addresses assigned to Private Layer INC in Switzerland. Certain geographies are stereotyped as the source of much of the nefarious activity on the internet, but this is another example of how infrastructure at any hosting provider, in any country, can be rented or abused by attackers. It is easy to generalize "we won't accept email from country X", but unfortunately no country is truly safe to trust on that basis.
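The two checks a mail gateway or analyst would apply to a message like this are (a) whether the links in a Workplace-branded notification actually lead to Workplace, and (b) which IP address handed the message to our own MX, so it can be looked up by ASN rather than country. The following Python is an added example written for this page, not code from the original post or from any vendor; the sample email, the "Received" chain, the azurewebsites.net hostname and the documentation-range IP addresses in it are constructed, and the lists of expected Workplace domains and Azure hosting suffixes are assumptions you would tune for your own environment.

```python
"""Flag Workplace-branded notification emails whose links leave Workplace/Facebook
and extract the IP that connected to our MX (added example, constructed input)."""
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains a genuine Workplace notification would link to.
EXPECTED_DOMAINS = ("workplace.com", "facebook.com")
# Assumption: Azure app/storage suffixes commonly used to host phishing pages.
CLOUD_HOSTING_SUFFIXES = ("azurewebsites.net", "web.core.windows.net",
                          "blob.core.windows.net")

# Constructed sample: hostnames, addresses and dates are illustrative only.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
 by mx.example.com with ESMTP; Mon, 1 Jan 2018 00:00:00 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
 by mail.example.net with ESMTP; Mon, 1 Jan 2018 00:00:00 +0000
From: Workplace <notification@example.net>
To: user@example.com
Subject: You have new posts in your group
Content-Type: text/html; charset="utf-8"

<html><body>
<p>There are new posts in your group.</p>
<a href="https://example-login.azurewebsites.net/office365">View More Posts</a>
<a href="https://www.workplace.com/">Go to Workplace</a>
<a href="https://www.facebook.com/workplace/unsubscribe">Unsubscribe</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def host_matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one (no substring tricks)."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def analyze_email(raw):
    """Return every link that leaves the expected domains, with a reason."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for text, href in collector.links:
        host = urlsplit(href).hostname or ""
        if host_matches(host, EXPECTED_DOMAINS):
            continue  # a link to Workplace/Facebook is what the brand implies
        reason = "link leaves expected domains"
        if host_matches(host, CLOUD_HOSTING_SUFFIXES):
            reason = "link points to a public-cloud-hosted site"
        findings.append({"text": text, "host": host, "reason": reason})
    return findings


def connecting_ip(raw, our_mx):
    """IP in the Received header written by our own MX (the only hop we can trust).

    Earlier Received lines are supplied by the sender and can be forged, so we
    only read the line that says 'by <our_mx>'. The result is what you would
    feed into a WHOIS/ASN lookup (e.g. to learn the address belongs to a hoster).
    """
    msg = message_from_string(raw, policy=default)
    for received in msg.get_all("Received", []):
        received = str(received)
        if f"by {our_mx}" in received:
            match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
            if match:
                return match.group(1)
    return None


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print(f"{finding['text']!r} -> {finding['host']}: {finding['reason']}")
    print("connecting IP:", connecting_ip(SAMPLE_EMAIL, "mx.example.com"))
```

On the constructed message only the "View More Posts" link is flagged: the Workplace and unsubscribe links resolve to the expected domains, exactly the mix the campaign relies on, which is why the check is per link rather than per message. The connecting IP is taken from the Received line our own MX wrote, since anything below it in the chain is attacker-controlled text.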
Messages like these continue to reach users' inboxes, prompting them to click with enticing (or alarming) content. The question is no longer "why do these evade my email security gateway?" but "how do I arm my users?" The inbox is the new email battleground, and it requires a new approach to security.