73% of phishing sites impersonate Microsoft product-related login pages

William S. | December 8, 2021

Cybercriminals always target software or websites that many people use. By exploiting discovered vulnerabilities or taking advantage of people's lack of awareness of good cybersecurity practices, threat actors launch cyberattacks that affect a large audience and bring them the most benefit.

According to the data presented by the Atlas VPN team, 73% of phishing sites impersonate Microsoft product-related pages. Furthermore, 50% of compromised accounts are accessed by hackers within 12 hours, and within a week, 9 out of 10 accounts are fully taken over by threat actors.

The data is based on the Agari Anatomy of a Compromised Account report about how BEC actors use credential phishing and exploit breached accounts. In the six months between October 2020 and March 2021, Agari seeded credentials into more than 8,000 unique phishing sites.

Cybercriminals impersonated Microsoft account login pages in 60% of phishing sites. Because Microsoft products are widely used around the world, threat actors find them the best targets to look for vulnerabilities. Hackers could use a compromised account to launch more phishing or other social engineering cyberattacks.

Threat actors imitated Adobe Document Cloud login pages in 26% of phishing websites. With access to the cloud, cybercriminals could inject malicious files, such as malware or ransomware, into documents. Besides, if the hacked cloud account holds sensitive company-related or personal information, hackers could use it for blackmail or sell the data on the dark web.

Cybercriminals used fake Microsoft SharePoint login pages in 8% of their phishing sites. Once in control of the account, the attacker uploads a malicious file and then changes the file’s sharing permission to ‘public,’ allowing anybody to spread the link further. The attacker sends the link to the user’s contacts or other targeted accounts through social media or email.

Microsoft Office 365 and OneDrive login pages were impersonated by cybercriminals in 3% and 2% of phishing sites, respectively.

Gone in a week

After gaining credentials, cybercriminals do not wait long to take action and get what they want. While some use automated tools to test credentials, other attackers manually verify the validity of the login information.

Threat actors accessed 23% of all accounts immediately after the compromise. Attackers likely took over these accounts with an automated script to validate the legitimacy of the credentials. One hour after the breach had happened, cybercriminals had manually taken over 18% of the accounts.

After 6 hours had passed, 2 out of 5 (40%) accounts had been manually accessed by hackers. In 12 hours, half of the accounts (50%) were taken over by cybercriminals. Such a significant number of accounts being hacked within 12 hours means that most companies would not even notice the compromise before threat actors already have their information.

After a day, 64% of accounts had been taken over manually by cybercriminals. Finally, nearly all of the accounts, 91%, had been accessed within a week after compromise. A single week is all it took for attackers to access most of the accounts, which in reality could lead to tremendous monetary losses for a company or a person.

One of the most common issues in email security is business email compromise (BEC). With access to Microsoft accounts, cybercriminals can deliver emails, host malicious pages, or create malicious documents, which allows them to spread their attack more efficiently. Multi-factor authentication on work-related accounts should be mandatory to mitigate the risk.

William S.

Cybersecurity Researcher and Publisher at Atlas VPN. Focused on revealing the latest cybersecurity trends around the world.
