Office 365 phishing scam uses legitimate Oracle and AWS services

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock)

A sophisticated phishing attack is underway that employs some high-profile legitimate services, including cloud solutions by Oracle and Amazon. The method puts a huge number of individuals at risk, whether they primarily use Windows 10, macOS, or mobile operating systems for work.

Security researchers at Mitiga initially discovered the scheme after one of its employees was targeted. The phishing scheme has been active for more than six months and works by using several legitimate websites as part of a proxy chain.

“This particular attack begins with the victim receiving a phishing email sent from a legitimate, but compromised, Office 365 email account,” the Mitiga security blog explains. “This email asks the targeted user to click a link for a voice mail message. Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a compromised website belonging to a genuine organization. Our team identified over 40 websites belonging to SMBs that were compromised by the associated threat actors.”

A sophisticated scam

Although the particular phishing campaign starts out like many others – with a fake or misleading email – it adds a layer of complexity by directing victims via a number of legitimate sites. Ultimately, the targeted individual is redirected to a fake Office 365 login page hosted on Oracle’s cloud infrastructure or on AWS S3 buckets.

Once a cyberattacker has acquired an individual’s Office 365 credentials, the victim is redirected to a legitimate but compromised website. The attacker, meanwhile, may use their ill-gotten credentials to gain further sensitive information about the individual or the organization that they work for.

By investigating the HTML code used to create the fake Office 365 page, Mitiga believes that the attack may be part of a phishing-as-a-service offering. Although it’s possible that the information used to come to that conclusion has been deliberately left to mislead security researchers.

Via Bleeping Computer

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all