The new sophisticated phishing scheme was implemented by threat actors for stealing Office 365 credentials, it leverages both cloud services from Oracle and Amazon for their infrastructure.

Threat actors used to compromise legitimate websites and used them as a proxy chain, This campaign also outstands for the abuse of legitimate services and websites for data exfiltration.

The phishing messages are fake notifications for voice messages and Zoom invitations that are created to trick victims into clicking an embedded link that finally lead the victim to the phishing page that was designed to steal login credentials.

Office 365 phishing

The threat actors used compromised accounts to send out phishing messages and used Amazon Web Services (AWS) and Oracle Cloud in the redirect chain.

“Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a legitimate but compromised website”

Before the victims land the final landing page, the user is redirected through several proxies, including AWS load balancers.

Most of the fake Office 365 login pages were hosted on Oracle Cloud computing service, but experts also observed the use of Amazon Simple Storage Service (Amazon S3).

The analysis of the HTML code for the fake Office 365 pages suggests that attackers opted for a phishing-as-a-service.

Based on the email addresses employed in this campaign,mainly aimed at C-level executives at small and medium-sized businesses as well as major financial institutions.