The Microsoft-based email systems of several Washington-based nonprofits and at least one tribal nation were breached today in what appears to the Northwest Progressive Institute team to be a well-executed, alarming mass phishing campaign targeting institutions that serve the people of the Pacific Northwest.
Beginning early this morning, NPI staff began receiving a series of oddly-worded emails containing suspicious-looking images with the header “You have an eFax message” with a “fax summary” table and a button saying “Preview PDF Here.”
Emails contained subject lines such as “Approved Statement from [Organization Name]” and “New Statement from [Organization Name]”. They also contained what our team believes are the typical, preconfigured, normal signature blocks belonging to each of the individuals working within the breached organizations, containing names, phone numbers, and in one case, a confidentiality warning.
Because the emails were sent using the accounts of legitimate users in legitimate organizations, they passed through NPI’s robust spam filtering defenses and were delivered to NPI staff inboxes rather than being intercepted or marked as Junk.
The images in the emails were hyperlinked to Dropbox Paper URLs.
I followed the links in a sandboxed, totally brand new Windows virtual machine to see what the phishers were up to. The Dropbox Paper URLs went to what is effectively a gateway page for the bad guys. This gateway page contained several headings, which read: “Check below for the vital document shared” and “Open Full PDF Here Or Download” along with a fake disclaimer: “This document has been scanned for viruses by Norton Antivirus Security.” Here’s a screenshot:
Clicking on the link opened another URL which Microsoft Edge proclaimed to be unsafe. I was glad to see that — the big red scare screen should save a lot of people from the clutches of these villains.
Since I had the luxury of being able to probe things from a sandboxed virtual machine, I bypassed the warning in the hopes of seeing more.
That yielded a web page at windows.net (meaning, hosted by a Microsoft Azure instance… how devilish!) dressed up to look like a Microsoft OneDrive modal screen, saying “Verify your identity” and “You’ve received a secure file.” (Uh huh.) The only field on the page was a single text box reading “Enter email.”
I entered a fake email address and clicked “Next.” I was then prompted for a password. It is evident that the phishers’ objective is to steal users’ credentials so that they can perpetrate more breaches. A vicious cycle, to be sure!
NPI has reported this evil Azure instance to Microsoft to get it shut down. Microsoft’s Azure Safeguards Team has opened a case and is investigating.
According to email headers, each of the malicious messages that NPI received today was sent through Microsoft’s hosted email service Outlook.com, which suggests that whoever is responsible for these breaches and phishing campaigns chose to target local organizations that are Microsoft 365 customers.
Without knowing more about the security posture of the affected organizations and their employees, it is difficult to draw conclusions about why these simultaneous or near-simultaneous breaches occurred. We can only theorize.
One possibility is that some or all of the breached accounts that the phishers used to send emails to NPI staff today were protected by reused passwords that had been exposed in previous data breaches, allowing the malicious actors to log in on the first attempt and begin their evil phishing campaigns.
Another possibility is that some or all of the breached accounts’ credentials were stolen through a previous wave of phishing attacks perpetrated by these villains.
It is deeply concerning that multiple local organizations were breached in one day. Our team can’t recall seeing anything quite like this in our nearly twenty-year history. It’s very possible that the extent of the breaches goes beyond the organizations that we know about based on the emails that we received today.
NPI has been reaching out to the affected organizations to ensure they are aware they were breached and to offer whatever support we can.
We will also be following up with the Nonprofit Association of Washington and the Office of the Secretary of State to share information and assist Microsoft in investigating and probing these disturbing attacks further.
If you run or are involved with a nonprofit or small business or similar entity, we recommend doing the following to strengthen your security posture:
- Have all personnel, or an IT administrator for your organization, check users’ sent messages folder to see if there is anything suspicious there.
- Deploy a trustworthy password manager across your entire organization if you have not already. Create an account for each employee or team member that you have within that manager. NPI recommends the firms 1Password, Bitwarden, and Dashlane, in that order.
- Require all personnel to change their Microsoft 365 and Google and other passwords to something generated by the manager, to ensure that every account corresponding to a user is protected by a strong password.
- Require two-factor authentication to be enabled on all accounts and direct personnel to set up either an authenticator app or hardware security key as their second factor — avoid SMS! For shared accounts, like Twitter or Instagram, set up the second factor as the password manager’s one time code generator within the entry for the requisite set of credentials.
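For the first recommendation above (checking users’ sent folders), here is an added example of how an administrator could screen exported messages for the lure described in this post. It is our own illustration, not a tool from any vendor; the subject pattern, eFax phrases and link hosts come from the emails described above, and the two sample messages are constructed, not real captures.

```python
import re
from email import message_from_string
from email.policy import default

# Indicators taken from the lure described in the post: subject pattern,
# eFax image text, Dropbox Paper gateway link and windows.net credential page.
SUBJECT_RE = re.compile(r"^(approved|new) statement from ", re.I)
BODY_PHRASES = ("you have an efax message", "preview pdf here", "fax summary")
HREF_RE = re.compile(r"""href=["']?(https?://[^"'\s>]+)""", re.I)

def message_indicators(raw_eml: str) -> list[str]:
    """Return the names of the campaign indicators matched by one raw message."""
    msg = message_from_string(raw_eml, policy=default)
    hits = []
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.append("subject:statement-lure")
    body = "".join(part.get_content() for part in msg.walk()
                   if part.get_content_type() in ("text/plain", "text/html"))
    hits += [f"body:{p}" for p in BODY_PHRASES if p in body.lower()]
    for url in HREF_RE.findall(body):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host == "paper.dropbox.com" or host.endswith(".windows.net"):
            hits.append(f"link:{host}")
    return hits

def scan_sent_items(messages: list[str]) -> list[tuple[str, list[str]]]:
    """Flag raw messages (e.g. an exported Sent folder) with two or more indicators."""
    flagged = []
    for raw in messages:
        hits = message_indicators(raw)
        if len(hits) >= 2:
            subject = str(message_from_string(raw, policy=default).get("Subject", ""))
            flagged.append((subject, hits))
    return flagged

# Constructed sample messages (not real captures): one lure, one benign mail.
LURE = """\
From: staff@example-nonprofit.org
Subject: Approved Statement from Example Nonprofit
Content-Type: text/html; charset=utf-8

<p>You have an eFax message</p><table><tr><td>Fax summary</td></tr></table>
<a href="https://paper.dropbox.com/doc/placeholder"><img alt="Preview PDF Here"></a>
"""
BENIGN = """\
Subject: Agenda for Thursday
Content-Type: text/plain; charset=utf-8

See you at 10am. The eFax machine is fixed.
"""
```

Requiring two indicators keeps an ordinary mention of a fax or a Dropbox link from being flagged on its own; a hit in a user’s Sent folder is a strong sign that account was used to send the lure.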
It’s also not a bad idea to remind people to carefully scrutinize links and images in incoming mail before opening them. A single wrong click or tap can sometimes be disastrous, and in any organization, you’re only as strong as your weakest link.
Stay safe out there and be sure to get help if you detect any malicious activity!