Credential Swiping Attacks Target 45% Of Office 365 Users
By: Jim Stickley and Tina Davis
May 19, 2022
As corporate hacks become daily events, most users don’t realize that as a result, bits and pieces of their identities are available on the dark web. Their PII (personally identifiable information) is listed for sale or for free to hackers, and they’re the only ones who know what they’ll do with that information. A study by Cofense found 45% of credential swiping targets use Outlook, Teams, and Office 365 as email phishing lures. With approximately 115 million Microsoft Teams users, cybercriminals know Office 365 is a very ripe target.
Credential swiping uses those bits of PII like the email addresses and passwords leaked onto the dark web from prior hacks. The PII is stuffed into other accounts a user has, hoping for a match from reused passwords and usernames. Success with credential swiping can lead to further and more insidious attacks.
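The mechanism described above leaves a recognizable trace in authentication logs: one source trying many different usernames in a short window, most attempts failing, with the occasional success where a password was reused. The following detection logic is an added example, not code from the article or from Cofense; the log format and IP addresses are constructed sample data, and the thresholds (five distinct accounts within ten minutes) are assumptions to tune for your own environment.

```python
"""Flag credential-stuffing patterns in a simple authentication log.

Added example (not from the article). A source that attempts logins
against many *different* accounts within a short window is replaying
leaked username/password pairs; any SUCCESS from that source is a
reused-password match that needs a forced reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "timestamp ip user result"
SAMPLE_LOG = """\
2022-05-19T10:00:01 203.0.113.5 alice FAIL
2022-05-19T10:00:02 203.0.113.5 bob FAIL
2022-05-19T10:00:03 203.0.113.5 carol FAIL
2022-05-19T10:00:04 203.0.113.5 dave FAIL
2022-05-19T10:00:05 203.0.113.5 erin SUCCESS
2022-05-19T10:00:06 203.0.113.5 frank FAIL
2022-05-19T10:05:00 198.51.100.7 alice FAIL
2022-05-19T10:05:30 198.51.100.7 alice FAIL
2022-05-19T10:06:00 198.51.100.7 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames} for every source that tried at least
    `min_users` distinct accounts inside any sliding `window`.

    A single user failing repeatedly (a forgotten password) is *not*
    flagged: the signal is breadth across accounts, not depth on one.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _ = parse_line(line)
        events[ip].append((ts, user))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            # keep the largest distinct-account set seen for this source
            if len(users) >= min_users and len(users) > len(flagged.get(ip, [])):
                flagged[ip] = sorted(users)
    return flagged


def successes_from(log_text, ips):
    """Accounts that authenticated successfully from flagged sources.

    These are the accounts whose reused password matched a leaked pair;
    they are the ones to reset and review first.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if ip in ips and result == "SUCCESS":
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    flagged = detect_stuffing(SAMPLE_LOG)
    print("stuffing sources:", flagged)
    print("accounts to reset:", successes_from(SAMPLE_LOG, flagged))
```

In the sample, 203.0.113.5 hits six accounts in six seconds and is flagged, while 198.51.100.7 retries the same account three times and is not; only `erin` logged in from the flagged source, so that account is the one to reset. Real deployments distribute attempts across many source addresses, so the same logic is usually also run keyed on user-agent or ASN rather than on IP alone.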
After analyzing millions of emails from different attacks, Cofense found 57% were phishing emails. Those malicious emails hoped to steal usernames and passwords and use them for credential swiping on other accounts. The remaining 43% were used for business email compromise (BEC) and malware assaults, both potentially devastating to enterprises of all types.
The best advice against these credential swiping attacks is knowing how to avoid them in the first place. If you use Microsoft Teams or, in particular, Office 365 for work or personal use, approach every email about these services with a hefty dose of skepticism. Hackers send phishing emails requiring you to confirm your account credentials, send bogus emails from co-workers asking you to open attachments or follow links, and use fake Office 365 messages and overlay pages designed to steal more than login information. Listed below are common sense tips everyone should be aware of in the war against email phishing and credential swiping campaigns. Know that an overall common-sense approach goes a long way toward thwarting these attempts.
Email Phishing Red Flags Flying
- Verify the email sender is legitimate. Hackers can pose as your bank, a co-worker, or even a friend or family member. Hover your mouse over the sender’s name and it will show the true email sender.
- Be wary of urgent messages. Hackers hope a target will abandon any email safety measures and immediately respond to an urgent request. But resist. There is always time to verify first.
- Beware of typos and bad grammar. Bad actors are good at being sneaky, but good grammar and spelling are not job requirements.
- Don’t follow links or open email attachments, especially from unknown or untrusted senders. If necessary, call the sender to verify the email is legitimate.
- If it sounds too good to be true, it probably is. Any email saying you’ve won a contest or a gift card, or that packages are waiting to be delivered but you need to verify your address and account information, is likely fraudulent (especially if you didn’t enter a contest or are not expecting a delivery).
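The first, second and fourth tips above (check the true sender, distrust urgency, be wary of where a reply actually goes) can be applied mechanically to message headers, which is what a mail gateway or a help-desk triage script does when a user forwards a suspicious email. The check below is an added example, not code from the article; the message headers are constructed, and `TRUSTED_DOMAINS`, the brand keyword list and the urgency word list are assumptions standing in for an organization's own allow-lists.

```python
"""Surface the real sender behind a display name and other header red flags.

Added example (not from the article). Uses only the standard library's
`email` package; the sample message is constructed, not a real phish.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains your organization considers first-party or trusted.
TRUSTED_DOMAINS = {"microsoft.com", "example.com"}

# Assumption: brand words whose appearance in a display name should be
# backed by the matching sender domain.
BRAND_WORDS = ("microsoft", "office 365", "outlook", "teams")
BRAND_DOMAIN = "microsoft.com"

# Assumption: phrases that signal the pressure tactic the tips warn about.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")

# Constructed sample: the display name imitates a Microsoft service but the
# address is on an unrelated domain, and replies are steered elsewhere.
SAMPLE_MESSAGE = """\
From: "Microsoft Office 365 Support" <alerts@login-verify.example.net>
Reply-To: helpdesk@another-domain.example.org
To: user@example.com
Subject: Urgent: confirm your account within 24 hours

Your mailbox will be suspended unless you confirm your credentials now.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_brand_domain(domain):
    return domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)


def sender_red_flags(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the display name, the actual address, and a list of flags."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    reply_domain = _domain(reply_to)
    flags = []

    # Tip 1: the name you see is not the address that actually sent it.
    if from_domain and from_domain not in trusted:
        flags.append(f"sender domain not trusted: {from_domain}")
    if any(w in name.lower() for w in BRAND_WORDS) and not _is_brand_domain(from_domain):
        flags.append(f"display name imitates a brand but address is {addr}")

    # Replies going to a different domain than the sender is a classic tell.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain differs from sender: {reply_domain}")

    # Tip 2: pressure to act now.
    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        flags.append("urgency language in subject")

    return {"display_name": name, "address": addr, "flags": flags}


if __name__ == "__main__":
    result = sender_red_flags(SAMPLE_MESSAGE)
    print("Shown as:", result["display_name"])
    print("Actually from:", result["address"])
    for flag in result["flags"]:
        print(" -", flag)
```

The sample trips all four checks; a plain internal note from `alice@example.com` with no `Reply-To` and an ordinary subject trips none. The checks are deliberately header-only: they do not follow links or open attachments, in keeping with the fourth tip.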