Microsoft data entry attack takes spoofing to the next level

December 18, 2019 by Tyler Schultz

Data entry attacks remain one of the most effective ways for hackers to steal credentials and sensitive information. By using a phishing email to redirect victims to a spoofed login page, hackers can harvest sensitive information or credentials entered by the victim to gain access to other systems or networks. After the victim enters information on a spoofed page, attackers can even redirect them to the legitimate website to avoid alerting the victim of the scam and buy more time to steal data or execute an attack.

While these attacks remain a legitimate concern for many organizations, a new, dynamic data entry attack uncovered by Microsoft’s Office 365 Threat Research Team brings an even greater challenge to employees and security teams alike.

What is a dynamic data entry attack?

In traditional data entry attacks, hackers copy elements from legitimate websites to create spoofed pages that replicate the same look, feel and experience as the real page. While this is extremely deceiving in most cases, many organizations implement custom, branded login pages for third-party services such as their email client, file-sharing service or CRM. In this case, employees who are used to seeing a branded login page are less likely to fall for a generic spoofed page missing their organization’s logo and other custom page elements.

Dynamic data entry attacks take login page spoofing to the next level by reading the victim’s email address, identifying their organization and dynamically adjusting the spoofed login page to serve the custom elements used by the organization on their legitimate, custom login page.

How does this attack work?

In Microsoft’s example, attackers used a phishing URL to send victims to an attacker-controlled server which captured the company-specific information from the victim’s email address. Next, the server requested the organization-specific login page elements from Microsoft’s rendering site, including the organization’s logo, custom login page text and background image. The spoofed login page then dynamically displayed these custom elements, providing a near-identical login experience the victims were accustomed to seeing on the legitimate site.

miscrosoft threat research - data entry attack diagram

Image courtesy of Office 365 Threat Research Team

Not only did this technique allow attackers to build more believable spoofed login pages, but it also allowed them to scale their attack to employees in multiple organizations without having to build and maintain multiple spoofed pages and domains.

What does this mean for your organization?

Dynamic data entry attacks are a sophisticated way for attackers to harvest credentials and sensitive information. Even if this attack doesn’t seem like an immediate concern for you or your organization, it serves as the perfect illustration for the ever-changing threatscape your employees and organization face. In this case, and many others, it’s only after a research team or security vendor recognizes the threat that they can patch vulnerabilities. So where does that leave your employees and organization in the meantime?

Prepare employees with simulated phishing attacks

While your security tools may prevent many phishing attacks from ever reaching an inbox, your employees need to be prepared for each attack that slips through the cracks. In addition to security awareness and training, the best way to prepare employees for phishing attacks is by simulating the very attacks they are likely to see in the same environment they appear — their inbox.

Phishing simulators like Infosec IQ allow you to test your employees’ ability to detect and report phishing attacks ranging from simple drive-by attacks to attachment, business email compromise (BEC) or custom data entry attacks. Run a free Phishing Risk Test to see how vulnerable your organization is to phishing attacks and see who takes the bait.

Run Free Phishing Risk Test
Posted: December 18, 2019
Tyler Schultz
View Profile

Tyler Schultz is a marketing professional with over seven years of experience delivering SaaS solutions to organizations of all sizes. As a product marketing manager at Infosec, he is dedicated to helping organizations build strong cybersecurity cultures and meet their security awareness goals. He helps the Infosec team push the boundaries of effective and engaging security awareness training with a focus on experiential learning, gamification, microlearning and in-the-moment training. Tyler is a UW-Madison and UW-Whitewater graduate and Certified Security Awareness Practitioner (CSAP).