Beware of the SEABORGIUM phishing scheme if you are a Microsoft client

by Alexandru Poloboc
News Editor
  • Microsoft clients should treat this warning seriously.
  • The Redmond company has issued a real warning about phishing by the actor it tracks as SEABORGIUM.
  • The attackers steal credentials with fake OneDrive file-sharing emails and other impersonation lures.

Just when you thought that the latest Patch Tuesday security updates covered pretty much all gaps in Microsoft’s defense grid, the tech giant brings more disconcerting news.

The Redmond company’s Threat Intelligence Center, or MSTIC, has issued a serious warning about the phishing campaigns of a threat actor it tracks as SEABORGIUM.

This isn’t news to security researchers: Microsoft has tracked the actor since 2017, and it has now published a detailed blog post on SEABORGIUM’s tradecraft.

We are about to show you the ways it operates by looking at some comprehensive guidance that could help potential victims avoid it.

How does the SEABORGIUM phishing scheme work?

You are probably wondering what makes this campaign so dangerous to Microsoft users.

Much of the danger lies in how the attack is set up. First, the actor researches its targets, including by observing them through fraudulent social media profiles.

It then registers email accounts that impersonate real people in order to contact the chosen targets.

Some of the emails instead pose as coming from security firms offering to educate users on cybersecurity.

Microsoft also specified that the SEABORGIUM hackers deliver malicious URLs directly in an email or via attachments, often imitating hosting services like Microsoft’s own OneDrive.

Furthermore, the tech giant also outlined the use of the EvilGinx phishing kit to steal victims’ credentials. EvilGinx sits as a reverse proxy between the victim and the real login page, so it captures the session cookie along with the password; this is why the MFA advice further down stresses phishing-resistant methods such as FIDO tokens.

As the company said, in the simplest case, SEABORGIUM directly adds a URL to the body of their phishing email.

However, from time to time, malicious third parties leverage URL shorteners and open redirects to obfuscate their URL from the target and inline protection platforms.

The email varies between fake personal correspondence with hyperlinked text and fake file-sharing emails that imitate a range of platforms.

The SEABORGIUM campaign has been observed to use stolen credentials and directly sign in to victim email accounts.

Based on Microsoft’s experience responding to intrusions by this actor on behalf of its customers, the company says the following activities are common:

  • Exfiltration of intelligence data: SEABORGIUM has been observed exfiltrating emails and attachments from the inbox of victims.
  • Setup of persistent data collection: In limited cases, SEABORGIUM has been observed setting up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data. On more than one occasion, we have observed that the actors were able to access mailing-list data for sensitive groups, such as those frequented by former intelligence officials, and maintain a collection of information from the mailing-list for follow-on targeting and exfiltration.
  • Access to people of interest: There have been several cases where SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties. The nature of the conversations identified during investigations by Microsoft demonstrates potentially sensitive information being shared that could provide intelligence value.
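The following PowerShell hunts for the two footholds just described, direct sign-ins with a stolen password and forwarding rules that feed an external dead-drop mailbox. It is an added example, not code from Microsoft’s post or the article. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Reports modules, Exchange admin rights plus the AuditLog.Read.All Graph scope, and it uses placeholder domain names in $InternalDomains that you must replace with your own accepted domains.

```powershell
# Added hunting script (not from Microsoft's post or the article).
# Looks for what the post says SEABORGIUM does once it has a password:
# (1) mailbox-level forwarding, (2) inbox rules that push mail to an external
# address, (3) successful single-factor sign-ins in the lookback window.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph.Reports modules are
# installed; the operator has Exchange admin rights and AuditLog.Read.All;
# $InternalDomains is a placeholder for your own accepted domains.

$InternalDomains = @('contoso.com', 'contoso.onmicrosoft.com')   # assumption: replace
$LookbackDays    = 30

function Get-ExternalAddresses {
    # Rule recipients render as strings such as
    #   "Jane Doe" [EX:/o=ExchangeLabs/...]          (directory object, no SMTP shown)
    #   "drop@attacker.example" [SMTP:drop@attacker.example]
    # Pull out any SMTP address and keep those whose domain is not one of ours.
    param([object[]]$Recipients)
    foreach ($r in @($Recipients)) {
        foreach ($m in [regex]::Matches([string]$r, '[\w.+-]+@[\w.-]+\.\w+')) {
            $domain = $m.Value.Split('@')[1].ToLower()
            if ($InternalDomains -notcontains $domain) { $m.Value.ToLower() }
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding (set by an admin or in Outlook options, not an inbox rule).
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward, redirect or forward-as-attachment to an outside domain.
#    A rule that also deletes, moves or marks the message as read is the classic way
#    to hide the copy from the mailbox owner, so that is surfaced as HidesMail.
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $ext = Get-ExternalAddresses -Recipients $targets
        if ($ext) {
            [pscustomobject]@{
                Mailbox    = $mbx.UserPrincipalName
                Rule       = $rule.Name
                Enabled    = $rule.Enabled
                ExternalTo = ($ext | Sort-Object -Unique) -join ';'
                HidesMail  = [bool]($rule.DeleteMessage -or $rule.MarkAsRead -or $rule.MoveToFolder)
            }
        }
    }
}
$findings | Sort-Object HidesMail -Descending | Format-Table -AutoSize

# 3. Successful single-factor sign-ins. Any account listed here is exactly what a
#    stolen password (or an EvilGinx-proxied session) buys the attacker.
Connect-MgGraph -Scopes 'AuditLog.Read.All'
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0" |
    Where-Object { $_.AuthenticationRequirement -eq 'singleFactorAuthentication' } |
    Group-Object UserPrincipalName |
    Select-Object @{n='User';      e={ $_.Name }},
                  @{n='SignIns';   e={ $_.Count }},
                  @{n='IPs';       e={ ($_.Group.IpAddress | Sort-Object -Unique) -join ',' }},
                  @{n='Countries'; e={ ($_.Group.Location.CountryOrRegion | Sort-Object -Unique) -join ',' }} |
    Sort-Object SignIns -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. Get-InboxRule only lists rules it can parse; an attacker can corrupt a rule’s properties so it stays active but invisible to this cmdlet, so pair the hunt with Search-UnifiedAuditLog for New-InboxRule, Set-InboxRule and Set-Mailbox operations on the same mailboxes. And a single-factor sign-in from an expected country is not proof of compromise, only the population in which a stolen password would succeed; compare the IPs against the victim’s usual locations.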

What can I do to protect myself from SEABORGIUM?

Microsoft says the techniques described above can be mitigated by adopting the following measures:

  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware.
  • Configure Office 365 to disable email auto-forwarding.
  • Use the indicators of compromise published in Microsoft’s blog post to check whether they appear in your environment and assess for potential intrusion.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Require multifactor authentication (MFA) for all users coming from all locations including perceived trusted environments, and all internet-facing infrastructure–even those coming from on-premises systems.
  • Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. Avoid telephony-based MFA methods to avoid risks associated with SIM-jacking.

For Microsoft Defender for Office 365 Customers:

  • Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants.
  • Enable Zero-hour auto purge (ZAP) in Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Configure Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password attack campaigns within your organization. Run spear-phishing (credential harvest) simulations to train end-users against clicking URLs in unsolicited messages and disclosing their credentials.
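The following PowerShell applies the tenant-side settings from the two lists above to the default Exchange Online Protection and Defender for Office 365 policies and then reads them back. It is an added example, not code from Microsoft’s post or the article. It assumes the ExchangeOnlineManagement module, Exchange admin rights, a Defender for Office 365 licence for the Safe Links section, and that the policy names are the tenant defaults; MFA and authentication-method choices are made in Conditional Access and Entra ID and are not covered here.

```powershell
# Added hardening script, not code from Microsoft's post or the article.
# Assumptions: ExchangeOnlineManagement module; Exchange admin rights; Defender
# for Office 365 licence for the Safe Links part; policy names are the tenant
# defaults ("Default", "Office365 AntiPhish Default"). MFA / authentication
# methods are configured in Conditional Access and Entra ID, not here.
# Add -WhatIf to any Set-* call to preview it before changing production.

Connect-ExchangeOnline -ShowBanner:$false

# 1. Disable automatic forwarding to external recipients at two layers: the outbound
#    spam policy (covers inbox rules, mailbox forwarding and Power Automate flows)
#    and the remote-domain setting, an older control that is still honoured.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Spoofed senders: keep spoof intelligence on, quarantine mail that fails
#    composite authentication instead of sending it to Junk, and show users the
#    unauthenticated-sender marker and first-contact safety tip that
#    impersonation lures trip.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableUnauthenticatedSender $true `
    -EnableFirstContactSafetyTips $true

# 3. Spam/phish filter: quarantine phish verdicts and enable zero-hour auto purge
#    so already-delivered messages are pulled back when intelligence catches up.
Set-HostedContentFilterPolicy -Identity Default `
    -PhishSpamAction Quarantine `
    -HighConfidencePhishAction Quarantine `
    -ZapEnabled $true -PhishZapEnabled $true -SpamZapEnabled $true

# 4. Safe Links: scan URLs before delivery, re-check them at click time, log
#    clicks, and do not let users click through a block. Applied to every existing
#    Safe Links policy; if none exists, create one with New-SafeLinksPolicy and
#    bind it to users with New-SafeLinksRule first.
Get-SafeLinksPolicy | ForEach-Object {
    Set-SafeLinksPolicy -Identity $_.Name `
        -EnableSafeLinksForEmail $true `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -TrackClicks $true `
        -AllowClickThrough $false `
        -EnableForInternalSenders $true
}

# 5. Read everything back so the change is verifiable.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default  | Select-Object Name, AutoForwardEnabled
Get-AntiPhishPolicy                 | Select-Object Name, EnableSpoofIntelligence, AuthenticationFailAction
Get-HostedContentFilterPolicy       | Select-Object Name, PhishSpamAction, ZapEnabled, PhishZapEnabled, SpamZapEnabled
Get-SafeLinksPolicy                 | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, TrackClicks, AllowClickThrough
```

Setting AutoForwardingMode to Off is the control that defeats the dead-drop persistence Microsoft describes; a rule an attacker has already planted will still exist but external delivery is rejected, so the read-back in step 5 should be paired with a hunt for existing rules rather than treated as a clean-up on its own.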

With all this in mind, think twice before clicking a link or opening an attachment in an email from a source you cannot verify, even when it looks like a routine OneDrive share.

You might think a single click is harmless, but for this actor it is all that is needed: a proxied login page captures your password and session, and from there your mailbox can be read and silently forwarded.

