While Office 365 is one of the most prevalent office suites out in the market today, its users can’t rest easy. Cybercriminals and threat actors will always find ways to abuse the most popular brands in various ways.
Office 365 has hundreds of millions of active users, and this userbase can make it a pretty lucrative target for many kinds of cyber attackers. In fact, over the past few months, the suite has been abused in several attacks, including:
There are tons of other events, of course, over the years since its launch, including vulnerability exploitation and other cyber attacks. In the realm of cybersecurity, we know that prevention is better than cure where possible. So we sought to provide Office 365 users with a list of domains, subdomains, and IP addresses that they may do well to steer clear of in light of the many attacks that may be targeting them.
To obtain an initial sample that we then analyzed to build an exhaustive list of artifacts, we looked for domains and subdomains containing the strings “office 365” and “o365” from 1 June 2021 alone. Our initial list gave us:
To see how many of these domains and subdomains could be publicly attributed to Microsoft, we removed duplicates from the sample. A bulk WHOIS lookup gave us active WHOIS records for 656 domains, and a very small percentage (5%) of these were most likely legitimate based on shared registrant details (i.e., they are the same as those indicated in microsoft[.]com’s WHOIS record). Very few of them were owned by identifiable individuals or companies, apart from Microsoft.
Subjecting 10% of the total sample (i.e., domains and subdomains) to malware database checks showed that:
Examples of the suspicious domains/subdomains include:
The following, meanwhile, are examples of those classified as malicious:
DNS lookups revealed that the 656 domains resolved to 1,414 IP addresses. Querying 10% of these on a malware database revealed that 24% were tagged “malicious” while 2% were dubbed “suspicious.”
Examples of the malicious and suspicious IP addresses are:
Passive DNS checks on the IP addresses via reverse IP/DNS queries gave us a list of 3,911 additional unique domains and subdomains. Note that the number of connected domains and/or subdomains per IP address was limited to five.
Malware database checks for these domains and subdomains revealed that some were tagged “malicious” and “suspicious” on VirusTotal, including:
There may be a lot more as we were only able to screen a few of the resulting connected domains and subdomains.
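As an added example (not the post's own code or data), here are the triage steps described above as a small Python pipeline: brand-string filtering and de-duplication, registrant comparison against the brand owner's WHOIS record, reputation checks on names and resolved addresses, and a reverse-IP pivot capped at five names per address. All domain names, IP addresses and records are constructed placeholders, and the WHOIS, reputation and DNS lookups are stubbed as dictionaries.

```python
# Constructed sample records (placeholders, not real WHOIS/DNS/reputation data).
SEED_DOMAINS = ["login-office365-secure.example", "O365-mail.example",
                "o365-mail.example", "news.example", "office365.example"]
WHOIS = {"office365.example": {"org": "Microsoft Corporation", "country": "US"},
         "o365-mail.example": {"org": "Privacy Service", "country": "PA"}}
REFERENCE = {"org": "Microsoft Corporation", "country": "US"}  # stand-in for the brand owner's record
REPUTATION = {"login-office365-secure.example": "malicious", "o365-mail.example": "suspicious",
              "203.0.113.10": "malicious", "198.51.100.7": "clean"}
DNS = {"login-office365-secure.example": ["203.0.113.10"],
       "o365-mail.example": ["203.0.113.10", "198.51.100.7"],
       "office365.example": ["198.51.100.20"]}
REVERSE_DNS = {"203.0.113.10": ["login-office365-secure.example", "a.example", "b.example",
                                "c.example", "d.example", "e.example", "f.example"],
               "198.51.100.7": ["o365-mail.example"]}

def collect_candidates(domains, keywords=("office365", "office 365", "o365")):
    """Keep hostnames containing a brand string, normalised and de-duplicated."""
    seen, out = set(), []
    for name in domains:
        name = name.lower().strip().rstrip(".")
        if name in seen:
            continue
        seen.add(name)
        if any(k in name for k in keywords):
            out.append(name)
    return out

def likely_legitimate(domain, whois, reference):
    """A registrant match with the brand owner's record suggests a legitimate name."""
    rec = whois.get(domain)
    return rec is not None and all(rec.get(k) == v for k, v in reference.items())

def reverse_expand(ips, reverse_db, limit=5):
    """Reverse-IP pivot, capped at `limit` connected names per address as in the post."""
    found = set()
    for ip in ips:
        found.update(reverse_db.get(ip, [])[:limit])
    return found

def triage(domains, whois, reference, reputation, dns, reverse_db):
    """Run the full pipeline and return the artifacts a defender would act on."""
    candidates = collect_candidates(domains)
    legit = [d for d in candidates if likely_legitimate(d, whois, reference)]
    ips = sorted({ip for d in candidates for ip in dns.get(d, [])})
    verdicts = {x: reputation.get(x, "unknown") for x in candidates + ips}
    connected = reverse_expand(ips, reverse_db) - set(candidates)
    block = sorted(x for x, tag in verdicts.items() if tag == "malicious")
    return {"candidates": candidates, "likely_legitimate": legit, "ips": ips,
            "connected": sorted(connected), "blocklist": block}
```

Swap the dictionaries for real WHOIS, reputation and passive DNS clients to run it against a live sample; the cap in `reverse_expand` keeps a busy shared-hosting address from flooding the connected list.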
Given our findings and the list of artifacts that we acquired, Office 365 users, individuals and companies alike, need to be wary of the suspicious domains, subdomains, and IP addresses and block access to and from those that are malicious. A lot of these could figure in phishing attacks spoofing Office 365 or worse.
If you want to get a copy of the Office 365 threat artifacts we collated to enhance your network protection or want to start your own investigation, please contact us.