In recent months, the Reporting and Analysis Center Melani We have received reports of numerous phishing attacks that imitate such platforms and try to obtain access data. For example, the websites of Microsoft Office 365 or OneDrive are imitated. The quality and nature of the emails vary greatly. In certain emails, the recipient is asked to identify themselves in order to solve a problem with their account, or asked to view a document shared with them. In all cases, the recipient is redirected to a phishing page that imitates the provider's page; there, the username and password are supposed to be provided.

Tailor made scam

Once the criminals have access to the account, they can basically make the same settings as the account owner:

• Set up email forwarding so that they have access to all of the damaged person's correspondence. The forwarding is often done by means of a copy, so that this is not recognizable to the account holder.
• If the platform's email account is used as a reset email address for additional services, an attacker could have corresponding passwords reset and thus gain access to additional services.
• Attackers can gain access to additional documents as far as the user's rights allow. However, they can also request other users to release documents on behalf of their victim. Since they assume that this is being done by a company colleague, they will often comply with this request.

For criminals, these credentials are often a gold mine, allowing them to gather relevant information, such as business relationships, cases to be processed, structure and organization charts of the company, for a tailored fraud attempt. Likewise, it cannot be ruled out that such information is used for industrial espionage or resold.

Once an account is compromised, all of the compromised person's contacts can be affected. They often risk having an email sent to them with malware or phishing that appears to come from the account of a colleague or business partner. Using this method, the attackers can gain further access to the company network

The Melani Federal Agency makes the following recommendations

Technical measures:

• Use two-factor authentication wherever it is available.
• It is recommended to choose a service that provides enough logging functionality and makes the logs available in a suitable form for clients.
• Companies are advised to look for anomalous actions on employee accounts: Access from unusual locations or at unusual times, adding email forwards, etc.
• Mails should always be digitally signed (at least internally) and users should be trained to handle mails without an appropriate signature with particular care.
• When sending legitimate emails with a high potential for phishing abuse, such as sending invoices electronically, care should be taken to ensure that the links are not hidden behind HTML text and that the mails and/or documents are digitally signed.
• To make it less easy for your domain to be abused for phishing attempts, SPF, DKIM and DMARC protocols should be set up. This is also possible with some of the large collaboration providers, as for example with Office365

Organizational measures:

• The best way to combat phishing is to make employees aware of this phenomenon: It is essential that employees are trained to recognize and deal with suspicious and fraudulent emails. Sensitized employees know that they should not click on any links or open any attachments in the case of suspicious or fraudulent e-mails, but should inform their superiors or the IT managers immediately.
• The processes and risk-minimizing measures defined by the company must also be complied with at all times. In particular, all processes relating to payment transactions should be clearly regulated within the company and complied with by employees in all cases (e.g. dual control principle, signatures by two people collectively, processes in accordance with the internal control system).
• The phishing attempts can be found on the page www.antiphishing.ch be reported. This allows the Melani federal office to take quick measures to protect other users.

Press release Melani