Phishing Measures in Teleworking (Remote Work) Environment|NTT DATA Philippines

Phishing Measures in Teleworking (Remote Work) Environment


The introduction of telework has accelerated as part of measures against Covid-19. As the use of cloud services progresses in combination with DX initiatives, cybercrime has also been on the rise and needs to be viewed in a different aspect than earlier.

In recent years, the number of companies in Japan that are working on digital transformation (DX) has increased and efforts to utilize digital technology for business transformation are progressing aggressively. Many companies are promoting telework as a part of work style transformation. Today, the Covid-19 global pandemic has accelerated the adoption of telework even more than ever. Thus this change in work style requires to secure a means of communication from remote areas and to have a working environment that is paperless. As a basis for business execution, the utilization of cloud applications (Software as a service (SaaS)) such as Office 365 is believed to be further promoted.

On the other hand, cyber attackers have been on the rise and are trying to intrude the IT premises where the IT systems are installed in offices (operations which is called “on-premises”). In particular, the heart of Windows-centric organizational systems, called Active Directory (AD), has been repeatedly targeted by cyber attackers. However, with the progress of DX and the use of cloud services, the data stored on the on-premises system is now being moved to the cloud. But this too now is being attacked by cyber-attackers who used to traditionally target only the conventional system are now also targeting cloud services also.

For example, the use of infrastructure for utilizing cloud services with single sign-on through so-called federation, such as ID linkage, is advancing today. There are a variety of products and services in this federation service, one such representative service is called Active Directory Federation Service (ADFS).

ADFS utilizes the existing on premise AD in order to enable the existing authentication infrastructure to be used as a means of ID linkage. In case of general ADFS configuration, when a user logs in to the cloud service used by the company, the user is redirected to the existing on-premises AD web log in screen called IdP (Id Provider). Since it is premised on the use of cloud services by remote work etc., connection restrictions are generally not applied to access these login screens. Therefore, cyber attackers can access to such login screens and are able to set up a fake websites. Then, by sending a phishing email to the target organization/individuals, it is possible to steal the user’s ID and password. As a result, confidential information such as emails or files stored in cloud service can be stolen, there are some actual cases of phishing damage that have been confirmed in Japan*1. As a counter measure, it is important to change the authentication process with the use of different authentication methods such as paswordless WebAuthn.

In addition, Office365 has a mechanism for extension called “App (sometimes called OAuth app, add-in, etc.)”. With App, users are able to reconfirm the recipients email in order to prevent sending to the wrong address, or translate the email with a single click. By default, all users can apply App to all applications of Office365. Therefore, cyber attackers can make office365 users to click the URL and approve the compromised app resulting in granting the attackers access to user’s outlook emails*2. For example, there are phishing emails claiming Office365 password is expiring, and users click the link in the text and accidentally approve the compromised App. There are already proofs of App overseas that have a potential to be used as ransomware, which attempts to make victims pay ransoms*3. Some readers might be wondering “why and how do attackers know who is using Office365”, but there is a way to do that. A method called “DNS Recon (domain name reconnaissance)” investigates the domain name used by the targeted company or organization and extracts information that can be used for attacks.


The above figure shows how DNS Recon is used to confirm office 365 usage from the domain named used by a particular company. “{MS=” in the above figure is a sign that the company is using Office 365. Since this information can be accessed by anyone, cyber attackers are able to check the SaaS used by the target company and they can send phishing emails faking as a service provider, thus it is possible the recipients of phishing emails can become victims. As a countermeasure against compromised App, the administrator of Office365 completely block users from freely deploying apps, or at least limiting them to the official Microsoft store apps. As telework is becoming more commonplace today, this article will encourage companies and organization to strengthen security measures.