SamurAI Cyber Analysts Uncover Phishing Campaign Exploiting Microsoft Planner
In early August, the sharp-eyed cyber analysts in the SamurAI SOC (Security Operations Center) uncovered a new, sophisticated phishing campaign where cybercriminals exploited Microsoft Planner – a tool designed to help businesses collaborate, plan, organize, and assign tasks. This clever attack involved impersonating official Planner communications to trick users into interacting with malicious content, ultimately leading to compromised credentials and unauthorized access.
The Devious Attack Strategy
In this phishing campaign that targeted multiple Managed Detection & Response (MDR) clients, each recipient received a personalized phishing email with a unique identifier embedded in the URL. The email subject lines closely mimicked legitimate Microsoft Planner notifications, typically stating:
Subject: “You have been assigned to a new team in Company Name Planner.”
The attackers used convincing sender email addresses from either compromised domains or their own malicious infrastructure. For example, in one attack, addresses such as ad.me@rstravelslonavala.com and ad.min@fellowsports.com were used, with the sender names appearing as “Planner on behalf of your organization.” These subtle details helped maintain the illusion of legitimacy, increasing the likelihood that employees would engage with the email.
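As an added, defender-side illustration that is not part of SamurAI's report or of their published Sigma rules, the Python below scores one raw email against the lure traits described above: the Planner-style subject, the "Planner on behalf of" display name, a sender domain outside Microsoft's, and a link to a non-Microsoft host that carries an opaque per-recipient identifier. The allow-lists LEGIT_SENDER_DOMAINS and LEGIT_LINK_HOSTS, the function name planner_phish_indicators, the three-indicator threshold, and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains that genuinely send Planner notifications, and hosts a
# genuine Planner link points at. Placeholder values; populate them from your
# own mail logs before relying on this check.
LEGIT_SENDER_DOMAINS = {"planner.office365.com", "microsoft.com"}
LEGIT_LINK_HOSTS = {"tasks.office.com", "planner.cloud.microsoft", "microsoft.com"}

# Lure traits from the report: subject text, display name, link shape.
SUBJECT_RE = re.compile(r"assigned to a new team in .+ planner", re.I)
DISPLAY_RE = re.compile(r"planner on behalf of", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")  # opaque per-recipient identifier


def _under(host: str, allowed: set) -> bool:
    """True if host equals or is a subdomain of any allowed domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def _body_text(msg) -> str:
    """Concatenate decoded text/* parts (single-part and multipart messages)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def planner_phish_indicators(raw_message: str) -> dict:
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject_mimics_planner_assignment")
    if DISPLAY_RE.search(display):
        hits.append("display_name_planner_on_behalf_of")
    if addr and not _under(addr.rsplit("@", 1)[-1], LEGIT_SENDER_DOMAINS):
        hits.append("sender_domain_not_microsoft")
    for url in URL_RE.findall(_body_text(msg)):
        parsed = urlparse(url)
        if not _under(parsed.hostname or "", LEGIT_LINK_HOSTS):
            hits.append("link_host_not_microsoft")
            if TOKEN_RE.search(parsed.path + "?" + parsed.query):
                hits.append("link_carries_per_recipient_token")
            break  # one foreign link is enough; stop scanning
    # Three or more independent traits together is the alerting threshold.
    return {"indicators": hits, "suspicious": len(hits) >= 3}


# Constructed samples (not real campaign messages); the sender and link hosts
# use the reserved .invalid TLD.
PHISH_SAMPLE = """\
From: Planner on behalf of your organization <ad.min@compromised-sender.invalid>
To: employee@example.com
Subject: You have been assigned to a new team in Example Corp Planner
Content-Type: text/plain; charset=utf-8

Open the assignment: https://compromised-redirector.invalid/go?u=k7Qx9v2LmP4aZr8TbN3w
"""

BENIGN_SAMPLE = """\
From: Microsoft Planner <noreply@planner.office365.com>
To: employee@example.com
Subject: You have been assigned to a new team in Example Corp Planner
Content-Type: text/plain; charset=utf-8

Open the plan: https://tasks.office.com/example.com/Home/Planner
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, planner_phish_indicators(raw))
```

The subject line alone is deliberately not enough to alert, since it is word-for-word what a genuine Planner assignment says; the verdict rests on the combination of a mimicking subject with a sender and link that do not belong to Microsoft.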
Unveiling the Phishing Mechanism
The phishing emails contained links that directed users to a phishing redirector, which then forwarded them to a subdomain hosted by “EvilProxy,” a notorious adversarial toolkit used to intercept login credentials. The redirector was designed to screen users before sending them to the actual phishing site.
These phishing redirectors were hosted on compromised websites with previously good reputations, allowing them to bypass common security filters. Once a user landed on the redirector page, it would load the targeted company’s favicon and name, with “VPN” appended to it. Next, the user’s connection underwent various checks, including anti-bot and anti-VPN verification, performed on the server side. If the victim’s connection failed these checks, they were shown a generic error message: “We couldn’t load this page. Please refresh the page or check your internet connection.” However, if the checks were passed, the user was forwarded to a phishing proxy.
The phishing proxy acted as a man-in-the-middle (MITM), intercepting the user’s credentials while they believed they were interacting with Microsoft’s legitimate login page.
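The redirector page described above has a recognisable shape from the defender's side: a title made of the targeted company's name plus "VPN", a favicon fetched from the impersonated company's own domain while the page itself sits on an unrelated compromised host, and, for connections that fail the server-side checks, the fixed "We couldn't load this page" error. The Python below, added here as an example and not code from SamurAI or from their Sigma rule set, scores a fetched page against those three traits. The function name redirector_fingerprint, the treatment of the org's own domain as trusted, and the three sample pages are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Generic error the redirector returns to connections that fail its anti-bot /
# anti-VPN checks (wording from the report, normalised as in _norm below).
ERROR_TEXT = "we couldn't load this page. please refresh the page or check your internet connection."


def _norm(text: str) -> str:
    """Lower-case, straighten curly apostrophes and collapse whitespace."""
    return " ".join(text.replace("\u2019", "'").split()).lower()


class _HeadExtractor(HTMLParser):
    """Collect the <title> text and every rel=icon href from an HTML page."""

    def __init__(self):
        super().__init__()
        self.title, self.icons, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "link" and "icon" in (a.get("rel") or "").lower():
            self.icons.append(a.get("href") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _under(host: str, domain: str) -> bool:
    """True if host equals or is a subdomain of domain."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def redirector_fingerprint(html: str, page_host: str, org_name: str, org_domain: str) -> dict:
    """Score a fetched page against the redirector traits for one target org."""
    p = _HeadExtractor()
    p.feed(html)
    hits = []
    if _norm(p.title) == _norm(f"{org_name} VPN"):
        hits.append("title_is_org_name_plus_vpn")
    foreign = not _under(page_host, org_domain)
    for href in p.icons:
        icon_host = urlparse(href).hostname or ""
        # Icon fetched from the impersonated org while the page lives elsewhere.
        if icon_host and _under(icon_host, org_domain) and foreign:
            hits.append("favicon_pulled_from_target_org")
            break
    if ERROR_TEXT in _norm(html):
        hits.append("anti_bot_generic_error_page")
    # The org's own VPN portal legitimately carries its name, so only a page on
    # a host outside the org's domain is treated as suspicious.
    return {"indicators": hits, "suspicious": foreign and bool(hits)}


# Constructed sample pages (not captures from the campaign).
LURE_PAGE = """<html><head><title>Example Corp VPN</title>
<link rel="shortcut icon" href="https://www.example.com/favicon.ico"></head>
<body><p>Checking your connection...</p></body></html>"""

ERROR_PAGE = """<html><head><title>Example Corp VPN</title></head>
<body><p>We couldn\u2019t load this page.
Please refresh the page or check your internet connection.</p></body></html>"""

OWN_PORTAL = """<html><head><title>Example Corp VPN</title>
<link rel="icon" href="/favicon.ico"></head><body>Sign in</body></html>"""

if __name__ == "__main__":
    print(redirector_fingerprint(LURE_PAGE, "compromised-blog.invalid", "Example Corp", "example.com"))
    print(redirector_fingerprint(ERROR_PAGE, "compromised-blog.invalid", "Example Corp", "example.com"))
    print(redirector_fingerprint(OWN_PORTAL, "vpn.example.com", "Example Corp", "example.com"))
```

Because the redirector screens connections before serving the lure, an automated URL sandbox or detonation service will usually only ever see the error page; treating that fixed error string on a non-company host as an indicator in its own right is what makes the fingerprint useful even when the live lure is never observed.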
Fortifying Defenses Against Phishing Emails
In response to this campaign, our cyber analysts in the SamurAI SOC developed and updated custom Sigma rules to detect these specific tactics. These rules are designed to identify malicious patterns embedded in phishing emails, phishing redirectors, and EvilProxy proxies. We are always passionate about sharing our insights and knowledge with the community. Check out several of our Sigma rules and insights on our GitHub page here.
Conclusion
This phishing campaign highlights how threat actors are becoming more creative, exploiting trusted platforms like Microsoft Planner to target business users and steal sensitive credentials. By leveraging these Sigma rules, security teams can proactively identify and mitigate malicious phishing activities, protecting their organizations from credential theft. Remember that continuous education, regular cybersecurity exercises, and a culture of caution can make all the difference in safeguarding your personal and organizational data. Stay alert, stay informed, and stay protected.