
Threat Spotlight: LOLSites — Living-off-the-Land Attacks Using Signed Microsoft Domains

“Listen to Dom de Vitto and Zach Garcia go deeper into LOLSites during our CISO Takeaways podcast episode.”

Cybersecurity Awareness Month is a perfect time to spotlight some of the most concerning trends in the cyber threat landscape. One of the rising threats involves Living-off-the-Land (LOL) tactics, where attackers leverage legitimate software, services, or domains to carry out malicious activities.

Let’s delve into how attackers exploit Microsoft-owned domains for these purposes, particularly through LOLSites. For more in-depth analysis of these threats, refer to Ontinue’s 1H 2024 Threat Intelligence Report.

LOLSites: Leveraging Trusted Infrastructure

LOL techniques abuse legitimate tools or software already present in the target environment to evade detection. LOLSites apply the same idea to web infrastructure: they use signed Microsoft-owned domains, such as sharepoint[.]com, to bypass traditional detection mechanisms, which is what makes them so effective.

Recently, there has been an increase in the use of Microsoft-owned domains in these attacks. The tactic works because these domains are seen as trustworthy, holding valid certificates that allow malicious activity to go unnoticed. The threat actors behind these attacks exploit the fact that organizations often allow trusted domains to bypass security measures.

The Anatomy of a LOLSites Attack: Phishing with a Twist

Here’s how a typical LOLSites attack unfolds, using an ‘attacker-in-the-middle’ (AiTM) approach to steal multi-factor authentication (MFA) codes:

  1. Phishing Email: The attack begins with the user receiving a phishing email containing a malicious attachment or link.
  2. Malicious URL: The attachment includes a URL pointing to a legitimate Microsoft-owned domain such as company.sharepoint[.]com. This page then redirects the user to a phishing site that mimics the Office 365 login page.
  3. Certificate Validation: The certificate for the site is legitimate, which helps the attackers avoid detection by traditional security measures.
  4. Credential Harvesting: The user is tricked into entering their credentials into the imitation login page.
  5. MFA Interception: The phishing site forwards the victim’s login credentials to the legitimate server in real time, acting as a proxy. When the server prompts for multi-factor authentication, the site relays the request to the user, who unknowingly provides the code.
  6. Full Credential Access: After the MFA step is completed, the legitimate server issues a session cookie. The AiTM phishing site intercepts this session cookie, allowing the threat actors to remain logged into the targeted account.
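One way a defender can hunt for steps 2 and 3 of this chain in web-proxy logs, as an added example that is not code from the original post or from Ontinue: it flags requests whose Referer is a trusted Microsoft-owned domain but whose destination is an external host serving a login-looking page. The log field layout, the trusted-domain list, the login-hint heuristics and the sample log lines are all assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Microsoft-owned suffixes the detection treats as trusted (assumed list; the
# post itself names sharepoint[.]com as the abused domain).
TRUSTED_SUFFIXES = (".sharepoint.com", ".microsoftonline.com", ".office.com", ".microsoft.com")
# Host/path fragments that hint at a sign-in page (assumed heuristics).
LOGIN_HINTS = ("login", "signin", "auth", "office365", "o365")

# Constructed sample proxy log: timestamp client method url status referer
SAMPLE_LOG = """\
2024-10-01T09:00:01Z 10.0.0.5 GET https://contoso.sharepoint.com/sites/hr/invoice.aspx 302 -
2024-10-01T09:00:02Z 10.0.0.5 GET https://secure-login-o365.invalid/login 200 https://contoso.sharepoint.com/sites/hr/invoice.aspx
2024-10-01T09:05:00Z 10.0.0.7 GET https://contoso.sharepoint.com/sites/hr/invoice.aspx 200 -
2024-10-01T09:05:01Z 10.0.0.7 GET https://login.microsoftonline.com/common/oauth2/authorize 200 https://contoso.sharepoint.com/sites/hr/invoice.aspx
"""

def is_trusted(host):
    """True when host is exactly a trusted domain or a subdomain of one."""
    if not host:
        return False
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES)

def looks_like_login(url):
    """Cheap heuristic: does the host or path of the URL hint at a sign-in page?"""
    lowered = url.lower()
    return any(hint in lowered for hint in LOGIN_HINTS)

def find_lolsite_redirects(log_text):
    """Return (timestamp, client, trusted_referer_host, external_host) for each
    request that left a trusted Microsoft domain for an untrusted login-looking page."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, _method, url, _status, referer = fields
        dest = urlparse(url).hostname
        ref_host = urlparse(referer).hostname if referer != "-" else None
        if is_trusted(ref_host) and not is_trusted(dest) and looks_like_login(url):
            findings.append((ts, client, ref_host, dest))
    return findings

if __name__ == "__main__":
    for hit in find_lolsite_redirects(SAMPLE_LOG):
        print("possible LOLSites redirect:", hit)
```

On the sample log only the second line is flagged; the fourth line, a redirect from SharePoint to the real Microsoft sign-in, is correctly left alone.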

How LOLSites Differ from Traditional Proxy Attacks

Unlike standard proxy attacks, where the victim’s MFA input is redirected to an external server (leading to potential certificate errors and alerts), LOLSites leverage legitimate domains that allow the interaction to proceed smoothly. The use of a valid Microsoft-owned domain ensures that the browser address bar contains the correct URL, further deceiving the victim into believing they are on a safe site.

Recommended Actions to Mitigate LOLSites Threats

To protect against LOLSites and other similar attacks, it’s crucial to remain vigilant:

  • Avoid Clicking Suspicious Links: Never enter credentials or sensitive information on a page accessed via a link in an unsolicited email or message.
  • Exercise Caution Even on Trusted Sites: Users have traditionally been taught to recognize and avoid suspicious sites by validating the domain, such as micros0ft[.]com. However, even when a domain appears legitimate, users should remain vigilant about the sites they visit or are redirected to.
  • Employee Training and Awareness: Regularly train your employees to recognize phishing attempts and understand the risks of entering credentials into imitation sites.

Stay Informed and Proactive

As cyber threats continue to evolve, staying informed is your best defense. Ontinue’s Advanced Threat Operations (ATO) team is dedicated to monitoring these emerging threats and providing actionable insights. For more information on rising threats like LOLSites, check out Ontinue’s 1H 2024 Threat Intelligence Report, where you’ll find detailed analyses and recommendations to protect your organization from the latest cyber risks.

Cyber attackers are continually finding new ways to exploit trusted infrastructure. By understanding their tactics and taking proactive measures, you can significantly reduce the risk of falling victim to these sophisticated attacks.

Article By

Advanced Threat Operations Team
Ontinue - ATO

Ontinue’s Advanced Threat Operations (ATO) team leverages proactive threat identification, analysis, and mitigation to empower our customers with the resilience needed to tackle the constantly evolving threat landscape.

Balazs Greksza

Domenico de Vitto

Rhys Downing

Manupriya Sharma