An illustration of the lengths to which phishing campaigns will go to harvest credentials. The lesson here is not to trust anything, even if it seems to come from a trusted source: the mail below passed sender checks because it really left a university mail server, and its link really did point at a well-known brand's domain…:
[…] Check Point Research explained that the hackers managed to slip past Office 365’s security by abusing one of Oxford University’s SMTP servers, making the emails appear as if they were sent from the university, and thus confirmed as legitimate senders by Office 365. By hijacking the server, the hackers did not need to compromise actual university email accounts because they could generate as many fraudulent email addresses on the server as they wanted.
To redirect victims to the phishing page, the hackers also had to steal a legitimate domain to redirect traffic without alarming Microsoft’s security system. For this purpose, the attackers appropriated a Samsung Canada subdomain hosted on an Adobe Campaign (a platform used to manage marketing campaigns) server. Hackers took the existing link from an old but legitimate Samsung Canada email campaign from 2018, then repurposed it to force victims into a domain the cyberattackers owned.
While the marketing subdomain was commandeered by the hackers, “neither Adobe nor Samsung were compromised in the sense of exploiting a vulnerability,” Check Point Research said.
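As an added example (not code from the article, from Check Point or from any of the vendors named), here is a small offline triage script in Python that models both legs of the chain described above: sender authentication that passes because the message genuinely left the trusted organisation's SMTP server, and a link whose first hop is a legitimate marketing redirector but whose landing page is somewhere else entirely. The domains, the sample message and the redirector's behaviour (a `/r/` endpoint that forwards to its `url` query parameter) are all constructed assumptions for illustration, not the real campaign's addresses or the real product's link format.

```python
"""Offline triage of a phishing message whose sender and link both look legitimate.

Added example: the domains, the message and the redirector behaviour are
constructed for illustration and are not taken from the campaign on the page.
"""
import email
import email.utils
import json
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample: SPF and DMARC pass because the mail really left the
# university's own SMTP server, and the link points at a brand's marketing host.
RAW_EMAIL = b"""\
Authentication-Results: mx.tenant.example; spf=pass smtp.mailfrom=university.example; dkim=none; dmarc=pass header.from=university.example
Received: from smtp.university.example (203.0.113.10) by mx.tenant.example
From: Voicemail Service <vm-7781@university.example>
To: staff@tenant.example
Subject: New voice message
Content-Type: text/html

<html><body>
<p>You have one new voice message.</p>
<p><a href="https://marketing.brand.example/r/?id=h4a1,0,2018&url=https://login.attacker.example/office/">Play message</a></p>
</body></html>
"""


def parse_auth_results(header):
    """Pull method=result pairs and the DMARC-aligned From domain out of Authentication-Results."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    m = re.search(r"header\.from=([^\s;]+)", header)
    results["header_from"] = m.group(1) if m else None
    return results


def extract_links(html):
    """Return every href in the HTML body, in document order."""
    return re.findall(r'href="([^"]+)"', html)


def simulated_location(url):
    """Stand-in for an HTTP HEAD with redirects disabled (assumed behaviour, not a
    real product): the /r/ endpoint on the marketing host forwards to its 'url'
    query parameter, which is what lets an old campaign link be repurposed."""
    parts = urlparse(url)
    if parts.hostname == "marketing.brand.example" and parts.path == "/r/":
        target = parse_qs(parts.query).get("url")
        return target[0] if target else None
    return None  # no Location header: this hop is the landing page


def follow_redirects(url, fetch_location, max_hops=5):
    """Walk Location headers hop by hop; returns the full chain, first URL included."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
    return chain


def registrable_domain(host):
    """Naive last-two-labels heuristic; production code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw, fetch_location=simulated_location):
    """Summarise sender authentication and where each link actually lands."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = email.utils.parseaddr(str(msg["From"]))[1].split("@")[-1]
    html = msg.get_body(preferencelist=("html",)).get_content()
    links = []
    for link in extract_links(html):
        chain = follow_redirects(link, fetch_location)
        first_host = urlparse(chain[0]).hostname
        final_host = urlparse(chain[-1]).hostname
        links.append({
            "link_host": first_host,
            "final_host": final_host,
            "hops": len(chain) - 1,
            "cross_domain_redirect": registrable_domain(first_host) != registrable_domain(final_host),
        })
    return {
        "auth": auth,
        "from_domain": from_domain,
        "links": links,
        # A passing SPF/DMARC result says nothing about the links: flag on the landing domain.
        "suspicious": any(f["cross_domain_redirect"] for f in links),
    }


if __name__ == "__main__":
    print(json.dumps(triage(RAW_EMAIL), indent=2))
```

Running it shows the point of the excerpt: `spf=pass` and `dmarc=pass` are both genuine, the `From` domain is aligned, and the link host is the brand's own marketing subdomain, so every static reputation check is satisfied. The only durable signal is the domain the link finally lands on, which a gateway only sees if it resolves the redirect chain before delivery (swap `simulated_location` for a real HEAD request with redirects disabled). The registrable-domain comparison is deliberately naive; in production use a public suffix list so that hosts under shared suffixes such as `co.uk` are compared correctly.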