Phishers Cast a Wider Net in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defense Center (PDC) has uncovered a wide-ranging attempt to harvest credentials for five different African financial institutions. Posing as a tax collection authority, adversaries seek to collect account numbers, user IDs, PINs and cell phone numbers from unsuspecting customers.

One such email, found in environments protected by Proofpoint and Microsoft, purports to come from the South African Revenue Service’s (SARS) eFiling service. It claims that a tax return deposit of R12,560.5 (South African rands), approximately $700 USD, has been made to the user’s account and urges them to click on their financial institution in order to claim it. The real sender, however, appears to be a personal Gmail address that the adversaries may have created or compromised.

Figure 1 – (Partial) Email Body

As Figure 2 shows, Proofpoint nonetheless assigned it a “phishscore” of zero.

Figure 2 – Proofpoint Header
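As an added example (not part of the Cofense post), here is the kind of triage script an analyst could run over the raw headers of a lure like this one: it compares the brand named in the From display name with the actual sending domain, flags free webmail senders and Reply-To mismatches, and reads the gateway’s phishscore so the disagreement can be reported back. The message below is constructed for illustration; the key=value layout of the X-Proofpoint-Spam-Details header and the assumed SARS sending domain (sars.gov.za) should be checked against your own environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the display name claims SARS, the real sender is Gmail.
SAMPLE_RAW = """\
From: "SARS eFiling" <tax.refund.notice@gmail.com>
To: customer@example.co.za
Subject: Tax return deposit of R12,560.5
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 spamscore=0 malwarescore=0
Content-Type: text/html

<html><body>Click on your bank to claim your refund.</body></html>
"""

# Brands the lure impersonates, mapped to the domains they are expected to send from.
# Assumption for illustration: SARS eFiling mail would come from sars.gov.za.
BRAND_DOMAINS = {"sars": {"sars.gov.za"}}

# Free webmail providers: a tax authority should never send from these.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def sender_domain(from_header):
    """Domain of the address in a From/Reply-To header, lower-cased ('' if absent)."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def proofpoint_scores(raw):
    """key=value pairs from X-Proofpoint-Spam-Details (assumed layout), e.g. {'phishscore': '0'}."""
    hdr = message_from_string(raw).get("X-Proofpoint-Spam-Details", "")
    return dict(re.findall(r"(\w+)=(\S+)", hdr))


def brand_mismatch(from_header):
    """Reason string when the display name names a brand the sending domain does not belong to."""
    display, _ = parseaddr(from_header or "")
    dom = sender_domain(from_header)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and dom not in domains:
            return f"display name claims '{brand}' but sender domain is {dom}"
    return None


def analyze(raw):
    """Return the list of findings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    dom = sender_domain(msg.get("From"))
    if dom in FREEMAIL:
        findings.append(f"sender uses free webmail domain {dom}")
    reason = brand_mismatch(msg.get("From"))
    if reason:
        findings.append(reason)
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {dom}")
    # A gateway verdict of phishscore=0 on a message with these properties is worth reporting.
    if findings and proofpoint_scores(raw).get("phishscore") == "0":
        findings.append("gateway assigned phishscore=0 despite the above")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print("-", finding)
```

The brand list is the part that needs local maintenance: each brand your users are likely to be lured with needs its genuine sending domains recorded, otherwise the display-name check cannot fire.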

Dragging and Dropping a Net

Each image embedded in the email corresponds to a different bank, and clicking any of them takes the user to a spoofed login portal for that bank. The spoofed banks are ABSA, Capitec, First National Bank (FNB), Nedbank and Standard Bank, all based in South Africa. The lookalike sites are located at 81[.]0[.]226[.]156 and hosted by Czech hosting provider Nethost. At the time of analysis, only the Standard Bank site was unavailable. Figures 3 to 6 below show the phishing portals imitating each of the other four banks.

Figure 3 – ABSA

Figure 4 – Capitec

Figure 5 – FNB

Figure 6 – Nedbank

All spoofed portals were created using Webnode, a website building service known for its friendly drag and drop features. Despite this ease of use, adversaries have kept things rather simple, as all portals are basic forms with a few or no images. The portals ask for a variety of personal information, including account numbers, passwords, PINs and even cell phone numbers.

Adversaries can read all entries directly from the form’s submission view. They can also have a notification sent to an email address of their choosing every time a submission is made; the Gmail account used to send the phishing email may well be where the adversaries learn of each new victim. Webnode also allows form submissions to be exported in XML and CSV formats.

Webnode is therefore a convenient way to store and retrieve stolen user data: no additional infrastructure is needed, and no third party has to be compromised. As the Standard Bank portal shows, discovery and takedown of a spoofed site means adversaries can lose any unretrieved submissions, but that risk seems to be offset by the ease with which replacement sites can be created.

IOCs:

Malicious URLs:

  • hxxps://absa9[.]webnode[.]com
  • hxxps://capitec-za[.]webnode[.]com
  • hxxps://first-national-bnk[.]webnode[.]com
  • hxxps://nedbank-za0[.]webnode[.]com
  • hxxps://standardbnk[.]webnode[.]com

Associated IPs:

  • 81[.]0[.]226[.]156


How Cofense Can Help:

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence™. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 38237 and a YARA rule.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Fryday – Risk Management and Phishing Defense

The very act of running an organization includes risk. Successful business leaders understand what those risks are and how to manage them. Operating information systems are no different – they are at risk by nature, but IT and security teams need to recognize those risks and manage them successfully. Here to talk about risk management and phishing defense is Pete Smith, Cofense Director of Product Management for our Triage and Vision phishing defense solutions.



Learn more about how phishing awareness training can help your organization defend against changing phishing threats.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 24, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine phishing email threats in minutes.   

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s examples see the continued use of macro-laden Microsoft Office documents, which have been a top delivery mechanism of malware for years.

TYPE: Malware – QakBot

DESCRIPTION: Response-themed emails deliver embedded URLs to VBS scripts to download the QakBot banking trojan. Because the phishing email is a reply to a legitimate chain, these attack URLs are often skipped by URL protection methods.

TYPE: Malware – Pyrogenic

DESCRIPTION: Finance-themed emails deliver embedded URLs to JAR files to download the Pyrogenic Stealer. Though obfuscated, the stealer’s code is rather straightforward, and yet it frequently avoids detection.

TYPE: Credential Theft 

DESCRIPTION: Finance-themed emails spoof a management company to deliver embedded OneNote links. The OneNote page comes in several versions, each containing links to pages crafted to steal credentials. Hosted OneNote notebooks are becoming more popular in phishing attacks.

TYPE: Malware – FormGrabber

DESCRIPTION: Order-themed emails spoofing a vendor deliver the FormGrabber malware via a CVE-2017-0199 to CVE-2017-11882 download chain. This phishing campaign is included in Cofense’s free COVID-19 YARA Rules.

TYPE: Malware – NanoCore

DESCRIPTION: Finance-themed emails deliver an embedded Dropbox link to a 7z archive containing the GuLoader executable. Once run, GuLoader downloads and executes the NanoCore RAT from Microsoft OneDrive.

TYPE: Credential Theft 

DESCRIPTION: Document-themed emails deliver embedded Google Cloud Storage (GCS) links. The links harvest email login credentials and exfiltrate to a non-GCS location.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof the United Kingdom government and HMRC to deliver links through the tinyurl and is[.]gd URL shorteners. The shorteners redirect to a phishing URL on disc[.]us that invites the recipient to ‘claim your tax refund’. The phishing page harvests personal information, credit card and issuer details.

TYPE: Malware – TrickBot

DESCRIPTION: Coronavirus-themed emails deliver an attached Excel spreadsheet which exploits CVE-2017-11882 and includes an Office Macro, both of which are used to drop and run a VBS script. This script then downloads and runs TrickBot.

TYPE: Credential Theft

DESCRIPTION: Voicemail Notice-themed emails deliver an embedded link to a credential phishing landing page that is spoofed to look like a Microsoft Outlook sign in page.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations invest in phishing awareness training for employees and provide a tool to report phishing emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


Phish Fryday – Pentesting and Phishing Defense

Organizations seek out security through various means – risk analysis, regulatory compliance, alignment to security frameworks – but can never really be sure they are secure. That’s where pentesting comes in: evaluating security controls through an attack methodology. Given the prevalence of phishing in compromises and breaches, how does pentesting take advantage of this? Here to discuss pentesting and its importance in phishing defense is Soteria co-founder Paul Ihme.



Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

Chronology of COVID-19 Phish Found in Environments Protected by Proofpoint During the Pandemic

Cofense was one of the first to report on the risk of COVID-19 themed phishing threats and launched its Coronavirus Infocenter on March 12, 2020. Since that time we’ve seen no slowdown; every day brings new examples. And while the tactics and schemes differ, one thing remains consistent: these phishing attacks are bypassing secure email gateways.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense Phishing Defense Center (PDC) found in environments protected by Proofpoint – detected by humans, analyzed with Cofense Triage, and quarantined by Cofense Vision.

Email Examples

A Credential Phish promising information about a COVID-19 vaccine that includes .png attachments and delivers a URL leading to a sharepoint.com site.

March 19, 2020

A spoofed email pretending to be from the World Health Organization delivers a malicious URL.

March 23, 2020

A Credential Phish crafted to look like a Dropbox-hosted document actually leads to storage.googleapis.com. Cofense has seen Dropbox phish since 2014.

Another Credential Phish that spoofs an organization’s Human Resources department and delivers a link to a login page designed to steal corporate credentials.

A Credential Phish crafted to look like a corporate communication provides a link to hb-bonusclaim.com and a login page designed to steal corporate credentials.

March 24, 2020

A Credential Phish with an apparent PDF attachment is actually an image linked to a Microsoft Sway-hosted page and eventually to a page designed to steal corporate credentials. Sway usage in phishing campaigns has been increasing.

March 26, 2020

A Credential Phish that appears to be a voice mail with a COVID-19 message but leads to a URL hosted on samsungusa.com.

March 29, 2020

A Credential Phish containing a link to a Dropbox-hosted resource, supposedly a PDF document, but that leads to a web page designed to steal corporate credentials.

March 30, 2020

Another Credential Phish requesting payment and prompting for corporate credentials.

March 31, 2020

A Credential Phish using a Microsoft Word attachment that redirects the victim to a Microsoft OneNote document, eventually leading to a page designed to steal corporate credentials. Read more about the use of OneNote in phishing attacks.

Another Credential Phish, this one offering an investment opportunity but delivering a link that leads to a web page designed to steal corporate credentials.

A Credential Phish designed to look like a fax transmission delivers a link leading to a web page designed to steal corporate credentials.

April 1, 2020

A Credential Phish that spoofs Microsoft SharePoint but leads to a web page designed to steal corporate credentials. Phishing attacks using SharePoint continue to be a problem for all SEGs.

April 2, 2020

A spoofed email pretending to be the US Department of Health and Human Services delivers a password-protected malicious Microsoft Word document.

April 3, 2020

A spoofed email pretending to be the World Health Organization provides a link to innocentminds.com that leads to a web page designed to steal corporate credentials.

April 5, 2020

A spoofed email pretending to be a healthcare professional delivers a Microsoft Excel document containing ZLoader, a malicious loader first seen in 2016. Read how Cofense Triage stopped a ZLoader attack.

April 10, 2020

A spoofed email pretending to be Human Resources delivers a link to a Google Docs-hosted page that leads to the installation of TrickBot, a banking trojan developed in 2016 and still seen reaching inboxes.

April 13, 2020

Another phish leveraging Google services (FirebaseStorage), this one is a Credential Phish with a URL that leads the victim to a web page designed to steal corporate credentials. Read more about attacks leveraging Google infrastructure.

A Credential Phish spoofing Outlook (Microsoft) delivers a link to a godaddysites.com hosted page, leading the victim to a web page designed to steal corporate credentials.

April 14, 2020

A Credential Phish spoofing the National Health Service promises a document noting confirmed cases of COVID-19, but leads to a web page designed to steal corporate credentials.

April 15, 2020

A Credential Phish crafted to appear like a corporate communication that leads to a Microsoft OneDrive site. The link leads to a web page designed to steal corporate credentials.

A spoofed email pretending to be a business leader is actually an attempted Business Email Compromise (BEC), seeking to trick the victim into replying.

April 21, 2020

A Credential Phish spoofing the Internal Revenue Service and promising tax relief information hosted in DocuSign. The actual link leads to playdemy.org and leads to a web page designed to steal corporate credentials.

April 24, 2020

Another spoofed email that is actually an attempted Business Email Compromise (BEC) attack using a COVID-19 theme. BEC attacks have been growing for years and SEGs still aren’t blocking them.

April 25, 2020

Yet another BEC attempt, this time from a business executive using an email reply strategy and needing gift cards.

April 28, 2020

Another COVID-19 themed phishing attack, this one embeds an image that looks like a PDF attachment but actually links to a website designed to steal corporate credentials.

Claiming to be a link to an electronic fax from “The Fax Team”, the embedded link actually leads to a website designed to steal corporate credentials.

April 29, 2020

More COVID-19 themed phishing attacks, this one providing a link to a trusted Dropbox source. The victim is led to a website designed to steal corporate credentials.

May 4, 2020

Spoofing the Internal Revenue Service, this phishing attack delivers an embedded link that leads to a website designed to steal corporate credentials. Read more in the Cofense Blog.

May 5, 2020

Another phishing attack using a Dropbox link to lead the victim to a website designed to steal corporate credentials.


May 6, 2020

This phishing attack spoofs the Public Health Agency of Canada and delivers a link that will lead the victim to a website designed to steal credentials.


Spoofing a well-known bank, this phishing attack purports to have a large file needing to be downloaded from a Microsoft Excel Document Portal but will lead the victim to a website designed to steal credentials.


Another spoof of the Public Health Agency of Canada, this one also delivers a link that leads to a website designed to steal credentials.


This phishing attack embeds an image that looks like email content. Clicking it leads the victim to a website designed to steal credentials.


May 7, 2020

Combining a COVID-19 theme with an emergency request by an executive, this Business Email Compromise attempts to lure the victim into purchasing gift cards.


May 8, 2020

Looking to capture Netflix credentials, this phish may take advantage of people’s propensity for password re-use, putting corporate credentials at risk. Netflix spoofs aren’t just for consumers anymore.


May 10, 2020

Another BEC, this one pretending to be the financial director, tricks the victim into sending the attacker outstanding invoices, which can be used in attacks against 3rd parties.


May 11, 2020

Another embedded image designed to look like an attachment but actually leading to a credential-stealing website.


With some organizations offering employees a spam filtering service, phishing threat actors are disguising their attacks as notices of pending deliveries. This link, however, leads to a website crafted to steal credentials.


May 14, 2020

Cloud sharing platforms like Dropbox are often trusted by organizations and employees alike. This phishing attack exploits that trust to direct the recipient to a malicious website designed to steal credentials.


Another phishing email that embeds an image designed to look like an attachment. Clicking the image takes the victim to a website designed to steal credentials.


May 18, 2020

This spoof of a financial “partner” is actually a Business Email Compromise attempt seeking to lure the victim into a financial transaction.


The problem of malicious emails evading secure email gateways is not going away. No perimeter control can keep up with the velocity of shifting techniques used by attackers. That’s why a well-conditioned workforce and a security operations team equipped with the tools needed to rapidly detect and quarantine threats is imperative.

Want to discover more about the phishing attacks your SEG is missing? Sign up for 3 free months of Cofense Intelligence, the best human-vetted phishing intelligence in the world.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 17, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint.  We note that the vast majority are Credential Theft attacks, which Cofense predicted would surge over 15 months ago. Today, they still remain a significant threat.

TYPE: Malware – Agent Tesla

DESCRIPTION: In 2019, Cofense Intelligence identified the Agent Tesla keylogger as a top phishing threat. 7 months later, this malware is still reaching inboxes. This example delivered an embedded URL, luring the victim with a purchase order.

TYPE: Credential Theft 

DESCRIPTION: Phishing threat actors love to leverage the trust that their victims and their SEGs place in online hosting platforms. This attack starts with a WeTransfer link that eventually steals email credentials via a Microsoft OneDrive-hosted file.

TYPE: Credential Theft 

DESCRIPTION: This attack takes a page from the spammer’s guidebook, seeking to obfuscate the sender address to slip through perimeter defenses. It spoofs Netflix to deliver a shortened URL leading to a phishing page.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attacks are both popular and successful at reaching inboxes to victimize recipients. This phish takes advantage of familiarity with Microsoft Office 365 to trick victims into clicking the embedded link and giving up their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Many organizations let their SEG filter questionable email and empower the recipients to review and allow or block. Crafty phishers spoof the concept to get their victims to click the links. These lead the victim to a website designed to steal their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Another phish exploiting a trusted platform. This example spoofs the Adobe Document Cloud with an image linked to a website designed to steal Adobe login credentials.

TYPE: Credential Theft

DESCRIPTION: Using Coronavirus as the premise, this attack spoofs a legitimate bank informing the recipient that they need a new bank card. The attackers steal not only the victim’s banking credentials, but their address, phone number and PIN.

TYPE: Credential Theft 

DESCRIPTION: Have we mentioned that attackers leverage trusted platforms? This phish offers a Microsoft OneDrive-hosted invoice in PDF form. It collects the victim’s login credentials and then redirects them to a legitimate PDF hosted by the Federal Reserve.

TYPE: Credential Theft

DESCRIPTION: Yet another attack using Microsoft infrastructure – this time SharePoint – to host portions of the attacker’s campaign. This one is a hosted PDF leading to a web page designed to steal credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


MFA Bypass Phish Caught: OAuth2 Grants Access to User Data Without a Password

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defense Center (PDC) uncovered a phishing tactic that leverages the OAuth2 framework and the OpenID Connect (OIDC) protocol to access user data. The phish is not a typical credential harvester, and even if it were, Multi-Factor Authentication (MFA) wouldn’t have helped. Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.

Using the lure of a Q1 bonus, the email is crafted to appear to be a normal invite to a SharePoint hosted file. The prospect of receiving an increase to their salary is an effective lure that can lead users to fall prey.

Figure 1 – Email Body

After clicking on the link, users are taken to the legitimate Microsoft Office 365 login page at https://login.microsoftonline.com (Figure 2). However, if one inspects the URL in its entirety, which average users are unlikely to do, a more sinister purpose is revealed.

Figure 2 – O365 Login Page

Anatomy of a URL

First, a quick primer: applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph, but they must first obtain an access token from the Microsoft identity platform. This is where OAuth2 and OIDC come in: OIDC authenticates the user who will be granting access, and, if authentication succeeds, OAuth2 authorizes (delegates) that access to the application. None of this exposes the user’s credentials to the application.

Figure 3 – Entire URL

The response_type parameter tells the Microsoft identity platform’s /authorize endpoint what the application wants back. Here both an ID token and an authorization code (id_token+code, the hybrid flow) are requested. The application later exchanges the code at the /token endpoint for an access token, which it then presents to Microsoft Graph to read the data.

Next, the redirect_uri parameter indicates where authorization responses, including tokens and authorization codes, are sent. Here they go to hxxps://officehnoc[.]com/office, a domain masquerading as a legitimate Office 365 entity, located at 88[.]80[.]148[.]31 in Sofia, Bulgaria and hosted by BelCloud. Because the identity platform only redirects to URIs registered for the application, this also tells us the adversaries registered the rogue application with that redirect themselves.

Moving on, the scope parameter lists the permissions the user is asked to grant to the application (“%20” is a URL-encoded space). These allow the application to read (Read) and/or modify (Write) specific resources for the signed-in user. If the “All” suffix is present, the permission extends to every such resource the user can reach.

For example “contacts.read” enables the application to read only the user’s contacts, whereas “notes.read.all” allows it to read all OneNote notebooks the user has access to, and “Files.ReadWrite.All” to both read and modify (create, update and delete) all files accessible to the user, not only his or her own.

If the attackers were successful, they could grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information. Once the attacker has sensitive information, they can use it to extort victims for a Bitcoin ransom. The same permissions can also be used to download the user’s contact list to be used against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.

Perhaps most concerning, however, is “offline_access”. Because access tokens expire, this permission lets the application obtain refresh tokens, which can be exchanged for new access tokens. Users therefore need only authenticate and approve the permissions once to potentially enable indefinite access to their data, until the grant is revoked.

Finally, we find openid and profile which are technically scopes in themselves; openid indicates the application uses OIDC for user authentication, while profile provides basic information such as the user’s name, profile picture, gender and locale among others. This information, known as claims, is sent to the application in the ID token issued by the /authorize endpoint.
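As an added example (not from the post), the following script pulls apart an authorization URL of the kind shown in Figure 3 and flags the features discussed above: the hybrid response_type, a redirect_uri outside any expected domain, and scopes carrying offline_access or the All suffix. The URL is constructed to match the description; the client_id is a made-up GUID, the trusted redirect domains are an assumption, and only the redirect host is taken from the post’s IOCs.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample of the authorization URL described above. The client_id is a
# made-up GUID; the redirect host is the one from the post's IOCs.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=id_token+code"
    "&redirect_uri=https%3A%2F%2Fofficehnoc.com%2Foffice"
    "&response_mode=form_post"
    "&scope=openid%20profile%20offline_access%20contacts.read%20notes.read.all"
    "%20Files.ReadWrite.All%20Mail.Read"
    "&nonce=abc123"
)

# Domains your organisation would expect its own apps to redirect to (assumption).
TRUSTED_REDIRECT_DOMAINS = ("microsoft.com", "office.com", "example.com")


def parse_authorize_url(url):
    """Query parameters of an OAuth2/OIDC authorization request; list-valued fields are split."""
    q = parse_qs(urlparse(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in q.items()}
    # parse_qs already turns '+' and '%20' into spaces; both fields are space-delimited lists.
    params["response_type"] = params.get("response_type", "").split()
    params["scope"] = params.get("scope", "").split()
    return params


def trusted_host(host):
    """True if the redirect host is one of, or under, the expected domains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_DOMAINS)


def assess(url):
    """(severity, reason) findings explaining why an authorization request is dangerous."""
    p = parse_authorize_url(url)
    findings = []
    if "code" in p["response_type"]:
        findings.append(("high", "requests an authorization code, exchangeable at /token for a Graph access token"))
    host = (urlparse(p.get("redirect_uri", "")).hostname or "").lower()
    if not trusted_host(host):
        findings.append(("high", f"codes and tokens are delivered to untrusted redirect host {host}"))
    for scope in p["scope"]:
        s = scope.lower()
        if s == "offline_access":
            findings.append(("high", f"{scope}: refresh tokens keep access alive after the session ends"))
        elif s.endswith(".all"):
            findings.append(("high", f"{scope}: covers every such resource the user can reach"))
        elif "readwrite" in s or s.endswith(".write"):
            findings.append(("medium", f"{scope}: grants modify access"))
        elif s.endswith(".read"):
            findings.append(("low", f"{scope}: read-only access to the user's own data"))
    return findings


if __name__ == "__main__":
    for severity, reason in assess(SAMPLE_URL):
        print(f"[{severity}] {reason}")
```

The same parser can be pointed at the consent URLs in a proxy log or at links extracted from reported emails; the redirect host check is the one that needs local tuning, since a legitimate third-party app will redirect to its own domain.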

After signing in, the user is asked one last time to confirm that he or she wants to grant the application these permissions. If the user approves, it falls to tenant administrators to spot and revoke consent for suspicious applications; in Azure AD the grants are visible under Enterprise applications, and user consent can be restricted so that only administrators may approve applications requesting permissions like these.

The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.

Network IOC:

  • hxxps://officehnoc[.]com:8081/office

IP:

  • 88[.]80[.]148[.]31


How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.


Phish Fryday – Beyond the Inbox

Even with users reporting phishing attacks and the best analysis and response tools, there’s a chance someone has already become a victim. Security teams must race the clock to find Indicators of Compromise to identify infected endpoints and spreading malware. In this episode, we’re joined by Alan Rainer, Senior Threat Analyst at Kivu Consulting to discuss how anti-phishing solutions can go beyond the inbox to find and neutralize threats.


New Phishing Scam Targets Teleworkers with Bogus Microsoft Teams Notification

By: Kian Mahdavi, Cofense Phishing Defense Center

With the influx of remote workers, it’s a perfect opportunity to flood people’s inboxes with malicious emails and fake links. The Cofense Phishing Defense Center (PDC) recently uncovered a phishing campaign that targets employees to harvest their Microsoft credentials. Ironically, the phish was found in an environment protected by Microsoft’s own secure email gateway (SEG). The phishing email, which was reported to the PDC using the Cofense Reporter button, included a well thought out “AudioChat” notification link supposedly from Microsoft Teams.

Teams is one of the most popular platforms for remote employees. Predictably, the threat actors have taken this into consideration – especially during the COVID-19 pandemic with millions of people teleworking. We expect this trend to continue with similar communication platforms.

Figure 1: Email Body of an official Microsoft Teams example notification

Figure 2: Email Body of illegitimate Microsoft Teams notification

Credit where credit’s due, we were impressed by the effort of the threat actor and their high-quality social engineering tactics. The subject line reads “Chat Message in Teams”- is this just an ordinary notification?

The email closely matches Microsoft’s genuine notification: the font size, colors and overall layout are the same, and it even includes the generic ‘tips’ section towards the bottom of the message, visible in Figure 2. There are nonetheless a few tell-tale signs that this is a phish. The most obvious is the sender’s lengthy spoofed email address:

matcnotification[.]teamadmin_audidsenderderweeu44we7yhw[@]ssiconstructionnw[.]com

The words “notification” and “teamadmin” have been skilfully worked into the local part of the address. More importantly, the sending domain, ssiconstructionnw[.]com, contains no reference to Microsoft at all: it belongs to a construction company in Seattle, Washington, whose domain the attacker has appropriated. Because the domain is a legitimate one, the message passes basic email authentication checks such as SPF and DKIM, and the landing page (Figure 3, below) is served over HTTPS, so the browser shows the familiar padlock: a valiant effort on behalf of the threat actor.

On top of that, the text reads: “Teammate sent you an offline message.” Note the generic word “teammate” rather than the sender’s name. Contradicting itself, the email shows an initial (JC) for the supposed sender in the avatar, further undermining the email’s credibility.

As mentioned above, the user is requested to click on the “16 second AudioChat,” and once hovered, displays the following link:

hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20

The user’s email address (now redacted) is embedded in the URL above. Companies often deploy email protection solutions that rewrite URLs, so hover links end up prefixed with security-sounding phrases. In this campaign the hover link begins with “safelinks.protection”, the prefix of a Microsoft Safe Links rewrite, which could reassure inquisitive readers who overlook the rest of the URL and click.
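As an added example (not part of the Cofense post), the function below strips Safe Links wrapping so that the true destination, rather than the reassuring safelinks.protection prefix, is what gets checked against the brand the email claims to come from. The wrapper around the campaign-archive URL above is constructed (the region prefix and the data/sdata values are placeholders), and the list of genuine Teams hosts is an assumption.

```python
from urllib.parse import urlparse, parse_qs

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed Safe Links wrapper around the first-stage URL from the post; the region
# prefix and the data/sdata values are placeholders.
SAMPLE_WRAPPED = (
    "https://nam01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fus19.campaign-archive.com%2F%3Fu%3D0dce22c9638fc90b5c17ea20a%26id%3D6652f42d20"
    "&data=02%7C01%7Cplaceholder&sdata=placeholder&reserved=0"
)

# Hosts a genuine Teams notification would link to (assumption for illustration).
TEAMS_HOSTS = ("teams.microsoft.com", "microsoft.com", "office.com")


def unwrap_safelinks(url, max_depth=5):
    """Return the URL underneath any (possibly nested) Safe Links wrapping."""
    for _ in range(max_depth):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host.endswith(SAFELINKS_SUFFIX):
            return url
        inner = parse_qs(parsed.query).get("url")
        if not inner:              # wrapper without a target: nothing to unwrap
            return url
        url = inner[0]
    return url


def final_host(url):
    """Lower-cased hostname of the unwrapped link ('' if it has none)."""
    return (urlparse(unwrap_safelinks(url)).hostname or "").lower()


def points_at_brand(url, brand_hosts=TEAMS_HOSTS):
    """True only if the unwrapped link lands on one of the brand's real hosts."""
    host = final_host(url)
    return any(host == h or host.endswith("." + h) for h in brand_hosts)


if __name__ == "__main__":
    print("real target:", unwrap_safelinks(SAMPLE_WRAPPED))
    print("looks like Teams:", points_at_brand(SAMPLE_WRAPPED))
```

Unwrapping matters for detection as much as for users: a hash or domain lookup run against the wrapped form sees only the gateway’s own hostname and will never match an IOC list.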

Figure 3: Initial Phishing Page

The phishing page above, to which users are forwarded, is an almost picture-perfect replica of Microsoft’s own, apart from the forged URL in the address bar. Clicking ‘Open Microsoft Teams’ should launch the Teams application; instead the user is detoured to the final link of the attack:

hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/

Figure 4: Secondary Phishing Page

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Indicators of Compromise:

Network IOCs:

  • hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20
  • hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/

IP:

  • 104[.]118[.]190[.]227


How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.
