Staff Members’ Inbox Positive for Coronavirus Themed Phish

By Ashley Tran, Cofense Phishing Defense Center

From prime ministers, members of congress to celebrities and staff of nursing homes — many have been affected by COVID-19. And the worst part? Threat actors know this and are heavily weaponizing this pandemic, exploiting the fears and concerns of users everywhere. The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign found in environments protected by Microsoft and Symantec that not only impersonates a company’s management but also suggests that a fellow employee has tested positive for the disease, urging users to read an enclosed malicious attachment posed as “guidelines” or “next steps.”

As we have seen before and noted in previous Cofense blogs and media stories, Coronavirus themed phishing attacks are running rampant and attacking users across all industries. Although the attacks vary in method, the main takeaway is the same: all users must exercise the utmost caution and restraint in the face of emotionally jarring emails.

Figures 1-3: Email Bodies

The PDC has found multiple instances of this attack and a trend among them all. As demonstrated in Figures 1-3, the email subject lines are relatively similar: “Staff Member Confirmed COVID 19 Positive ID,” followed by a random string of numbers and that day’s date. The emotion these subject lines evoke in users are also the same: fear and curiosity. Emails appearing to be a “Team Update on COVID 19” and bearing their company’s name can convince end users to believe the email was sent internally. However, the true senders are revealed via the return paths:

Maga[@]tus[.]tusdns[.]com and ungrez[@]ssd7[@]linuxpl[.]com

Admittedly these emails would appear suspicious to most, but the threat actor is relying on the emotional subject line to overcome logic and push users to read just the first line of the sender information and nothing more.

The bodies of the emails have more variety and are worded differently, but the same main point: a fellow employee has the virus, so read this guideline we’ve attached to get more details or at least learn the “next steps” to take. To top it off the email is signed by “Management.”

The true part of this attack lies within the HTML file found in the email.

Figure 4 shows that the attachment has been detected as malicious by a multitude of services, however users won’t see this when they read the email.

Figure 4: VirusTotal Analysis

Figure 5: Phishing Page

Upon opening the attachment users are presented with a generic Microsoft login page, a frequently targeted brand. The difference with this phish, however, is the threat actor has superimposed the login box over a blurred document that may appear to users as the previously mentioned “guidelines” lending an even greater sense of legitimacy.

The email of the recipient is automatically appended to the username field via code in the HTML. In fact, the threat actor has painstakingly put the base64 for each of the recipient’s email addresses, which is then translated to a readable format when interacting with the phish. This snippet of code can be observed in Figure 6.

Figure 6: Email Bodies

Once a user navigates to the next page and inputs their password, the information is then sent to the compromised site:

hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423

This exchange of information can be viewed by opening developer tools on any browser and navigating to the networking tab as shown in Figure 7.

Figure 7: Phishing Page

The code found within the HTML file that hosts the phishing content employs typical malicious tactics. For example, as seen in Figure 8, the code does not look like a typical HTML code. This is because the threat actor has attempted to obfuscate their code, to make analysis as well as detection harder. However, this is nothing new for phishing campaigns that choose to utilize a HTML file. De-obfuscating the code and revealing some its methods is not difficult.

Figure 8: Obfuscated Code

To begin, the code is notably broken into different parts. Each of these parts may stand out to anyone with an eye for encoding as being Hex text and base64. These both can easily be decoded back into their original form, the true HTML code, by utilizing tools such as RapidTables and Base64 Decode.

Figure 9: De-obfuscated Code

After de-obfuscating the code, the true HTML is seen in Figure 9, revealing the threat actor has compromised, or at the very least utilized, a compromised site to host the style sheet for their phish:

hxxp://ibuykenya[.]com/vendor/doctrine/styles[.]css

Figure 10: Open Directory with Phish Resource Files

The following is the directory which the threat actor has used to store the style sheet for the phish, along with what appears to be two additional files, based on their last modified dates.

Within the code, the image seen in the background of the document can also be recovered. The image is hosted on ImgBB, yet another relatively benign image hosting site to which threat actors flock to host images for their attacks.

hxxps://i[.]ibb[.]co/dMcjCWC/image[.]png

Figure 11: Document Preview from Phish

Upon closer observation, the title of the document can be obtained. With a quick search, the image the threat actor has used to further legitimize this login page in the eyes of the user can be linked back to the legitimate document found in Figure 12.

Figure 12: Legitimate Document Utilized by Threat Actor

All these steps – the social engineering, the obfuscated code, use of official COVID health advisories and more-are designed to ensure users don’t detect the phishing attack is in progress. This phish also demonstrates the attacker’s need to employ layered techniques designed to avoid detection by email gateways, as well as the incident responder’s need for the right investigative tools to properly analyze, detect and quarantine this threat.

Network IOC  IP
hxxp://tokai-lm[.]jp/style/89887cc/5789n[.]php?98709087-87634423 150[.]60[.]156[.]116

 

How Cofense Can Help

Visit Cofense’s Coronavirus Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots and YARA rules as we continue to track campaigns. (edited) 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 3, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint, which were detected by humans, analyzed with Triage, and quarantined by Vision.  

TYPE: Credential Theft 

DESCRIPTION: Phishing campaign spoofs the South African Revenue Service delivering embedded links to an illegitimate banking site established to steal credentials. 

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing campaign related to N95 masks delivering embedded links leading to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Quote Request-themed phishing campaign redirecting the victim to a Microsoft OneDrive page that led to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Purchase Order-themed phishing campaign redirecting the victim to a Dropbox page that led to a website established to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Invoice-themed phishing campaign delivering embedded links that lead to a website established to steal Outlook login credentials.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign delivering an embedded link to a Microsoft SharePoint-hosted OneNote document that leads to a website established to steal Office365 credentials.

TYPE: Malware – Banload

DESCRIPTION: Finance-themed phishing campaign delivering an embedded link to a Microsoft OneDrive-hosted .zip archive containing Banload malware.

TYPE: Credential Theft 

DESCRIPTION: Finance-themed phishing campaign delivering a .htm file crafted to look like an online document and prompting for email credentials to confirm the victim is not a robot.

TYPE: Malware – QakBot

DESCRIPTION: Response-themed phishing campaign delivering embedded links to VBS scripts that download the QakBot banking trojan.

TYPE: Credential Theft 

DESCRIPTION: Information-themed phishing campaign delivering embedded links to Google-hosted pages leading the victim to a page established to steal Office365 credentials.

TYPE: Malware – NanoCore

DESCRIPTION: Document-themed phishing campaign delivering embedded links to Microsoft OneDrive-hosted pages hosting GuLoader, which downloads the NanoCore Remote Access Trojan from Google Drive.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign spoofing a construction design and build organization delivering embedded Microsoft OneNote links that lead to a website crafted to steal email credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack.

We typically find 1 out of 7 employee-reported emails to be malicious.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Targeted Attack Uses Fake EE Email to Deceive Users

By Kian Mahdavi and Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a spear-phishing campaign designed to defraud corporate executives’ payment details by spoofing EE, a well-known UK-based telecommunications and internet service provider.  These spear phishing messages were reported to the Cofense PDC by end users whose email environments are protected by Microsoft 365 EOP and Symantec. This new, targeted campaign shows that while exploiting well-known telecommunications brands is nothing new, such phishing emails continue to go undetected by popular email gateways designed to protect end users, leading to possible theft of prized corporate credentials

Figure 1: Email Body

Threat actors sent a targeted email to a few executives, including one at a leading financial firm, with the subject line reading ‘View Bill – Error’ from a purchased top-level domain (moniquemoll[.]nl). These details in and of themselves may raise red flags to eagle-eyed recipients, as EE’s trademarked name isn’t included in any part of the full email address.

The malicious URL inserted within the text is:

hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo

The vague email indicates ‘we’re working to get this fixed’. At no point does the email give an indication what this error is. As we read on, the second hyperlink states ‘view billing to make sure your account details are correct’ to entice the recipient to click the phishing link.

The threat actor fails to include the correct registered office address, evident towards the bottom of the email. Once the threat actor’s social engineering does the trick and the user clicks one of the links, they are redirected to a phishing page.

Noted in Figure 2 below is the trusted HTTPS protocol (also displayed as the green padlock) within the URL, giving false hope to the user that network traffic is being encrypted, ensuring all data transferred between the browser and website is secure and not being eavesdropped on.

However, the threat actor even went to the trouble of obtaining SSL certificates for the domain to further gain end users’ trust. In fact, it has become much easier for site owners, including fraudsters, to obtain these certificates.

Figures 2 and 3: First and second phishing pages

The peculiar aspect is the message in which the threat actor included: ‘You will not be charged’ to reassure recipients and trick them into providing their payment information.  The user is then automatically redirected to the legitimate EE website, as displayed below in Figure 4, to avoid suspicion. This is a common tactic to make the user believe the session timed out or their password was mistyped.

Figure 4: Legitimate Redirect Login Page

At the time of writing, the phishing page is still live and active. To further validate the analysis of the investigation, we decided to input some fake credentials, allowing us to verify the transmitted TCP requests and redirects to the fraudster’s domain at hXXps://kbimperial[.]com/data[.]php.

Figure 5: TCP Retransmission Packets

Indicators of Compromise:

Network IOC IP
hXXps://fly-guyz[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/
hXXps://kbimperial[.]com/ee[.]co[.]uk[.]edcnymdsqmnydqnyo/logins
hXXps://kbimperial[.]com/data[.]php?
104[.]31[.]82[.]7
104[.]31[.]83[.]7
35[.]208[.]71[.]62

 

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Fryday – Pragmatic Threat Intelligence

Cybersecurity professionals are noted for their suspicious nature. They have to have it. But, whereas we can imagine a million threat vectors, there’s only so much time in the day and we’re forced to prioritize where we spend our resources protecting our organization. That’s where phishing threat intelligence comes in. Active threats and tactics – seen in the wild – can be more important to your organization’s defense than all the 0-days your mind can imagine. To discuss the pragmatic application of threat intelligence is Cofense Manager of Intelligence Solutions Engineering, Wes Smiley.

Resources:

Cofense Intelligence

Questions or comments? Reach us at [email protected]

Discover how phishing awareness training can help your organization defend against changing phishing threats.

Cofense Announces Additional Investment by BlackRock and Appointment of Tom McDonough to Board of Directors

LEESBURG, Va. – April 28, 2020 – Cofense®, the global leader in intelligent phishing defense solutions, today announced the appointment of Tom McDonough to its Board of Directors as well as an additional investment from funds managed by BlackRock Private Equity Partners to support Cofense’s growth strategies. Initially inked in 2018 and expanded in 2019, Cofense’s continued partnership with BlackRock provides additional growth capital to advance research and development as well as further the company’s global expansion.

“We are pleased to build upon our relationship with BlackRock following one of our strongest quarters in company history,” said Rohyt Belani, Cofense co-founder and chief executive officer. “Combined with recent enhancements to Cofense’s leadership structure and the addition of Tom to our board of directors, the company is well positioned to meet growth and profitability targets in the coming year.”

Cofense’s security operations offerings, Cofense Triage and Cofense Vision, help organizations stop phishing attacks in their tracks by detecting, identifying, and rapidly quarantining malicious emails that evade secure email gateways (SEGs) every day. Cofense has close to 2,000 enterprise clients in over 150 countries, representing every major vertical from energy, financial, healthcare to manufacturing and high technology. Since January 2020, Cofense has achieved the Federal Risk and Authorization Management Program (FedRAMP) In Process designation, launched a COVID-19 phishing resource center to help protect organizations and end users during this public health emergency, and expanded its leadership team with key executive additions from organizations such as Proofpoint. Poised for its next phase of growth, Cofense will continue investing in R&D to provide their customers with peak phishing defense across the organization.

As the newest member of Cofense’s board of directors, McDonough brings a proven track record of building and optimizing the performance of highly motivated teams that generate predictable revenue and profitable growth. During his career as an experienced board member and operating executive, including roles with Cisco and Sourcefire, he has managed private, early stage and public companies through international expansion, venture financing, IPOs, acquisitions and integration. McDonough’s extensive experience leading cyber security companies through hyper growth and major market transitions has contributed to the creation of more than $5B in shareholder wealth through two IPOs and four acquisitions at four different companies.

“It is truly an honor to join Cofense’s team as a board member,” said McDonough. “By putting the customer and innovation front and center, Cofense has developed and sustained a strong portfolio of solutions and established its position as a global leader in intelligent phishing defense. Looking ahead, I am very confident that Cofense’s vision, focused execution, expert team and robust product pipeline will enable the company to add to its history of growth and development.”

###

About Cofense
Cofense®, the leading provider of intelligent phishing defense solutions worldwide, is uniting humanity against phishing. The Cofense suite of products combines timely attack intelligence on phishing threats that have evaded perimeter controls and were reported by employees, with best-in-class security operations technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise. For additional information, please visit www.cofense.com or connect with us on Twitter and LinkedIn.

Media Contact
[email protected]

Phish Fryday – Phishing Defense

Phishing attacks are different than other attacks – they tend to be technology light and social manipulation heavy. Defending against these attacks requires a unique set of skills and tools. In this episode we speak with Cofense Director of Product Management Pete Smith to discuss the tools and skills needed for effective phishing defense.

Questions or comments? Reach us at [email protected]

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

This Phish Uses Skype to Target Surging Remote Workers

By Harsh Patel

The Cofense Phishing Defense Center (PDC) recently unearthed a new phishing campaign spoofing Skype, the popular video calling platform that has seen a recent spike in use amid the need to keep employees connected as they work remotely. This phishing attack was found in email environments protected by Proofpoint and Microsoft 365 EOP, landing in end-users’ inboxes.

With so many people working from home, remote work software like Skype, Slack, Zoom, and WebEx are starting to become popular themes of phishing lures. We recently uncovered an interesting Skype phishing email that an end user reported to the PDC.

Figures 1 and 2: Email Body

For this attack, the threat actor created an email that looks eerily similar to a legitimate pending notification coming from Skype. The threat actor tries to spoof a convincing Skype phone number and email address in the form of 67519-81987[@]skype.[REDACTED EMAIL]. While the sender address may appear legitimate at first glance, the real sender can be found in the return-path displayed as “sent from,” which also happens to be an external compromised account. Although there are many ways to exploit a compromised account, for this phishing campaign the threat actor chose to use it to send out even more phishing campaigns masquerading as a trusted colleague or friend.

It is not uncommon to receive emails about pending notifications for various services. The threat actor anticipates users will recognize this as just that, so they take action to view the notifications. Curiosity and the sense of urgency entice many users to click the “Review” button without recognizing the obvious signs of a phishing attack.

Upon clicking ‘Review’ users will be redirected via an app.link:

hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5

Finally, to the end phishing page:

hxxps://skype-online0345[.]web[.]app

The threat actor has chosen to utilize a .app top-level domain to host their attack. This TLD is backed by Google to help app developers securely share their apps. A benefit of this top-level domain is that it requires HTTPS to connect to it, adding security on both the user’s and developer’s end, which is great…but not in this case. The inclusion of HTTPS means the addition of a lock to the address bar, which most users have been trained to trust. Because this phishing site is being hosted via Google’s .app TLD it displays this trusted icon.

Figure 3: Phishing Page

Clicking the link in the email, the user is shown an impersonation of the Skype login page. If a well-trained user inspects the URL, they will see that the URL contains the word Skype (hxxps://skype-online0345[.]web[.]app). To add even further sense of authenticity, the threat actor adds the recipient’s company logo to the login box as well as a disclaimer at the bottom warning this page is for “authorized use” of that company’s users only. The username is auto-filled due to the URL containing the base64 of the target email address, thus adding simplicity to the phishing page and leaving little room for doubt. The only thing left for the user to do is to enter his or her password, which then falls into the hands of the threat actor.

 

Network IOCs
hxxps://jhqvy[.]app[.]link/VAMhgP3Mi5
hxxps://skype-online0345[.]web[.]app

Discover how cybersecurity awareness training can help your organization defend against changing phishing threats.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time-based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Available Today: The Cofense Intelligence Q1 2020 Phishing Review

By Mollie MacDougall, Cofense Intelligence

Today, Cofense Intelligence released its Q1 2020 Phishing Review. This report highlights key phishing trends uncovered by Cofense Intelligence analysts, who spend every day analyzing current phishing campaigns and producing actionable phishing intelligence. This intelligence keeps our customers proactively defended against emerging phishing tactics, techniques and procedures (TTPs). Our analysts focus on campaigns that reach enterprise user inboxes, and report on the TTPs designed to evade secure email gateways (SEGs) and other network defense technology.

Report Highlights

The first quarter of 2020 began with a continued seasonal lull in malware volume and ended with a drastic spike in the quarter’s last six weeks, as the COVID-19 virus evolved from emerging crisis to global pandemic. While Emotet volume overall was lower than expected, phishing campaigns leveraging COVID-19 and remote work themes surged in March 2020.

Figure 1: Credential phishing campaign that leveraged COVID-19

While the widespread use of ransomware has not returned to its peak, Cofense Intelligence analyzed targeted ransomware campaigns using themes that leveraged the global pandemic. Ransomware operators have also upped the ante on several campaigns, combining ransomware infection with a data breach and releasing sensitive data if ransom is not paid. This strategy has garnered a great deal of attention in recent headlines, as it further extorts organizations who are prepared to recover from ransomware campaigns and otherwise would not pay off their attackers.

Several campaigns discovered by Cofense Intelligence last quarter used trusted sources to evade perimeter defenses. Organizations rely on trusted platforms and services to conduct efficient business operations, and threat actors are eager to abuse these trusted services to compromise users. Cofense Intelligence has analyzed multiple campaigns that have used trusted sources as a part of the infection chain. These sources include, but are not limited to, cloud services, customer/employee engagement surveys, and third-party connections.

Read our Q1 2020 Phishing Review for more detailed trends identified by Cofense Intelligence and to see our phishing predictions for the  months ahead. Spoiler alert: phishing campaigns are likely to increasingly focus on the upcoming United States general election as well as the global pandemic and the work and lifestyle shifts it has precipitated. We also assess that ransomware campaigns will very likely continue to increase. Finally, we predict that Emotet will again resume phishing campaigns in Q2.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Masquerade as HR Departments to Steal Credentials through Fake Remote Work Enrollment Forms

By: Kian Mahdavi, Cofense Phishing Defense Center

With the escalation of COVID-19, organizations are rapidly adjusting as they move their workforce to work from home; it’s no surprise that threat actors have followed suit. Over the past few weeks, the Cofense Phishing Defense Center (PDC) has observed a notable uptick in phishing campaigns that exploit the widely used Microsoft Sway application to steal organizational credentials and to host phishing websites. Sway is a free application from Microsoft that allows employees to generate documents such as newsletters and presentations and is commonly used by professionals to conduct their regular day to day work tasks.

In a new campaign, threat actors send emails with subject lines such as ‘Employee Enrollment Required’ and ‘Remote Work Access.’

Figure 1: Email body

The sender in Figure 1 claims to come from ‘Human Resources.’ Closer inspection, however, reveals the actual sender’s address – a purchased domain address ‘chuckanderson.com’ with no association to the HR team or the organization’s official mailing address.  The attack includes carefully thought out trigger words, such as ‘expected’ and ‘selection/approval,’ language that often trips up employees who are accustomed to receiving occasional emails from their local HR team, especially during this pandemic. Should users hover over the link within the email, however, they would see ‘mimecast.com’ along with ‘office.com,’ potentially and mistakenly deeming these URL(s) as non-suspicious.

By using trusted sources such as Sway to deliver malware or steal corporate credentials, such campaigns often evade Secure Email Gateways (SEGs) thanks to the trusted domains, SSL certificates and URL(s) used within the email headers.

Figure 2: Cofense PDC Triage flagging the known malicious URL

Numerous employees across a variety of departments within the same company received and reported this email to the Cofense PDC, with each email consistently redirecting users to similar Sway URLs.  These URLs were already known by our Cofense Triage solution and were identified as malicious, providing valuable context for our PDC analysts when they commenced their investigation.

As previously discussed, as legitimate domains and URLs were used, these campaigns remained undetected for longer periods of time, likely leading to a higher number of compromised account credentials. On the other hand, malicious content hosted on purpose-built phishing sites usually gets flagged much quicker, taken down earlier, and therefore leading to a much shorter ‘time to live’ period. In short, this attack was easy to execute, required minimal skill, and remained undetected by security technologies.

Figure 3: Virus Total URL Analysis  

Upon conducting a web search using reliable threat intelligence feeds, as shown above in Figure 3, the authenticity of URLs can be verified against trusted security vendors that have recently detected the attack, flagging them as ‘malicious/phishing’. Displayed in the top right-hand side of Figure 3 is the timestamp revealing the latest known update from a security vendor.

Figure 4: First phase of phishing page

Awaiting the user is the bait on a generic looking page, a ‘BEGIN ENROLLMENT’ button and once clicked, redirects to a document hosted on SharePoint as seen below in Figure 5.

Figure 5: Second phase of phishing page

Once employees enter their credentials and hit the ‘Submit’ button, their log-in information is sent to the threat actor – the end user is none the wiser that they have been successfully phished.

As employees have rapidly shifted to remote working, threat actors have started to look at ways they capitalize on the COVID-19 pandemic to spoof new corporate policies and legitimate collaboration tools to harvest valuable corporate credentials, a trend we anticipate will only continue to gain steam in the foreseeable future.

Indicators of Compromise:

First Hosted URL IP Address
hXXps://sway[.]office[.]com/5CgSZtOqeHrKSKYS?ref=Link 52[.]109[.]12[.]51

 

Second Hosted URL IP Address
hXXps://netorgft6234871my[.]sharepoint[.]com/:x:/r/personal/enable_payservicecenter_com/_layouts/15/WopiFrame[.]aspx 13[.]107[.]136[.]9

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots as we continue to track campaigns.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.