Credential Phishing: The Key to Your Company’s Vulnerabilities

By Jer O’Donovan and Anthony Wright, Cofense Phishing Defense Center

Employees tend to be bombarded with business communication emails: Microsoft Teams messages, internal policy updates, deadline reminders, and more. Taking advantage of these noisy inboxes, threat actors broadcast malicious emails in a bid to harvest employees’ credentials by blending in with the noise.

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign in which threat actors impersonate popular brands such as Microsoft and claim that “the password for ‘…’ will expire today,” as shown in Figure 1 below. The image showcases this phishing attack, which even targeted our CEO, Rohyt Belani.

Naturally, Rohyt reported this campaign to the PDC via the Cofense Reporter button, allowing the PDC to investigate, remediate and respond back in around 60 seconds.

Figure 1: Initial Email

This attack preys on companies’ password policies, such as changing passwords every 30 days or enforcing a minimum character requirement. Employees may receive legitimate monthly reminders asking them to update their password because it is expiring soon. As a result, an employee may see this phishing email and think nothing of it, then engage with the fake request believing they are updating their password just as they have done legitimately in the past.

The subject line in Figure 1, “Authentication Support,” implies that the message originated from the company’s own IT department, again in an attempt to appear legitimate.

There are no introductory phrases such as “Dear,” “Good Morning,” “Hello,” etc. This indicates a mass email campaign in which the attacker has a purpose-built template, altering a few variables such as “ID” and “email address.” Figure 1 showcases the Microsoft brand in a bid to deceive the recipient.

The static sending IP addresses allow for a high degree of signature-based detection efficacy, which is a bonus for the defending side. These static IP addresses can be blocked by the endpoint detection team.

However, the sender address in this case is generated dynamically as each phish is sent. This severely limits the ability to block based on the sender address alone. In this instance, focusing on the static elements of this particular phishing attempt is the best course of action for preventing an attack of this kind from reaching the end user.
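To make that point concrete, here is an added example (not code from the post or from Cofense): a small Python triage check that matches a raw message against the campaign’s static elements (connecting IP, spoofed display name, password-expiry lure) and shows why a blocklist of sender addresses alone misses the next message. The indicator values, hostnames and sample messages are constructed placeholders, not the IOCs listed in the post.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed placeholder indicators (RFC 5737 test ranges), not the IOCs in the post.
STATIC_SENDER_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]
SPOOFED_DISPLAY_NAMES = {"authentication support"}
LURE_RE = re.compile(r"password for .+ will expire today", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """IP from the topmost Received header, i.e. the hop our own MTA recorded
    (assumes it writes the peer as '[a.b.c.d]'); lower hops are attacker-controlled."""
    for hop in msg.get_all("Received") or []:
        m = RECEIVED_IP_RE.search(str(hop))
        if m:
            return ip_address(m.group(1))
    return None

def flag_message(raw):
    """Return which static indicators a raw RFC 5322 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    ip = connecting_ip(msg)
    if ip is not None and any(ip in net for net in STATIC_SENDER_NETS):
        hits.append("sending-ip")
    name, _ = parseaddr(msg["From"] or "")
    if name.strip().lower() in SPOOFED_DISPLAY_NAMES:
        hits.append("display-name")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if LURE_RE.search(msg["Subject"] or "") or LURE_RE.search(text):
        hits.append("expiry-lure")
    return hits

def sender_blocklist_hits(raws, blocked):
    """Blocking on sender address alone: only messages reusing a known address hit."""
    return [parseaddr(message_from_string(r, policy=policy.default)["From"])[1] in blocked
            for r in raws]

# Constructed samples: same sending IP, display name and template, but a fresh
# sender local-part per message, as the post describes.
def _sample(local_part):
    return ("Received: from mail.example.net (mail.example.net [192.0.2.44])\n"
            "\tby mx.corp.example (Postfix)\n"
            f"From: Authentication Support <{local_part}@example.net>\n"
            "Subject: Authentication Support\nContent-Type: text/plain\n\n"
            "The password for 'user@corp.example' will expire today.\n")
SAMPLES = [_sample("svc-83fa1"), _sample("svc-1c09e")]
```

Both samples trip all three static checks, while a sender blocklist seeded from the first message catches only that one.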

Threat actors sometimes use legitimate but compromised top level domain (TLD) names to send out such phishing emails. Searching the TLD via open-source intelligence (OSINT) led us to a legitimate software company based in the United States that was registered online in 1998. However, the display name was spoofed as “Authentication Support,” socially engineering the recipient into thinking the message came from a trusted source.

Figure 2: Phishing landing page

Had Rohyt clicked the “keep same Password” hyperlink in Figure 1, he would have been redirected to a fake Microsoft login page; Figure 2 above shows what he would have seen. It looks perfectly legitimate, with all the functionality a real Microsoft login page would have. Had Rohyt entered his credentials, the page would have redirected seamlessly to the legitimate Microsoft login page, thereby deflecting suspicion.

Figure 3: Legitimate Microsoft loading page


We’ve noticed similar phishing attempts. Threat actors will redirect the victim to the blue envelope image in Figure 3 immediately after their credentials have been provided. This is done so the recipient is led to believe their mailbox is loading.


Figure 4: Legitimate Microsoft login page

Malicious emails like this are an ever-increasing phenomenon in business environments today, and it’s imperative for companies to have a procedure in place to deal with these threats. Corporate credentials are a red-hot target for attackers. That’s why they use this approach: they pose as a service employees trust and use routinely in order to rope in as many victims as possible. With Cofense tools and services, malicious emails can be identified, and indicators of compromise (IOCs) provided and shared. Organizations can be confident that campaigns like this will be thwarted. Find out what we can do for your enterprise. Contact us today.


Indicators of Compromise


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishing Campaign Utilizes DocuSign to Counter Security Controls

By Cobi Aloia, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) continues to see phish exploiting DocuSign to take advantage of weaknesses in traditional security technologies. The problem with relying on secure email gateways to mitigate threats hidden behind domains such as DocuSign is that those domains are considered safe and are therefore not flagged as malicious. This is further cause for concern, as many employees also recognize DocuSign as a trustworthy platform (and they would be right), yet threat actors are stealthily using the service as a means of delivering phish. The PDC has observed approximately 200 unique phish taking advantage of DocuSign for malicious links, with at least half of those including phishing pages hosted on the domain “glitch[.]me.” In addition, the PDC has seen similar phishing links on numerous other e-signature platforms such as Adobe, PandaDoc, PdfFiller and more. This is a relevant factor for threat mitigation and deterrence.


Figure 1: Email Body

As seen in Figure 1, the body of this email appears legitimate because the threat actor used the automated email service offered by DocuSign, which employees may see on a day-to-day basis. Because the email comes from DocuSign with a DocuSign “from” address, the threat actor does not need to use obfuscation or spoofing techniques. This is consistent with other DocuSign-branded phishing emails observed by the PDC. In the message accompanying the document, the threat actor appears to have spoofed a legitimate company and its owner while also leveraging the recipient company’s brand. By doing so, the email seems less suspicious and is therefore more likely to be opened.