By Jer O’Donovan and Anthony Wright, Cofense Phishing Defense Center
Employees tend to be bombarded with business communication emails: Microsoft teams messages, internal policy updates, deadline reminders, and more. Leveraging loud inboxes, threat actors broadcast malicious emails in a bid to harvest employees’ credentials by blending in with the noise.
The Cofense Phishing Defense Center (PDC) has observed a phishing campaign whereby threat actors impersonate popular brands such as Microsoft and claim “the password for ‘…’ will expire today” as noted below in Figure 1. The image below showcases this phishing attack that even targeted our CEO, Rohyt Belani.
Naturally, Rohyt reported this campaign to the PDC via the Cofense Reporter button, allowing the PDC to investigate, remediate and respond back in around 60 seconds.
Figure 1: Initial Email
This attack preys on companies’ password policies. This could include changing passwords every 30 days or having a minimum character requirement. Employees may get legitimate monthly reminders asking them to update their password as it’s expiring soon. As a result, an employee may see this phishing attack and think nothing of it, then begin to engage with the fake request thinking they’re updating their password as they’ve done so legitimately in the past.
The text within the subject line in Figure 1, “Authentication Support,” implies that it’s originated from the authentic IT department, again, trying to appear legitimate.
There are no introductory phrases such as “Dear,” “Good Morning,” “Hello,” etc. This indicates a mass email campaign in which the attacker has a purpose-built template, altering a few variables such as “ID” and “email address.” Figure 1 showcases the Microsoft brand in a bid to deceive the recipient.
The static IP addresses allow for a high degree of signature-based detection efficacy, which is a bonus for the defending side. These static IP sending addresses can be blocked by the end-point detection team.
However, the sender address in this case is generated dynamically on the fly as the phish is sent. This has a detrimental effect on the ability to block based on sender, alone. In this instance, focusing on the static elements of this particular phishing attempt is the best course of action for preventing an attack of this kind from reaching the end user.
Threat actors sometimes use legitimate but compromised top level domain (TLD) names to send out such phishing emails. Searching the TLD via open-source intelligence (OSINT) led us to a legitimate software company based in the United States that was registered online in 1998. But the display name has been spoofed, “Authentication Support,” socially engineering the recipient to think it’s from a trusted source.
Figure 2: Phishing landing page
Had Rohyt clicked on the “keep same Password” hyperlink in Figure 1, he would have been redirected to a fake Microsoft login page. The image above in Figure 2 is what he’d see. It looks perfectly legitimate with all functionalities a legitimate Microsoft login page would have. If Rohyt had provided his credential, the web page would have redirected seamlessly to the legitimate Microsoft login page, thereby deflecting suspicion.
Figure 3: Legitimate Microsoft loading page
We’ve noticed similar phishing attempts. Threat actors will redirect the victim to the blue envelope image in Figure 3 immediately after their credentials have been provided. This is done so the recipient is led to believe their mailbox is loading.
Figure 4: Legitimate Microsoft login page
Malicious emails like this are an ever-increasing phenomenon in business environments today and it’s imperative for companies to have a procedure in place to deal with these threats. Corporate credentials are a red-hot target for attackers. That’s why they use this approach. They pose as a service employees trust and use routinely to rope in as many victims as possible. With Cofense tools and services, malicious emails can be identified, and indicators of compromise (IOC)’s given and shared. Organizations can be confident that campaigns like this will be thwarted. Find out what we can do for your enterprise. Contact us today.
|Indicators of Compromise||IP|
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.