IT Support Lures Users into Mimecast Phish

By Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has intercepted a new phishing technique that uses information technology (IT) support-themed emails to get users to enter their old password. It’s common practice within industries to deploy a reset password communication from IT support for essential purposes such as hardening the employee’s email security. In countless situations, the more legitimate the email appears, the more likely the threat actor will succeed with the intrusion. Why? Because individuals would not be compelled to question the people in charge of the company’s confidentiality, integrity and security. They are considered authorities.

This report showcases an email that prompts the user to update their soon-to-be-expired password. The first red flag is the newly created domain name, which is only a few months old as of this writing. In this case, the sender address at “realfruitpowernepal[.]com” is dressed up to look like an organization’s internal IT department, yet further analysis of the domain leads to a free web design platform. The opening of the email doesn’t contain phrases such as “Good Morning” or “Dear…”, possibly indicating this is a mass-email attack, most probably accomplished via a purpose-built script.

Figure 1: Email body

When the recipient hovers over the “Continue” button, a Mimecast reference appears, along with the now redacted user email address toward the end of the URL. This might not raise suspicion, as the correct spelling and naming convention was used, and the link directs the user to the next stage of the attack.

Figure 2: Mimecast security

Upon clicking the link, the user would be taken to a Mimecast web security portal that asks whether they want to block the malicious link or ignore it. This type of click-time security service is normally very effective, which is what makes its imitation convincing.

Figure 3: Security portal

Clicking on either “It’s Safe” or “It’s Harmful” led to the same result, which loads the page seen in Figure 4. This page gives the final confirmation about continuing.

The attack is initiated via a counterfeit Mimecast page that prompts the user to enter their email address to reset their password. After clicking on the “Continue to Page” evident above in Figure 3, the user would be redirected to the phishing landing page that displays the session as expired, as shown in Figure 4.

We assumed the goal was to make the phishing landing page appear identical to the legitimate Mimecast site. However, during our investigation, we discovered that the URL provided does not match the authentic Mimecast URL and the footer detail is missing, as shown in Figure 4.

Phishing URL: hXXps://hiudgntxrg[.]web[.]app/#

Legitimate link: https://login[.]mimecast[.]com/u/login/?gta=apps#/login

Figure 4: Phishing landing page


Figure 5: Legitimate page

Whether the user provided their true login credentials or a random string of credentials, they would be automatically redirected to the page within Figure 5 displaying a successful login message. This is yet another technique used to boost the appearance of authenticity and protection by “Mimecast.”

In conclusion, this attempted intrusion demonstrates the complexity of phishing attacks that utilize the power of social engineering. Cofense is here to help with our analysts and technology to enable customers to quickly identify validated or newly observed threats. We have the necessary products to help your SOC team quickly identify threats to reduce risk and further leverage the IOCs to mitigate a potential incident.


Indicators of Compromise                   IP
hXXp://aznyibe[.]creedidory[.]com/#        162[.]0[.]217[.]31
hXXps://hiudgntxrg[.]web[.]app/#           199[.]36[.]158[.]100

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Updates to Cofense Vision Enable Operators to Squeeze More Value Out of Intelligence with Wildcard Matching and UX Improvements

By Megan Horner, Sr. Product Marketing Manager

“The average click rate for credential phishing simulations in PhishMe customers in 2020 is 10.7%—meaning that during a real attack, almost 11 users out of 100 will likely click on the phish, potentially leading to compromise of their corporate credentials. The longer a malicious email stays in the inbox, the greater the chance of an erroneous click.” – Cofense 2021 Annual State of Phishing Report

What if you could automatically quarantine emails before they are even opened? By using both internal and external sources of threat data, Cofense Vision makes this a reality.

Security teams all over the world trust Vision to help protect their employees’ inboxes and that trust drives our focus on continuous product improvement. The latest improvements are now available in Vision 2.1.

Cofense Vision 2.1 introduces the following enhancements and benefits:

  • Automated IOC Wildcard Matching exponentially increases the visibility a URL from Cofense Intelligence provides
  • User experience improvements simplify the investigative and system management processes

Increase efficacy of your security program by staying ahead of dynamically changing IOCs

IOCs (indicators of compromise) are flags that help analysts understand that something nefarious is going on. Thanks to modern tools, the IOCs being used by attackers are extremely dynamic in nature – always evolving ever so slightly to evade detection.

To keep up with these slight changes that may have gone undetected before, we have introduced automated IOC Wildcard Matching for URLs shared from Cofense Intelligence to Vision. Intelligence teams can identify URLs that contain similar variable information and push the URLs to Vision for automated quarantine of associated emails. Now, each URL provides more value than before, leading to an expected two-fold to ten-fold increase in the related IOCs being processed with Vision AutoQuarantine.

Traditionally, this process of identifying a URL as an IOC, completing a wildcard match exercise, and porting it to your security solution of choice for blocking has been very manual and disjointed. Vision automates this workflow behind the scenes, completing a process that previously took hours in just seconds.

Not familiar with IOC Wildcard Matching?

Let’s break this down. As an example, let’s say Cofense Intelligence has identified an attack that directs users to https://baddomain.com/thisisreallybad. With IOC Wildcard Matching, Cofense Intelligence applies a wildcard at the end of the URL, making it possible to also match and AutoQuarantine the following URLs:

– https://baddomain.com/thisisreallybad/malware
– https://baddomain.com/thisisreallybad/credphish
– https://baddomain.com/thisisreallybad/spyware
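The two ideas above, refanging published indicators like the ones in the first post’s IOC table and matching a trailing-wildcard URL against everything below it, fit together in one small matcher. The script below is an added example and is not Cofense code or part of the Vision product; the log lines, the `baddomain.com/thisisreallybad/*` entry and the `IocMatcher`, `refang` and `scan_log` names are constructed for illustration. It also shows the boundary a practitioner has to decide on: the wildcard covers `/thisisreallybad/credphish` but deliberately not `/thisisreallybadness`, which is a different resource.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the first post above, in defanged (hXXp / [.]) form.
DEFANGED_IOCS = [
    "hXXp://aznyibe[.]creedidory[.]com/#",
    "hXXps://hiudgntxrg[.]web[.]app/#",
]

# Constructed wildcard indicator in the form the second post describes: the URL
# Intelligence identified, with a trailing "*" standing for "anything below it".
WILDCARD_IOCS = ["https://baddomain.com/thisisreallybad/*"]

# Constructed mail-gateway click log (not real traffic) for the scan below.
SAMPLE_LOG = """\
2021-03-01T09:12:44Z click user1@example.test https://hiudgntxrg.web.app/#
2021-03-01T09:13:02Z click user2@example.test http://aznyibe.creedidory.com/
2021-03-01T09:15:10Z click user3@example.test https://baddomain.com/thisisreallybad/credphish
2021-03-01T09:16:31Z click user4@example.test https://baddomain.com/thisisreallybadness
2021-03-01T09:17:05Z click user5@example.test https://login.mimecast.com/u/login/?gta=apps#/login
"""

URL_RE = re.compile(r"https?://\S+")


def refang(ioc: str) -> str:
    """Turn hXXp:// and [.] notation back into a parseable URL."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def normalize(url: str):
    """Split a URL into (host, path, query). The fragment is dropped because it
    is never sent to the server; the host is lowercased."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path or "/", p.query


class IocMatcher:
    """Exact URL indicators plus trailing-wildcard (prefix) indicators."""

    def __init__(self, exact_iocs, wildcard_iocs):
        self.exact = {normalize(refang(u)) for u in exact_iocs}
        self.prefixes = []
        for u in wildcard_iocs:
            u = refang(u)
            if not u.endswith("*"):
                raise ValueError(f"wildcard IOC must end with '*': {u}")
            host, path, _ = normalize(u[:-1])
            self.prefixes.append((host, path.rstrip("/")))

    def match(self, url: str):
        """Return 'exact', 'wildcard' or None for a URL seen in mail traffic."""
        host, path, query = normalize(url)
        if (host, path, query) in self.exact:
            return "exact"
        for phost, ppath in self.prefixes:
            # Match only on a path-segment boundary: /thisisreallybad/malware
            # is covered, /thisisreallybadness is a different resource.
            if host == phost and (path == ppath or path.startswith(ppath + "/")):
                return "wildcard"
        return None


def scan_log(text: str, matcher: IocMatcher):
    """Return (line_number, url, verdict) for every log line whose URL hits an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            verdict = matcher.match(url)
            if verdict:
                hits.append((n, url, verdict))
    return hits


if __name__ == "__main__":
    m = IocMatcher(DEFANGED_IOCS, WILDCARD_IOCS)
    for n, url, verdict in scan_log(SAMPLE_LOG, m):
        print(f"line {n}: {verdict:8s} {url}")
```

Run as-is, the script flags the first three log lines (two exact hits, one wildcard hit) and leaves the lookalike path and the legitimate Mimecast login alone. Exact indicators compare host, path and query so a token appended by the attacker is still caught only when the intelligence team publishes the wildcard form; that is the trade-off the wildcard feature exists to remove.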

Stop exponentially more threats by using Vision Wildcard Matching and AutoQuarantine to remove malicious emails from employee inboxes before they can cause issues.

Improvements in user experience with navigation and reporting enhancements

In the world of security, few things are worse than a technology solution with a user interface that is difficult to navigate. With our own team of Vision operators in the Cofense PDC (Phishing Defense Center), we appreciate that just as much as other security professionals. A continued focus on user experience has led us to the development of four new components to the Vision user interface. Each aspect was purpose-built to increase efficiency by minimizing the clicks required to take a desired action within the UI.

Now, Vision operators can:

  • Download logs directly from the dashboard for more visibility into usage and easier troubleshooting
  • Get more IOCs into Vision with the ability to manually import via an easy-to-use form

Figure 1: Simple-to-Use Form Makes Adding IOCs on the Fly a Breeze

  • Access recent searches right from the main navigation to quickly pick up where they left off