By Kyle Duncan, Cofense Phishing Defense Center

There will always be a document to sign or a file to share. With the pandemic still raging and employees adjusting to a work-from-home lifestyle, file shares provide a reasonably safe and effective way to get a document from one person to another. Threat actors have taken notice: the Cofense Phishing Defense Center has identified fraudulent file-share emails designed to deceive users. In this campaign, the threat actor has taken steps to appear as a trusted contact.

Figure 1: Email Body

The email seen in Figure 1 originated from a compromised account. Judging from the domain of the email, the user, “Harvey,” is in the same career field as the recipient. Presumably the threat actor sent this phishing email to the contacts in the compromised user’s account. Sending malicious emails to contacts through a compromised account allows the threat actor to abuse the contacts’ trust while passing SPF and/or DKIM checks. Those controls counter address spoofing, but they do nothing against mail sent from a legitimately authenticated account that has been compromised, as is the case here.

The email body is typical of any other file-share email. Under the file-share box is the contact detail information for the compromised user, including their name, role, phone number and a confidentiality notice to lend legitimacy to the email.

Hovering over the “View Shared Documents” button in the email shows that the intended destination is a Piktochart presentation. This is not an original tactic. In fact, the use of third-party hosting sites such as Piktochart to host malicious pages has become increasingly common, as the services are generally free and are rarely blocked by secure email gateways (SEGs).

Figure 2: Phishing Page

When the link is clicked, users are redirected to the Piktochart presentation seen in Figure 2. This page repeats the claim that the compromised user’s company is sharing a secured document, followed by the same name, title, and contact information of the sender that appeared in the email. Notably, there is a discrepancy between the name of the person who published this Piktochart document and the name of the sender – a loose end the threat actor seems to have overlooked.

Hovering over the PDF icon reveals the destination address:

hXXps://buiewrsd[.]tk/%23%24%25%5E%26
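As an added illustration of the two checks this write-up relies on (where a file-share button actually points, and what the defanged indicator above decodes to), the following script is example code and not part of the original Cofense analysis. It parses a constructed email body, flags “View Shared Documents” links whose host is not one of an assumed allowlist of legitimate share services, and refangs and percent-decodes the indicator; the Piktochart hostname, the allowlist and all IDs are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Button text typical of file-share lures such as the "View Shared Documents" button above.
FILE_SHARE_PHRASES = ("view shared document", "shared a document", "open document")
# Services from which this (constructed) organisation legitimately receives share notifications.
EXPECTED_SHARE_HOSTS = ("sharepoint.com", "onedrive.live.com", "dropbox.com", "docs.google.com")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def refang(indicator):
    """Reverse the hXXps:// and [.] defanging used in the write-up so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."), flags=re.IGNORECASE)

def decode_indicator(indicator):
    """Return (host, percent-decoded path) for a defanged URL such as the one above."""
    parsed = urlparse(refang(indicator))
    return parsed.hostname or "", unquote(parsed.path)

def suspicious_share_links(html):
    """Flag links whose text promises a shared document but whose host is not an expected share service."""
    findings, parser = [], LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        expected = any(host == h or host.endswith("." + h) for h in EXPECTED_SHARE_HOSTS)
        if any(p in text.lower() for p in FILE_SHARE_PHRASES) and not expected:
            findings.append((text, host))
    return findings

# Constructed sample body modelled on the lure described above; hosts and IDs are placeholders.
SAMPLE_EMAIL_HTML = """<a href="https://create.piktochart.com/output/PLACEHOLDER-ID">View Shared Documents</a>
<a href="https://contoso.sharepoint.com/:b:/s/PLACEHOLDER">View Shared Documents</a>
<a href="https://mail.example.com/unsubscribe">Unsubscribe</a>"""
```

Running `suspicious_share_links(SAMPLE_EMAIL_HTML)` flags only the Piktochart link, and `decode_indicator` shows the `.tk` path is just the characters `#$%^&` percent-encoded.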