By Kyle Duncan, Cofense Phishing Defense Center
There will always be a document to sign or a file to share. With the pandemic still raging and employees adjusting to a work-from-home lifestyle, file shares provide a reasonably safe and effective way to get a document from one person to another. Threat actors have taken notice: the Cofense Phishing Defense Center has discovered fraudulent file-share emails crafted to deceive users. In this campaign, the threat actor has taken steps to appear as a trusted contact.
Figure 1: Email Body
The email seen in Figure 1 originated from a compromised account. Judging from the domain of the email, the user, “Harvey,” is in the same career field as the recipient. Presumably the threat actor sent this phishing email to the contacts in the compromised user’s account. Sending malicious emails to contacts through a compromised account allows the threat actor to abuse the contacts’ trust while passing SPF and/or DKIM checks. Those checks counter address spoofing, but they do nothing against mail sent from a genuinely compromised account, as is the case here.
The email body is typical of any other file-share email. Under the file-share box is the contact detail information for the compromised user, including their name, role, phone number and a confidentiality notice to lend legitimacy to the email.
Hovering over the “View Shared Documents” button in the email shows that the destination is a Piktochart presentation. This is not an original tactic. In fact, the use of third-party hosting sites such as Piktochart to host malicious pages has become increasingly common, as the services are generally free and are rarely blocked by secure email gateways (SEGs).
Figure 2: Phishing Page
When the link is clicked, users are redirected to the Piktochart presentation seen in Figure 2. This page carries another statement that the compromised user’s company is sharing a secured document, followed by a repeat of the name, title, and contact information of the sender seen earlier in the email. Notably, there is a discrepancy between the name of the person who published this Piktochart document and the name of the sender, a loose end the threat actor seems to have overlooked.
Hovering over the PDF icon reveals the destination address:
hXXps://buiewrsd[.]tk/%23%24%25%5E%26
Figure 3: Phishing Page
The user is then directed to a fake Atlassian login page, seen in Figure 3. This page closely resembles a legitimate Atlassian login; however, it lacks many of the customer service links found on the legitimate page. Once here, users are prompted to select an email provider to sign in with in order to view their files.
Figure 4: Phishing Page
After choosing which account to log in with, the user is taken to a page styled after that brand, as shown in Figure 4. Once users have entered their credentials, they are sent to the Microsoft Office homepage. This is likely an attempt by the threat actor to make the user think there was simply an error and overlook the fact that they have entered their details into a phishing site.
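As an added example, not part of the Cofense write-up, the following Python triage script turns the points above into detection heuristics: a file-share call to action that links to a free content host such as Piktochart, a destination on a throwaway TLD like the .tk domain behind the PDF icon, and the fact that passing SPF/DKIM results do not clear mail sent from a compromised account. The sample message, its addresses and the Piktochart path are constructed placeholders, and the refang helper is an assumption for reading the defanged indicator format used on this page.

```python
import email
import re
from email import policy
from urllib.parse import urlparse, unquote

# Constructed sample modelled on the campaign: a file-share lure sent from a compromised
# partner account (so SPF and DKIM pass) whose button links to a Piktochart page.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=harvey@partner.example; dkim=pass header.d=partner.example
From: Harvey <harvey@partner.example>
To: victim@example.net
Subject: Harvey shared a secured document with you
Content-Type: text/html; charset="utf-8"

<html><body><p>Harvey has shared a secured document with you.</p>
<a href="https://create.piktochart.com/output/PLACEHOLDER-id">View Shared Documents</a>
<p>Harvey | Senior Partner | +1 555 0100 | This message is confidential.</p>
</body></html>
"""
FREE_HOSTING = {"piktochart.com"}              # free content hosts used as the first hop
UNUSUAL_TLDS = {"tk", "ml", "ga", "cf", "gq"}  # free TLDs a real business partner rarely uses
SHARE_WORDS = re.compile(r"(shared|view).*(document|file)", re.I)

def refang(ioc):  # assumed helper: hXXps://host[.]tld/... -> https://host.tld/...
    return ioc.replace("hXXp", "http").replace("[.]", ".")

def link_findings(href, text=""):
    # Heuristics for one link: lure wording pointing at a free host, or a throwaway TLD.
    u = urlparse(href)
    host = (u.hostname or "").lower()
    findings = []
    if SHARE_WORDS.search(text) and any(host == d or host.endswith("." + d) for d in FREE_HOSTING):
        findings.append(f"file-share lure links to free hosting: {host}")
    if host.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
        findings.append(f"link lands on throwaway TLD: {host} (path {unquote(u.path)!r})")
    return findings

def analyse_email(raw):
    # Extract anchors from the HTML body and report why the message resembles the lure.
    msg = email.message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    body = msg.get_body(preferencelist=("html",)).get_content()
    findings = []
    for href, text in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        findings += link_findings(href, text)
    # Passing SPF/DKIM does not clear the message: mail from a compromised account passes both.
    if findings and "spf=pass" in auth and "dkim=pass" in auth:
        findings.append("SPF/DKIM pass: treat the sender as possibly compromised, not spoofed")
    return findings
```

Running `analyse_email(SAMPLE_EMAIL)` reports the free-hosting link and the SPF/DKIM caveat; feeding the refanged indicator from this page to `link_findings` flags the .tk destination.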
As always, threat actors will stop at nothing to gain a user’s trust and, in turn, use that trust to lead them to malicious links and/or files. In this case, the threat actor compromised a user in the same field as the recipient and utilized the trust between the two contacts as a means of delivering their attack successfully.
With Cofense Managed Phishing and Defense, provided through our Phishing Defense Center (PDC), enterprises benefit from our complete view of real phish. Senders are not judged on whether they are a “trusted” or “known” contact, but on the content of the email and whether it shows malicious intent. This is why, in five years, no customer using the Cofense PDC has experienced a breach resulting from a phishing attack.
We’re here to help. To learn more about our phishing-detection-and-response track record, reach out any time.
| Indicators of Compromise | IP |
| --- | --- |
| hXXps://buiewrsd[.]tk/%23%24%25%5E%26 | 209.141.60.237 |