Figure 1: Initial Email

The content of the email is professionally presented. The threat actor has deliberately used generic language throughout, such as “Dear Colleagues” and “Human Resources”, and omitted any company logos. They also chose “COVID-19 Positive Case-IMPORTANT” as the subject to grab attention. All of these tactics are intended to convince the employee that the email is legitimate. The generic wording also indicates a mass campaign sent to many companies, since it does not need to be tailored to each recipient. Clicking the link takes the user to a Typeform page that prompts for their email address, as seen in figure 2. Typeform is an online form-building and survey service; threat actors frequently abuse such services because a phishing form can be set up on them quickly and easily.
Figure 2: Initial Phishing Landing Page

Once the email address is submitted, the user is prompted for their password, as seen in figure 3.
Figure 3: Password Entry Form

The PDC also observed another COVID-19-related phishing campaign from the same sender, this time asking the user to update their vaccination status. Instead of Typeform, the threat actor used Wufoo, another online form builder, to phish for the user’s information, as seen in figure 4. That form has since been taken down.
Figure 4: Second Phishing Campaign
Figure 5: Fake COVID-19 Policy

If an employee were to fall for this phish, the web page would redirect seamlessly to a compromised SharePoint site hosting a fake COVID-19 policy, as seen in figure 5, thereby deflecting suspicion. Across many types of phishing attempts we have noticed that threat actors redirect to seemingly non-malicious pages after the user has entered their details; sometimes the redirect targets are legitimate sites such as Microsoft’s. For endpoint teams, there are specific circumstances in which blocking a malicious sender address is not appropriate. This is one of them: the sending account itself has been compromised, and continued communication with it will be needed once the account has been secured.
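Because blocking the compromised sender is not an option here, a content-based check for the tells the post describes (generic salutation, attention-grabbing subject, links to hosted form builders such as Typeform or Wufoo) is the natural complement. The following is an added example and not the PDC’s tooling; the sample message, domain list, keyword lists and threshold are all constructed assumptions.

```python
"""Score an e-mail for the phishing tells described above (added example)."""
import re
from email import message_from_string

# Constructed sample resembling the campaign; not the actual phish.
SAMPLE_EMAIL = """\
From: hr-notice@compromised-partner.example
To: staff@victim-company.example
Subject: COVID-19 Positive Case-IMPORTANT
Content-Type: text/plain

Dear Colleagues,

Human Resources has been notified of a positive COVID-19 case.
Please review the updated policy here: https://abc123.typeform.com/to/XyZ
"""

# Assumed lists: hosted form builders abused for credential capture,
# generic salutations, and attention-grabbing subject terms.
FORM_BUILDER_DOMAINS = ("typeform.com", "wufoo.com")
GENERIC_GREETINGS = ("dear colleagues", "dear employee", "dear staff")
URGENCY_TERMS = ("important", "urgent", "action required", "covid-19")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def analyse(raw: str) -> dict:
    """Return the findings for one raw RFC 822 message and a verdict."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else str(msg.get_payload())
    subject = (msg["Subject"] or "").lower()
    findings = []
    if any(g in body.lower() for g in GENERIC_GREETINGS):
        findings.append("generic salutation")
    if any(t in subject for t in URGENCY_TERMS):
        findings.append("attention-grabbing subject")
    # Match the form-builder domain itself or any subdomain of it.
    form_hosts = [h for h in map(host_of, URL_RE.findall(body))
                  if any(h == d or h.endswith("." + d) for d in FORM_BUILDER_DOMAINS)]
    if form_hosts:
        findings.append("link to hosted form builder: " + ", ".join(form_hosts))
    # Assumed threshold: two or more tells together are worth an analyst's look.
    return {"findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

The final redirect to the compromised SharePoint page is not visible in the email itself, so this check only flags the lure; the landing-page behaviour still needs to be confirmed separately.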