Figure 1: Email BodyThe “From” address in Figure 2 uses a well-known fragrance company’s spoofed domain with an IP address of 40[.]107[.]220[.]139. Most likely for this reason, the email slipped past basic authentication checks, such as the sender policy framework (SPF). However, on further inspection, we see what is likely the actual sender’s address “Return-Path” from a compromised domain registered to a U.S. law firm, with an IP address of 10[.]217[.]135[.]43. Attributes such as email address can be unreliable as indicators of compromise (IOCs) when creating Yara rules. Why? Because they are often quickly changed and have very brief time-to-live (TTL) periods. Strong IOCs identify repetitions and meaningful patterns, resulting in higher quality Yara rules and a lengthier period for tagging threats.
Figure 2: Header AnalysisFigure 1 shows the email body, which was found in environments protected by several secure email gateways (SEGs). We noted that the spoofed sender’s address remained static across the campaign, allowing for a high degree of signature-based detection efficacy. A bonus for defenders, this static sender address can be blocked by the endpoint detection team or even the SEG. Threat actors sometimes use legitimate but compromised domain names to send out such phishing emails. Pivoting the domain led us to a legitimate law firm based in the United States that was registered in February 2015. The longer a domain has been registered, the greater the chance the domain will be recognized as non-malicious. This may be a preferable approach for the adversary versus registering a new domain for the purpose of sending out credential phishing emails. That is not to say that the characteristic of being newly registered makes a malicious domain easily identifiable. Instead, it’s a combination of suspicious attributes that raises red flags.
Figure 3: Phishing Landing PageThe image in Figure 3 is what the recipient would see. It looks perfectly legitimate with all functionalities a legitimate Microsoft login page would have. At this stage, we have high confidence to state that the threat actor’s objective was to gain as many users’ credentials as possible at a given period of time. Should the recipient provide their credentials, the web page would redirect seamlessly to the legitimate Microsoft login page, thereby deflecting suspicion.
How Cofense Can HelpEvery day, the Cofense PDC analyzes phishing emails with credential phishing attacks and malware payloads that bypassed email gateways and were reported by well-conditioned users. Of the threats found, 100 percent were identified by the end user and mitigated by a human analyst. None were stopped by the endpoint detection technology. Thanks to phishing training, users have the know-how to look out for evolving phishing attacks. Using Cofense Reporter, they can forward threats to the Cofense PDC for analysis. Cofense Triage reduces real-time exposure to threats, and combines with Cofense Vision to quarantine them. Cofense Intelligence then protects your organization against emerging threats. Cofense Intelligence customers received additional information about this specific campaign in Active Threat Report (ATR) 222896. To learn more about what Cofense can do to protect your enterprise, contact us any time.
Indicators of Compromise