Microsoft ATP/EOP
Symantec
Proofpoint
By Ala Dabat, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) team has seen the continued exploitation of the current COVID–19 health crisis as an effective attack vector across all industries.
A common theme seen is the use of cloned Dropbox landing pages requesting that users log in via well-known email service providers in order to view “important” documentation relating to COVID–19.
One such instance had escaped Proofpoint’s secure email gateway (SEG), having bypassed spam filtering due to the benign appearance of the email, and the lack of spammy characteristics. Also bypassed were Microsoft’s EOP and ATP.
Figure 1 – Original body of the email urging the target to download urgent information relating to COVID–19
The origin of the email appears to be a legitimate sender: it passed SPF checks, which also helped it look legitimate. The campaign was most likely launched from a compromised email account, which is why it was able to pass SPF. The message did fail DKIM checks because of a mismatch in the DKIM body hash (bh=) value, but on its own that was not enough to raise any red flags under the weighted scoring system used to decide whether the email was malicious.
The email headers show that the message did not carry enough spammy characteristics to meet the threshold Proofpoint’s Secure Email Gateway (SEG) requires to categorise it as malicious.
Figure 2 – Email originated from a legitimate sender and passed SPF record checks
Microsoft’s EOP and ATP also miscategorized this email due to the lack of spammy characteristics and gave it a spam score of 0:
Figure 3 – Microsoft EOP spam score of 0
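To illustrate the SPF-pass/DKIM-fail pattern described above, here is an added Python example (not code from the original post or from Cofense) that parses a constructed message, recomputes the DKIM body hash (bh=) using the "simple" body canonicalisation from RFC 6376, and flags a message for review when SPF passes while DKIM fails, rather than letting a weighted spam score decide alone. Header names, domains and the message text are constructed sample values.

```python
import base64
import email
import hashlib
import re

# Constructed sample message (not from the original campaign): SPF passes because
# it was sent from a compromised account, but the DKIM body hash (bh=) no longer
# matches the body, so DKIM fails in the way the article describes.
RAW_MESSAGE = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org;"
    " dkim=fail (body hash did not verify) header.d=example.org\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel;"
    " h=from:to:subject; bh=VGhpcyBpcyBhIHBsYWNlaG9sZGVyIGhhc2g=; b=AAAA\r\n"
    "From: sender@example.org\r\n"
    "To: target@example.net\r\n"
    "Subject: Important COVID-19 documentation\r\n"
    "\r\n"
    "Please review the attached information.\r\n"
)

def parse_auth_results(msg):
    """Return {method: result}, e.g. {'spf': 'pass', 'dkim': 'fail'}."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def body_hash_simple(body: bytes) -> str:
    """DKIM 'simple' body canonicalisation (RFC 6376 3.4.3): CRLF line ends,
    trailing empty lines removed, exactly one CRLF at the end; then base64(SHA-256)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()

def dkim_body_hash_matches(msg):
    """Recompute bh= over the body and compare with the DKIM-Signature tag (None if absent)."""
    m = re.search(r"\bbh=([A-Za-z0-9+/=]+)", msg.get("DKIM-Signature", ""))
    if not m:
        return None
    return body_hash_simple(msg.get_payload(decode=True) or b"") == m.group(1)

def triage(raw: str) -> dict:
    """Flag messages where SPF passes but DKIM fails: a typical compromised-account signal."""
    msg = email.message_from_string(raw)
    auth = parse_auth_results(msg)
    bh_ok = dkim_body_hash_matches(msg)
    flag = auth.get("spf") == "pass" and (auth.get("dkim") == "fail" or bh_ok is False)
    return {"spf": auth.get("spf"), "dkim": auth.get("dkim"),
            "body_hash_ok": bh_ok, "flag_for_review": flag}
```

Run `triage(RAW_MESSAGE)` to see the sample flagged; swapping in the correct bh= value makes `body_hash_ok` true again, which is the check a gateway relying only on a weighted score does not surface on its own.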
Once the target has clicked on the link, they are redirected to a landing page masquerading as Dropbox using original logos and fonts to fool the target.
Figure 4 – a Dropbox themed landing page with convincing logos and fonts
The target is then prompted to authenticate against one of several email service providers to access the document. Offering multiple providers widens the net, allowing the attacker to harvest credentials from a larger pool of targets.
Figure 5 – Login page for Gmail
Figure 6 – Fraudulent login page for Yahoo
Once the target has entered their credentials using one of the login options, the credentials are sent via HTTP POST to a PHP script, which stores everything harvested in a database for the attacker. Although this attack is not as technically sophisticated as other, more targeted attacks, it relies on a number of key factors:
- Exploits the COVID–19 pandemic
- Uses aesthetics that look and feel convincing to the target
- Bypasses spam filtering by limiting the characteristics of the email body that would be considered spammy by most spam filters
Once the target has entered their credentials, they are redirected to a legitimate landing page owned by Accenture, and then to a document that is completely unrelated to the COVID–19 crisis.
Figure 7 – Landing page targets are redirected to after they authenticate