By Nathaniel Sagibanda, Cofense Phishing Defence Center

The Cofense Phishing Defense Center (PDC) has observed a credential phishing trend whereby threat actors are sending out several emails to employees with nothing more than an HTML  attachment and subject lineOfficeDoc – Important Business/Work Guide. As organizations are planning for return-to-work procedures, threat actors are leveraging this theme to increase the likelihood of user interaction with the attachment. 

 Security protocols such as secure email gateways (SEGs) have a tough time stopping such malicious emails because the HTML attachment discreetly hides the malicious URL. The threat actor uses popular and trusted cloud-based SMTP relay – SendGrid – to release their campaign. 

Figure 1 – Email Body  

Once the attachment has been opened, it redirects the user to a Microsoft SharePoint webpage with a OneDrive banner, as shown below in Figure 2.
 

Figure 2 – Initial Redirect (Phishing landing page) 

The URL is not evident within the address bar of the web application. The webpage contains a convincing looking PDF file named New Era in Customer Engagement.pdf,” which has options to either view or download. Upon further inspection, we note that both options lead to the same outcome – pop-up sign-in page appears. The threat actor has even gone to the effort of including a secure message: Data Encryption Enabled in a bid to socially engineer the user into thinking they are being authenticated legitimately.  

 

Figure 3 – Second Redirect (Phishing landing page) 

Furthermore, additional security phrases, such as Required for end-to-end encryption, display. Once the user has entered their password, a loading page appears that acts as though a secure connection has been establishing. This is shown in Figure 4. Should the user login with their actual credentials then, unfortunately, their data is exfiltrated to the threat actor.

Figure 4 – Loading Page  

Finally, the last stage of this campaign redirects the user to a random PDF document shown in Figure 5. common tactic used by threat actors to divert attention and suspicion from malicious activity is to provide the document referenced in an earlier stepThe content of the document doesn’t correspond to the attachment name, which is “Productivity Enhancing Guidance.” 

Figure 5 – Redirect   

This campaign showcases the fact that threat actors are constantly innovating and trying to improve on their techniques to trick users while bypassing existing security protocols to steal credentials. These attachment emails are hard to stop by security protocols such as SEGs, and they force the user to click on the attachment to learn more. A well-conditioned user alerted us to this campaign upon recognizing suspicious elements of the phishing email. They used Cofense Reporter to quickly send it to us for evaluation and remediation 

Indicators of Compromise    IP 
Hxxps[:]//winsoftsolutions[.]xyz/369065cp065cps036ess/  104[.]168[.]145[.]194 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.