IT Support Lures Users into Mimecast Phish

By Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has intercepted a new phishing technique that uses information technology (IT) support-themed emails to get users to enter their current password. It is common practice within many industries for IT support to send password-reset communications for legitimate reasons, such as hardening the security of employee email accounts. In countless situations, the more legitimate the email appears, the more likely the threat actor is to succeed with the intrusion. Why? Because individuals are rarely inclined to question the people responsible for the company’s confidentiality, integrity and security; they are treated as authorities.

This report showcases an email that prompts the user to update a password that is about to expire. The first red flag is the sender’s domain, which had been registered only a few months earlier as of this writing. In this case, the address “realfruitpowernepal[.]com” is presented as if it belonged to the organization’s internal IT department, yet further analysis of the domain leads to a free web design platform. The opening of the email contains no greeting such as “Good Morning” or “Dear…”, which suggests a mass-mailing campaign, most likely sent with a purpose-built script.

Figure 1: Email body

When the recipient hovers over the “Continue” button, a Mimecast reference appears in the link, along with the (now redacted) recipient email address toward the end of the URL. This may not raise suspicion, because the correct spelling and naming convention are used, and the link directs the user to the next stage of the attack.

Figure 2: Mimecast security

Upon clicking the link, the user is taken to a counterfeit Mimecast web security portal that asks whether they want to block the malicious link or ignore it. Imitating a familiar security service in this way is very effective at lowering the user’s guard.

Figure 3: Security portal

Clicking on either “It’s Safe” or “It’s Harmful” leads to the same result: the page seen in Figure 4, which asks for a final confirmation before continuing.


The credential theft itself is initiated via a counterfeit Mimecast page that prompts the user to enter their email address in order to reset their password. After clicking the “Continue to Page” button shown in Figure 3, the user is redirected to the phishing landing page, which displays the session as expired, as shown in Figure 4.

We assumed the goal was to make the phishing landing page appear identical to the legitimate Mimecast site. However, during our investigation we found that the URL does not match the authentic Mimecast URL and that the page footer is missing, as shown in Figure 4.

Phishing URL: hXXps://hiudgntxrg[.]web[.]app/#

Legitimate link: https://login[.]mimecast[.]com/u/login/?gta=apps#/login

Figure 4: Phishing landing page
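The indicators called out above (a link that references the Mimecast brand but is not hosted on Mimecast’s login domain, the recipient’s email address carried in the URL, and a landing page on a free hosting platform) can be turned into a simple URL triage check. The following is an added example written for this post, not Cofense code or a Cofense product feature. It assumes the legitimate host quoted above (login.mimecast.com), treats the `.web.app` suffix as a free-hosting indicator because of the phishing URL shown in this post, and uses constructed sample URLs and log lines; the `it-support-reset[.]example` URL and the proxy log entries are invented for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Legitimate Mimecast login host, taken from the post's "Legitimate link".
LEGIT_MIMECAST_HOST = "login.mimecast.com"

# Assumption: free hosting suffixes worth flagging when paired with a brand lure.
# The post's phishing page was served from a *.web.app host.
FREE_HOSTING_SUFFIXES = (".web.app",)

EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://\S+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged IoC (hXXps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def assess_url(url: str) -> list[str]:
    """Return the lure indicators present in a URL (empty list if none).

    Indicators, in fixed order:
      brand_in_url_off_domain  - "mimecast" appears but the host is not Mimecast's
      recipient_email_in_url   - an email address is carried in path/query/fragment
      free_hosting_platform    - host sits on a free hosting suffix
    """
    parsed = urlparse(refang(url))
    host = (parsed.hostname or "").lower()
    # Decode %40 etc. so an address like alice%40example.com is visible.
    tail = unquote(f"{parsed.path}?{parsed.query}#{parsed.fragment}").lower()

    # Anything on the genuine login host (or a subdomain of it) is not a lure.
    if host == LEGIT_MIMECAST_HOST or host.endswith("." + LEGIT_MIMECAST_HOST):
        return []

    findings = []
    if "mimecast" in host or "mimecast" in tail:
        findings.append("brand_in_url_off_domain")
    if EMAIL_RE.search(tail):
        findings.append("recipient_email_in_url")
    if any(host.endswith(suffix) for suffix in FREE_HOSTING_SUFFIXES):
        findings.append("free_hosting_platform")
    return findings


def scan_lines(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Extract URLs from log lines and return only those with findings."""
    flagged = []
    for line in lines:
        for raw in URL_RE.findall(line):
            findings = assess_url(raw)
            if findings:
                flagged.append((raw, findings))
    return flagged


# Constructed proxy log lines for demonstration; the first URL is the legitimate
# Mimecast login from the post, the second is the post's phishing landing page.
SAMPLE_PROXY_LOG = [
    "2020-01-01T09:12:03Z alice GET https://login.mimecast.com/u/login/?gta=apps#/login 200",
    "2020-01-01T09:15:44Z bob GET https://hiudgntxrg.web.app/# 200",
    "2020-01-01T09:16:10Z bob GET https://example.com/ 200",
]

if __name__ == "__main__":
    for url, findings in scan_lines(SAMPLE_PROXY_LOG):
        print(url, "->", ", ".join(findings))
```

A hit on `brand_in_url_off_domain` together with `recipient_email_in_url` is the signature of the “Continue” link described in Figure 2, while `free_hosting_platform` alone matches the landing page in Figure 4; a host allow-list for the genuine login domain keeps legitimate Mimecast traffic out of the results.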