Microsoft ATP, Microsoft EOP
By Nathaniel Sagibanda, Cofense Phishing Defense Center
Threat actors use monetization schemes or fake payment promises to lure users into handing over credentials. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that imitates a well-known bank and delivers a fake remittance payment document in a bid to harvest users’ credentials and personal data.
Figure 1 shows the email, purportedly from the “Director of Finance,” with a “Scheduled Wire Remittance Payment” attached as a PDF; this is the first stage of the attack.
Hovering over the “Print Document” button reveals a link that bears no relation to the bank being impersonated. A genuine notice would normally carry the bank’s own domain in the URL; this campaign does not. That is exactly the kind of red flag that security awareness training should teach users to recognize.
Figure 1 – Email
Looking more closely, the recipient’s name is absent; a generic “Hello” is used instead, a strong indication that this is a mass-mailed campaign. Furthermore, the threat actor(s) included the phrases “decommission the encryption tool,” “document needs to be access within 90 days from the date of the email,” “Email Security Powered by,” and “Copyright 2021” in the footer of the email. These are social engineering tactics: the security-sounding footer borrows trust, and the deadline creates urgency and pressure to act.
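The two checks described above (the hover target of “Print Document” versus the bank it claims to come from, and the generic greeting plus pressure phrases) can be scripted for triage. The following is an added example, not Cofense’s code: the HTML body is constructed to reproduce the lure’s traits, the brand domain chase.com and the phrase lists are assumptions for the demo, and the only real data are the two defanged hosts taken from the IOC table at the end of this post. It also shows why “bank name appears somewhere in the URL” is not a sufficient test: the landing host puts “chase” in a subdomain of a cloud object storage domain, so the comparison has to be on the registered domain.

```python
"""Triage heuristics for the remittance-payment lure described above.

Added example, not Cofense's code. SAMPLE_HTML is a constructed body modelled
on the lure; the two hosts in IOC_HOSTS_DEFANGED are the page's own IOCs.
The brand domain chase.com and the phrase lists are assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body (not the real message) reproducing the lure's traits:
# generic greeting, pressure phrases, and a "Print Document" link with no
# relation to the bank it claims to come from.
SAMPLE_HTML = """
<html><body>
<p>Hello,</p>
<p>Attached is your Scheduled Wire Remittance Payment from the Director of Finance.
The document needs to be access within 90 days from the date of the email,
after which we decommission the encryption tool.</p>
<p><a href="http://case029g.funnelmaker.com/">Print Document</a></p>
<p>Email Security Powered by the bank. Copyright 2021.</p>
</body></html>
"""

GENERIC_GREETINGS = {"hello", "hi", "dear user", "dear customer", "dear sir/madam"}
PRESSURE_PHRASES = (  # assumed watch-list, seeded from the phrases quoted above
    "decommission the encryption tool",
    "within 90 days",
    "email security powered by",
)
IOC_HOSTS_DEFANGED = (  # from the page's IOC table, defanged
    "case029g[.]funnelmaker[.]com",
    "chase2742668f8s60s60storageiwfw9s79sd97sdt9dssverv[.]s3[.]ca-tor[.]cloud-object-storage[.]appdomain[.]cloud",
)


def refang(value):
    """Turn hxxp://a[.]b back into http://a.b so it can be parsed and compared."""
    return value.replace("[.]", ".").replace("hxxp", "http").replace("hXXp", "http")


def registered_domain(host):
    """Last two labels of the host. Assumption: no ccSLD handling (co.uk etc.),
    which is fine for the .com/.cloud hosts in this campaign."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _Links(HTMLParser):
    """Collect (anchor text, href) pairs: the text the user sees next to the
    destination that only a hover reveals."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def link_verdict(href, brand_domain, brand_word):
    """Compare the link's registered domain with the brand's. A brand word in a
    subdomain (chase...s3.ca-tor...appdomain.cloud) is a lookalike, not a match."""
    host = (urlsplit(refang(href)).hostname or "").lower()
    reg = registered_domain(host)
    return {
        "host": host,
        "registered_domain": reg,
        "off_brand": reg != brand_domain,
        "brand_word_in_subdomain": brand_word in host and reg != brand_domain,
    }


def triage(html, brand_domain="chase.com", brand_word="chase"):
    """Return a list of (indicator, detail) tuples for the body; empty means clean."""
    parser = _Links()
    parser.feed(html)
    text = "".join(parser.text)
    lowered = text.lower()
    findings = []

    # Generic salutation on the first non-empty line -> mass-mailed campaign.
    first_line = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first_line.lower().rstrip(",:!") in GENERIC_GREETINGS:
        findings.append(("generic_greeting", first_line))
    for phrase in PRESSURE_PHRASES:
        if phrase in lowered:
            findings.append(("pressure_phrase", phrase))

    ioc_hosts = {refang(h) for h in IOC_HOSTS_DEFANGED}
    for anchor, href in parser.links:
        verdict = link_verdict(href, brand_domain, brand_word)
        if verdict["off_brand"]:
            findings.append(("off_brand_link", "%s -> %s" % (anchor, verdict["host"])))
        if verdict["host"] in ioc_hosts:
            findings.append(("known_ioc_host", verdict["host"]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_HTML):
        print("%-18s %s" % (kind, detail))
```

Run against the constructed body, `triage` reports the generic greeting, three pressure phrases, the off-brand “Print Document” link, and the match against the campaign’s first IOC host; `link_verdict` applied to the landing URL shows the “chase” subdomain trick with a registered domain of appdomain.cloud. The registered-domain helper is deliberately naive; in production use the Public Suffix List instead.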
Figure 2 – Landing page
Following the embedded link redirects the recipient to a cloned Microsoft login page, shown in Figure 2. On closer inspection, the URL clearly does not match Microsoft’s genuine login domain.
If the user enters credentials, the campaign redirects to Google’s home page. As noted in previous blogs, similar campaigns usually redirect the user to the legitimate Office[.]com page to complete the “genuine” experience; this may have been a mistake by the threat actor.
Figure 3 – Redirect post login
Leveraging a legitimate business process makes the user more likely to act unless they pay close attention to the details. Threat actors use these psychological, personalized, funds-related lures deliberately. Although this is one of the most common phishing tricks, it still works.
Campaigns like this are routinely reported to the Cofense PDC by well-conditioned users, which helps us understand attack trends and tactics. Well-conditioned users are better placed to recognize these emails and stop the attack. We help businesses cut through the noise to catch and contain phish. Contact us today to find out how. We’re here to help.
| Indicators of Compromise | IP |
| --- | --- |
| hxxp://case029g[.]funnelmaker[.]com/ | 209[.]216[.]247[.]83, 209[.]216[.]247[.]82 |
| hxxps://chase2742668f8s60s60storageiwfw9s79sd97sdt9dssverv[.]s3[.]ca-tor[.]cloud-object-storage[.]appdomain[.]cloud/2922397297_29329729279379_28ssdushsysiyis[.]html | 163[.]66[.]118[.]49 |