False Payment Promises Lead To Microsoft Credential Phish

Microsoft ATP | Microsoft EOP

By Nathaniel Sagibanda, Cofense Phishing Defense Center

Threat actors use monetization schemes or fake payment promises to lure users and harvest credentials. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign imitating a well-known banking service, releasing fake remittance payment documents, in a bid to exfiltrate users’ personal data.

Figure 1 showcases the email from the “Director of Finance” along with a “Scheduled Wire Remittance Payment” in the form of a PDF attachment; this is the first stage within the attackers’ intrusion.

Hovering over the “Print Document” button reveals a link with no connection at all to the bank being impersonated. A genuine bank link would normally carry the bank’s name in its domain; this campaign’s link does not. This underlines the importance of organizations providing security education and training, so that a red flag like this is recognized.

Figure 1 – Email

As we dive deeper, we noted that the recipient’s name was not included. Instead, a generic “Hello” had been supplied, giving us a strong indication that this is a mass-spread phishing campaign. Furthermore, the threat actor(s) included the following phrases: “decommission the encryption tool,” “document needs to be access within 90 days from the date of the email,” “Email Security Powered by,” and “Copyright 2021” in the footer of the email. These are social engineering tactics used to gain the user’s trust, create urgency and exert pressure by borrowing the language of email security controls and imposing deadlines.


Figure 2 – Landing page

On accessing the embedded link, the recipient would be redirected to a cloned Microsoft login page showcased in Figure 2. On further inspection, there is a clear mismatch with Microsoft’s genuine URL.
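The hover check described above for Figure 1 and the URL mismatch on the Figure 2 landing page can be automated. The following is an added example, not Cofense’s code; the brand allowlist is a hypothetical minimum (a real deployment would use a maintained list and a public-suffix library), and the brand key "chase" is taken from the label in the second IoC URL rather than from anything the post states about the bank.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of registrable domains each impersonated brand really uses.
EXPECTED_DOMAINS = {
    "chase": {"chase.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com"},
}

def refang(url):
    """Undo the defanging used in IoC write-ups (hxxp/hXXp and [.]) so the URL parses."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    url = url.replace("[.]", ".")
    return url if "://" in url else "http://" + url

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the hosts in this example."""
    return ".".join(host.lower().split(".")[-2:])

def assess_link(url, brand):
    """Return finding codes for a link in an email that impersonates `brand`.

    - unexpected-domain  : registrable domain is not one the brand legitimately uses
    - brand-in-label     : brand name appears only in a subdomain/bucket label (lookalike)
    - no-brand-reference : link does not mention the brand at all (as in Figure 1)
    """
    host = urlparse(refang(url)).hostname or ""
    if registrable_domain(host) in EXPECTED_DOMAINS[brand]:
        return []  # link really belongs to the brand
    findings = ["unexpected-domain"]
    if brand in host:
        findings.append("brand-in-label")
    else:
        findings.append("no-brand-reference")
    return findings

if __name__ == "__main__":
    # The two defanged URLs are the post's IoCs; the third is a legitimate control.
    for url, brand in [
        ("hXXp://case029g[.]funnelmaker[.]com/", "chase"),
        ("hxxps://chase2742668f8s60s60storageiwfw9s79sd97sdt9dssverv[.]s3[.]ca-tor[.]cloud-object-storage[.]appdomain[.]cloud/2922397297_29329729279379_28ssdushsysiyis[.]html", "chase"),
        ("https://login.microsoftonline.com/", "microsoft"),
    ]:
        print(brand, "->", assess_link(url, brand) or ["ok"])
```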

Should users enter their credentials, the campaign then redirects them to Google’s home page. As mentioned in previous blogs, similar campaigns usually redirect the user to the legitimate Office[.]com webpage to construct a “genuine” experience. This may have been a mistake by the threat actor.

Figure 3 – Redirect post login

Leveraging a legitimate business process makes the user more likely to act on the email unless they are paying keen attention to the details. Threat actors use these kinds of psychological, personalized, funds-related tactics to send out attacks. Although this is one of the most commonly used phishing tricks, it still works to lure the user.

Campaigns like this, routinely reported to the Cofense PDC by well-conditioned users, help us understand attack trends and tactics. Well-conditioned users are in a better position to recognize these emails and stop the attack. We help businesses cut through the noise to catch and contain phish. Contact us today to find out how. We’re here to help.

Indicators of Compromise

Indicator                                                                                                         | IP
hXXp://case029g[.]funnelmaker[.]com/                                                                              | 209[.]216[.]247[.]83
                                                                                                                  | 209[.]216[.]247[.]82
hxxps://chase2742668f8s60s60storageiwfw9s79sd97sdt9dssverv[.]s3[.]ca-tor[.]cloud-object-storage[.]appdomain[.]cloud/2922397297_29329729279379_28ssdushsysiyis[.]html | 163[.]66[.]118[.]49

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
