By Adam Martin, Phishing Defense Centre

Secure email gateways (SEGs) often give end users a sense of safety from phishing and other malicious attacks delivered via email. That confidence becomes a liability, however, when a phishing email spoofs the notifications and alerts of the SEG itself. The traditional tactic of manufacturing urgency is the flavor of choice for threat actors, here in the form of a mailbox running out of space, elsewhere an overdue invoice, and so on. The objective is to draw the user into making a rash decision based on a fear of data or monetary loss.

The initial link presented to the user abuses Google's redirect feature (the www.google.com/url?q= endpoint, which forwards the browser to whatever URL is carried in the q parameter). The link, defanged, reads as follows:

hXXps://www.google.com/url?q=hXXps://d5e5ecb84884425f98768108f081a87a[.]svc[.]dynamics[.]com/t/r/X-fsqjgi42gdMDDZPkaz34T9oWvCL2u-hDs3ZwpUAU8%23%5BTO-EMAIL%5D:0002%3D12900&source=gmail&ust=1619610429283000&usg=AFQjCNEmWYNQmZ0Z4zu-VBTknQpuRd3ZaQ

This redirects the user to a malicious landing page, and because the hop is performed by Google, a user who checks the link sees a trusted domain first, which is exactly the confidence the attacker wants to borrow. As illustrated in Figure 1, the email subject grabs attention immediately. However keen the eye evaluating a mailbox, the "WARNING" logo elicits concern from even experienced users. This tactic is a staple of malicious emails. In this case, Mimecast has been spoofed.
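The check a practitioner wants when triaging such a link is to resolve the redirector statically, without ever fetching it, and judge the real destination rather than the google.com hop. The following Python script is an added example written for this page; it is not code from the original post or from Cofense. It refangs the defanged URL, recognises the www.google.com/url?q= redirector, decodes the destination from the q parameter (so %23, %5B and %3D come back as #, [ and =), and compares the final host against an allow-list of the organisation's real SEG hostnames. The allow-list value your-seg.example, the function names, and the handling of nested redirects (a destination that is itself a redirector, which the email above does not use) are assumptions made for the example; the sample redirect is the one from the email.

```python
from urllib.parse import urlparse, parse_qs

# Hosts that act as open redirectors, mapped to the query parameter that
# carries the real destination. www.google.com/url?q=... is the one this
# campaign used; the set is an assumption and should be extended locally.
REDIRECTORS = {
    "www.google.com": "q",
    "google.com": "q",
}

# Hostnames the organisation's genuine SEG login page lives on.
# Placeholder assumed for this example; replace with your SEG's real hosts.
EXPECTED_SEG_HOSTS = {"your-seg.example"}

# The redirect link from the phishing email, defanged as in the write-up.
SAMPLE_REDIRECT = (
    "hXXps://www.google.com/url?q=hXXps://d5e5ecb84884425f98768108f081a87a"
    "[.]svc[.]dynamics[.]com/t/r/X-fsqjgi42gdMDDZPkaz34T9oWvCL2u-hDs3ZwpUAU8"
    "%23%5BTO-EMAIL%5D:0002%3D12900&source=gmail&ust=1619610429283000"
    "&usg=AFQjCNEmWYNQmZ0Z4zu-VBTknQpuRd3ZaQ"
)


def refang(url):
    """Undo the hXXp:// and [.] defanging so the URL can be parsed."""
    return (url.replace("hXXps://", "https://")
               .replace("hXXp://", "http://")
               .replace("[.]", "."))


def effective_destination(url, max_hops=5):
    """Resolve redirector links statically, with no network access.

    Returns (final_url, hops): the URL the user actually lands on and the
    list of redirector URLs traversed to get there. parse_qs percent-decodes
    the q value, so the landing URL's fragment comes back as written.
    """
    current = refang(url)
    hops = []
    for _ in range(max_hops):
        parsed = urlparse(current)
        param = REDIRECTORS.get((parsed.hostname or "").lower())
        if param is None or parsed.path != "/url":
            break
        target = parse_qs(parsed.query).get(param)
        if not target:
            break
        hops.append(current)
        current = refang(target[0])
    return current, hops


def classify_link(url, expected_hosts=EXPECTED_SEG_HOSTS):
    """Verdict on a link that claims to come from the SEG."""
    final_url, hops = effective_destination(url)
    host = (urlparse(final_url).hostname or "").lower()
    trusted = any(host == h or host.endswith("." + h) for h in expected_hosts)
    if trusted:
        # A trusted destination reached through a redirector is still odd:
        # a genuine SEG notification links to its own domain directly.
        return "trusted-via-redirect" if hops else "trusted"
    return "redirect-to-untrusted-host" if hops else "untrusted-host"


if __name__ == "__main__":
    final_url, hops = effective_destination(SAMPLE_REDIRECT)
    print("redirector(s):", [urlparse(h).hostname for h in hops])
    print("lands on     :", final_url)
    print("verdict      :", classify_link(SAMPLE_REDIRECT))
```

Run against the email's link, the script reports one hop through www.google.com and a landing host of the form <32 hex characters>.svc.dynamics.com, the same shape as both URLs in the Indicators of Compromise, which is why the verdict is "redirect-to-untrusted-host". The allow-list match is by exact host or parent domain, so a lookalike such as your-seg.example.attacker.test does not pass.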


Figure 1: Email body

Phishing emails that address the target by name are often more successful. The email body employs several tactics designed to cut both ways: on one side the initial "shock" factor has been created and, on the other, an element of trust has been applied. The user's name, along with a specific percentage of storage remaining, makes for a perfect match when stealing credentials. Also worth noting is that the threat actor has gone to the effort of offering an option to disable the notification, seen in Figure 2. Although fraudulent, it provides another layer of confidence for the end user.


Figure 2: Fraudulent Landing Page

Accessing the link in the email body leads to a convincing landing page that mimics the Mimecast login page to a high degree of accuracy. The end user is prompted to re-enter their password on the pretext that a server error has occurred. As seen in Figure 2, the base URL is not a Mimecast domain at all. It is also newly created: as the Indicators of Compromise below show, the campaign's hostnames are 32-character hexadecimal labels under svc.dynamics.com, which should raise alarm, since an established SEG presents a recognizable, stable login URL.

Once credentials are entered into the site, the data is exfiltrated to an external, privately hosted server. The login page simply refreshes in a loop regardless of the number of login attempts, so the victim never receives confirmation that anything was wrong.

Unfortunately, as is often the case with privately hosted malicious servers and sites, they are taken down as quickly as they appear. As shown in Figure 3, a subsequent request returned an HTTP 403 (Forbidden) error, so the resource could no longer be retrieved.

Figure 3: Network access attempt

Campaigns that employ the guise of a SEG are often part of a targeted attack on a given company, since the attacker must first know which SEG is in use; that knowledge can be obtained through social engineering and OSINT. Keeping safe lists and firewall ACLs current, along with end-user training, continues to be the most effective means of avoiding account compromise.

Cofense can assist with these protections. Our Phishing Detection and Response platform comprehensively contains the phishing threats that bypass traditional email security. Cofense delivers the technology and advanced insight needed to rapidly detect, analyze and auto-quarantine phishing attacks. Contact us to learn more.


Indicators of Compromise

URL: hXXps://1df493b81f7f45e68407442811a516e5[.]svc[.]dynamics[.]com/t/r/
IP:  hXXp://52[.]183[.]87[.]159/

URL: hXXps://d5e5ecb84884425f98768108f081a87a[.]svc[.]dynamics[.]com/t/r/X-fsqjgi42gdMDDZPkaz34T9oWvCL2u-hDs3ZwpUAU8#[TO-EMAIL]:0002=12900
IP:  hXXp://52[.]183[.]87[.]159/
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results. 
  The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.