By Josh Varden and Cobi Aloia, Cofense Phishing Defense Center
Recently, the Cofense Phishing Defense Center (PDC) has seen an increase in malicious emails utilizing legitimate third-party business software to evade detection while maintaining a high level of deception. In this instance, the collaboration and project management platform Atlassian is being used to host malicious content via their domain, in a technique often referred to as domain or platform abuse. In this blog, we will discuss the ins and outs of how threat actors lure victims into using these techniques and aim to steal their credentials to access critical employee information and business infrastructure.
Recent Data from the PDC has shown multiple examples of threat actors using trusted company domains to hide malicious content within forms, pages, URLs, etc. Some of these include Canva, SharePoint, and DocuSign. Atlassian’s software, Confluence, is being abused by threat actors to leverage a false sense of security by using the company’s reputable presence as a trusted domain within the corporate space.
Figure 1: Email Body
The body of the email remains cut and dry, asking the recipient to review an attached document emailed on a specific date. Attached is a Microsoft Excel document claiming to be from a potential business partner. This directly relates to the subject of the email citing a proposal, making it seem more likely that this is a legitimate attachment. Other notable items in the body of the email include social media URLs that lead to the potential partner’s Facebook page, Instagram, LinkedIn, and X profiles. These links, as well as the aforementioned branding of the email, help enforce a deceptive narrative that this email is from a real prospect and thus, trustworthy.
The email uses social engineering tactics to urge the recipient to click on the attachment in the message by asking them to “Please see attached.” There is a slight sense of urgency to the email by using the acronym “FYI” (for your information) in large, capitalized text. By also giving a date in the text body, it forces the user to decide whether to click on the included attachment or potentially frustrate a customer or vendor by not responding promptly.
Figure2: Attachment
The attachment for this email is an Excel file (.xls) that, upon opening, would present the user with a DocuSign branded image, displaying “You’ve received a document, review and sign.” Below the image is a hyperlink that reads, “REVIEW NEW DOCUMENT.” By clicking the hyperlink, the user is redirected to the Atlassian domain, where the threat actor leverages the Atlassian product Confluence – a wiki designed for corporations.
Figure 3: Phishing Page
Above in Figure 3 is the Confluence redirect page that the user is redirected to through the initial email’s Excel file. Exploiting the Atlassian domain, the threat actor is attempting to bypass SEGs (secure email gateways) or other email security measures that could block incoming threats. In this instance, and in many others, this tactic of using trusted domains to host malicious content was able to bypass the SEG and make it into the recipient's inbox. The bulk of the page includes a large title saying “New Bid Proposal Form” with a small description in all caps text underneath. Beneath this description is a hyperlink that reads “CLICK HERE TO ACCESS THE DOCUMENT,” containing the final redirect to the malicious phishing page. By clicking this hyperlink, the recipient is led to the page in the figure below.
Figure 4: Phishing Page
The user is redirected a final time to the actual phishing page boasting the well-known and ever-prevalent Microsoft branded sign-in form. The URL for this page uses the subdomain “office.atfxt.com” to further reinforce the deceptive idea that this is a legitimate Microsoft login. Once the user inputs their credentials into the sign-in form, their username and password will be exfiltrated via a POST request to the host domain “atfxt.com,” where the threat actor can view and use them to further exploit or compromise the user’s data and company infrastructure. Some examples of attacks that can be used with an employee’s compromised credentials include but are not limited to: Spear Phishing, Business Email Compromises, Account Takeover, Privilege Escalation, Malware Deployment, and Lateral Movement. These attacks can result in widespread compromise of company data as well as loss of assets and even risks compromising the third-party companies or vendors that may associate with the employee or their employer. Mitigating these attacks is crucial to enterprise security, as phishing emails are generally the first step within major attacks and account for 91% of data breaches within organizations (Deloitte).
Phishing attacks such as these utilize known trusted domains and deception to reach a targeted recipient. Taking control of a commonly known domain allowed threat actors to evade SEGs and other security measures, relying on an unsuspecting recipient trusting what should be a known URL vector. Cofense Managed Phishing Detection and Response, alongside our Phishing Defense Center (PDC), was able to identify and analyze this tactic, while SEGs and other security measures were bypassed. Reach out to our team of experts to learn more.
Indicators of Compromise | IP |
|---|---|
File Name: Kilgore Industries.xlsx |
|
hXXps://kilgoreind[.]atlassian[.]net/wiki/external/ZTRhODM1N2U5Mzk5NGJmY2FmZWQ4NjI3YTVhNzhhYzA | 104.192.142.19 |
hXXps://office[.]atfxt[.]com/common/oauth2/v2[.]0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=hXXps%3A%2F%2Fwww[.]office[.]com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20hXXps%3A%2F%2Fwww[.]office[.]com%2Fv2%2FOfficeHome[.]All&response_mode=form_post&nonce=638630591533111152[.]Yjc0ZWIxOGUtMzZlMS00ZjYxLWE5NzMtOGRhZjI5MmFkNjk5YzljZDBhNDEtMTQzNi00ZWU1LWE3MGUtMzViOWE3M2U3MGFm&ui_locales=en-US&mkt=en-US&client-request-id=2520dd33-9c6a-4ab9-b7db-54edf4ce3dad&state=CxgsacqzGvRaN8zwAstYXgKUFjO8Vq97-Vl8Iy7bhYl_k0kCjRhhf_LJLPpO-z9e3mIVZGCegO00zMWHxSDb121MuJ7YZx7E6-q4Uf0moWf6cwa93wreEdtU6R939FyHB2C6GhtUHYC2JHPgu8-Wdu06tHTfjdT8G5--nEXQ68WEe5CxVQJOGC0y9PjToPNrNnXboTYF4vePQt2CYVywNPq2fv4iDbMzXsX1EKxBUdlDGBlUu6rviZA5hXZd1a6aAjYf-_7zAsm9tLxewstdZw&x-client-SKU=ID_NET8_0&x-client-ver=7[.]5[.]1[.]0 | 82.180.130.33 |
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.