By Kian Mahdavi, Cofense Phishing Defense Center
It’s no secret that Microsoft dominates the market with its popular services such as SharePoint, OneDrive, Outlook, etc. The temptation for cyber criminals to spoof and exploit these services is on the rise and is at its highest point yet. Many office workers continue to telework, which paves the way for cyber criminals to release even more, and sneakier, phishing attacks.
The Phishing Defense Center (PDC) has uncovered a new variation of a campaign in which threat actors attempt to harvest and exploit innocent recipients’ data. We have previously uncovered numerous rounds of the Microsoft invoice-themed email; however, this time there’s a slight change: the lure claims that “Business Basic is expired.” We haven’t seen this one before.
Figure 1: Email Body
The body of the email in Figure 1 explains that a Microsoft service has expired, in this case the recipient’s “Business Basic package.” Note that there is no salutation such as “good morning” or “hello,” a strong indication that this is a mass-distributed phishing email intended to extract as much personal data as possible.
We note in Figure 2 the evident mismatch within the sender domain “transmartinbr[.]mail[.]onmicrosoft[.]com”: the first label, “transmartinbr,” has no relation to the all-important “Microsoft” reference. This raises red flags. At the same time, the domain ends in “onmicrosoft,” which could lure curious users into trusting it.
One may ask, “Was I subscribed to a Business Basic service?” and “Am I expecting to receive an invoice from this sender?”
The threat actor did take the time to ensure their campaign looked as similar to genuine Microsoft-themed emails as possible. Indicators that we noted were similar font size and color, the “unsubscribe” option, the “View this email in your browser” link toward the top and, lastly, a hyperlinked reminder to learn more about “privacy” near the bottom of the email. All of this boosts the campaign’s credibility.
Figure 2: Phishing Landing Page
Should users click the fake “service portal” link, they would be redirected to a Microsoft-themed phishing page hosted on a compromised Serbian news site. Abusing compromised legitimate websites to host phishing pages is a worrying yet effective practice among attackers.
hXXps://www[.]sipovo[.]net/mylicence/access[.]php
Once credentials have been supplied, the campaign redirects the user to the authentic “office[.]com” page displayed in Figure 3. This may be enough to convince users that the transaction was genuine, leaving victims of this phishing attack at the mercy of the threat actor.
Figure 3: Legitimate Office Page
There’s an abundance of bot-driven phishing attacks; however, behind every phishing attack is a threat actor. Likewise, behind extensive automation lies human intelligence.
At Cofense, we leverage the human factor to deliver a highly effective defense against phishing attacks, underpinned by our global network of nearly 30 million active reporters. With the combination of artificial and human intelligence, Cofense enables enterprises worldwide to eliminate phishing attacks, often before they’re even reported. Contact us to learn how we can help your business.
Indicators of compromise

| Network IOC | IP |
| --- | --- |
| hXXps://www[.]sipovo[.]net/mylicence/access[.]php | 192[.]185[.]116[.]181 |
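The following Python script is an added example for defenders and is not part of the original Cofense write-up or any Cofense tooling. It turns the two observations above into detection logic: the sender-domain check flags mail from an onmicrosoft.com tenant-default domain whose tenant label is not on an allowlist (the mismatch noted for Figure 2), and the proxy-log check matches requests against the defanged indicators in the table, treating a POST to the harvesting page as a likely credential submission, since the page redirects to office.com only after a form is submitted. The allowlist (`contoso`), the log formats and the sample records are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the IOC table above, still in defanged form.
DEFANGED_IOCS = {
    "url": "hXXps://www[.]sipovo[.]net/mylicence/access[.]php",
    "ip": "192[.]185[.]116[.]181",
}

# Tenants whose default *.onmicrosoft.com domains are expected in inbound mail.
# Hypothetical allowlist for this example; a real deployment loads its own.
EXPECTED_TENANTS = {"contoso"}

# tenant.onmicrosoft.com or tenant.mail.onmicrosoft.com (the routing domain seen here)
ONMICROSOFT_RE = re.compile(
    r"^(?P<tenant>[a-z0-9-]+)(?:\.mail)?\.onmicrosoft\.com$", re.IGNORECASE
)


def refang(value: str) -> str:
    """Reverse the defanging used in threat reports (hXXps, [.]) so the
    indicator can be compared with what appears in real logs."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def normalise_url(url: str) -> str:
    """Lower-case scheme and host, keep the path, drop query and fragment."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def tenant_mismatch(address: str, expected=EXPECTED_TENANTS):
    """Return the tenant label when the sender uses an onmicrosoft.com default
    domain belonging to a tenant we do not recognise, otherwise None."""
    domain = address.rsplit("@", 1)[-1].lower()
    m = ONMICROSOFT_RE.match(domain)
    if m is None:
        return None
    tenant = m.group("tenant")
    return None if tenant in expected else tenant


def scan_mail(records, expected=EXPECTED_TENANTS):
    """Flag messages from unrecognised onmicrosoft.com tenants."""
    hits = []
    for rec in records:
        tenant = tenant_mismatch(rec["from"], expected)
        if tenant:
            hits.append((rec["from"], tenant, rec["subject"]))
    return hits


# Constructed proxy line layout: timestamp client dst-ip method url status
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy(lines, iocs=DEFANGED_IOCS):
    """Match proxy lines against the IOC URL or IP. A POST to the harvesting
    page means a form was submitted, so it is reported as a likely credential
    loss rather than a mere visit."""
    ioc_url = normalise_url(refang(iocs["url"]))
    ioc_ip = refang(iocs["ip"])
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        url_hit = normalise_url(m["url"]) == ioc_url
        ip_hit = m["dst"] == ioc_ip
        if url_hit or ip_hit:
            severity = "credentials-submitted" if m["method"] == "POST" else "page-visited"
            hits.append((m["client"], m["method"], severity))
    return hits


# Constructed sample records (not real logs) so the script runs stand-alone.
SAMPLE_MAIL = [
    {"from": "noreply@transmartinbr.mail.onmicrosoft.com", "subject": "Business Basic is expired"},
    {"from": "digest@contoso.onmicrosoft.com", "subject": "Weekly digest"},
    {"from": "alerts@example.org", "subject": "Build failed"},
]
SAMPLE_PROXY = [
    "2021-03-01T10:02:11Z 10.1.2.3 192.185.116.181 GET https://www.sipovo.net/mylicence/access.php 200",
    "2021-03-01T10:02:45Z 10.1.2.3 192.185.116.181 POST https://www.sipovo.net/mylicence/access.php?x=1 302",
    "2021-03-01T10:02:46Z 10.1.2.3 203.0.113.10 GET https://www.office.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_mail(SAMPLE_MAIL):
        print("MAIL ", hit)
    for hit in scan_proxy(SAMPLE_PROXY):
        print("PROXY", hit)
```

The tenant check deliberately keys on the label before `.onmicrosoft.com` rather than on the `onmicrosoft` string itself, because the suffix is legitimate for every Microsoft 365 tenant; what made this sender suspicious was an unfamiliar tenant name in front of it. The proxy check normalises both sides before comparing, so query strings appended by the phishing kit do not cause a miss.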