Cofense Email Security

Password Expiry Phish are not Growing Old

Microsoft EOP | Mimecast

By Jake Longden, Cofense Phishing Defense Center

Password expiration (or “expiry”) emails are used by almost every organization on a regular basis as a resource to remind users that a change of password is necessary. Unfortunately, they are ideally suited for phishing attacks and represent a common tactic employed by threat actors seeking to obtain credentials.

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that harvests Adobe credentials by impersonating a password expiry email.

Figure 1: Sender Nickname

To add authenticity to the email, the threat actors have set the sender nickname to “Mail Administrator” and the subject line to “Password Expires Now” in an attempt to imitate the format of legitimate emails. At first glance, the recipient might think this reset is related to one of their Apple accounts. Password expiry emails are typically sent out by an organization’s IT team, and an unreset password can result in email or account access issues until the credentials are changed.


Figure 2: Email Body

The user then views an email deliberately designed by the threat actor to instill a sense of urgency and importance, namely that the user’s password has expired. Users are warned that, unless they wish to “Keep the same password,” the mailbox will be “closed automatically,” thus leaving the user without access to their mailbox. Furthermore, the threat actor has added the recipient’s email address to the body for a personal touch.

By impersonating such a serious email, the threat actor is reusing methods seen in many phishing campaigns. These methods are designed to gain the user’s trust (by spoofing a trusted and expected sender nickname) and to preclude critical analysis of the email’s legitimacy through its gravity (account closure).

There are, however, a couple of indicators within the message body itself that suggest this is a spoofed email. There is an equals (=) character in the middle of the word “expires” in the first sentence, and another between the words “to” and “continue” in the second sentence. Additionally, next to the year 2021 at the end of the email, we find the characters “=A9.” While these could simply be formatting issues from the threat actor’s phishing kit, they are red flags that point to the potential illegitimacy of the email, as it is improbable that an organization would make such mistakes.
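The sender-nickname spoof and the stray “=” and “=A9” artifacts described above are both things a mail-triage script can flag. The following is an added example written for this article, not Cofense code: it parses a constructed message modelled on the lure, checks whether an admin-looking display name is paired with an address outside the organisation’s own domains, and searches the body for undecoded quoted-printable residue. The “=A9” token is exactly how quoted-printable encodes byte 0xA9, which is “©” in ISO-8859-1, and a bare “=” glued into a word is what a quoted-printable soft line break looks like once its line ending is lost, so the script also shows what the text would have read had the kit encoded it correctly. The sender domain, recipient and internal-domain list are placeholders, not indicators from the report.

```python
"""Triage checks for a password-expiry phishing lure (added example, not Cofense code)."""
import quopri
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the lure described in the article. The sender
# address, recipient and domains are placeholders, not indicators from the report.
SAMPLE_EMAIL = """\
From: Mail Administrator <noreply@attacker-example.invalid>
To: user@victim-example.invalid
Subject: Password Expires Now
Content-Type: text/plain; charset="iso-8859-1"

Your password exp=ires today. Keep the same password to =continue
using user@victim-example.invalid or your mailbox will be closed automatically.
2021 =A9 Mail Administrator
"""

# Domains the organisation really sends IT notices from (assumed for the example).
INTERNAL_DOMAINS = {"victim-example.invalid"}

# Display names that imitate an internal IT or mail administrator.
ADMIN_LIKE_NAME = re.compile(
    r"\b(?:mail|it|system|helpdesk|account)?\s*(?:admin|administrator|support)\b", re.I
)

# Quoted-printable that was never decoded: an "=XX" hex escape, or a bare "="
# glued to a letter where a soft line break's CRLF was lost.
QP_RESIDUE = re.compile(r"=(?:[0-9A-Fa-f]{2}|[A-Za-z])")


def display_name_spoof(msg) -> bool:
    """True when the From display name looks like internal IT but the
    address sits outside the organisation's own sending domains."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return bool(ADMIN_LIKE_NAME.search(name)) and domain not in INTERNAL_DOMAINS


def qp_residue(body: str) -> list[str]:
    """Tokens that look like undecoded quoted-printable (the '=' and '=A9'
    artefacts called out in the article). Heuristic only: '=' inside URL
    query strings would also match, so run it on visible text, not on links."""
    return QP_RESIDUE.findall(body)


def reconstruct_text(body: str, charset: str = "iso-8859-1") -> str:
    """Show what the lure's author intended: decode the hex escapes
    (=A9 -> '©' in ISO-8859-1) and drop the stray '=' left by lost soft breaks.
    quopri leaves an '=' that is not followed by two hex digits untouched,
    so the second step only removes those leftovers."""
    decoded = quopri.decodestring(body.encode("ascii")).decode(charset)
    return re.sub(r"=(?=[A-Za-z])", "", decoded)


def triage(raw: str) -> dict:
    """Run all checks over one raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    residue = qp_residue(body)
    return {
        "subject": msg.get("Subject", ""),
        "display_name_spoof": display_name_spoof(msg),
        "qp_residue": residue,
        # the "personal touch": recipient address echoed into the body
        "recipient_in_body": msg.get("To", "") in body,
        "reconstructed": reconstruct_text(body) if residue else body,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value!r}")
```

Running the script on the constructed sample flags the display name, lists the three residue tokens, and prints the body as it would have appeared correctly decoded (“expires”, “to continue”, “2021 © Mail Administrator”), which is why these artifacts are a reliable hint that a home-made kit, not a corporate mail system, produced the message.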


Figure 3: Phishing Page

Once the user has clicked the link in the email, they are presented with a page designed to trick them into believing it is an Adobe login page. Adobe Acrobat Reader is a popular choice of software to view, edit and create PDF files, and the threat actors have exploited this popularity in their customization of the page to manipulate the user. They have included the familiar Adobe Acrobat Reader logo at the top of the red login box, a color users associate with Adobe. The user is asked for credentials to view a document; if provided, those credentials are sent to the threat actors.

Again, however, there are a couple of clues that this is not a legitimate page, warning the user to be wary of the email.

As seen in Figure 4, the login page presented to the user looks nowhere near as neat and professional as the legitimate Adobe login site.


Figure 4: Legitimate Adobe Login Page

Most importantly, there is a disconnect between the threat actors’ phishing email and their payload site. The email warns of impending mailbox closure if the old password expires, while the malicious site asks for credentials to view a document.

We therefore see two common phishing tactics: first, the password expiry impersonation and, second, the “Login to View File” ruse. The threat actor here seems to have, mistakenly or not, combined them, thus increasing the chances of the user recognizing the attack and not providing the desired credentials.

Cofense Phishing Defense Center (PDC) was able to analyze this phishing threat because a well-conditioned user recognized this suspicious email and quickly reported it with Cofense Reporter. We can help your business, too. Contact us to find out how.

Network IOC: hXXps://firebasestorage[.]googleapis[.]com/v0/b/tbmd-c01cf[.]appspot[.]com/o/Advice[.]shtml
IP: 142[.]251[.]32[.]234
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.