Microsoft EOP, Mimecast
By Jake Longden, Cofense Phishing Defense Center
Password expiration (or “expiry”) emails are used by almost every organization on a regular basis as a resource to remind users that a change of password is necessary. Unfortunately, they are ideally suited for phishing attacks and represent a common tactic employed by threat actors seeking to obtain credentials.
The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that harvests Adobe credentials by impersonating a password expiry email.
Figure 1: Sender Nickname
To add authenticity to the email, the threat actors have set the sender nickname to “Mail Administrator” and the subject line to “Password Expires Now” in an attempt to imitate the format of legitimate emails. At first glance, the recipient might think this reset is related to one of the Apple accounts. Password expiry emails are typically sent out by an organization’s IT team, and failing to reset the credentials can result in email or account access issues.
Figure 2: Email Body
The user then views an email deliberately designed by the threat actor to instill a sense of urgency and importance, namely that the user’s password has expired. Users are warned that, unless they wish to “Keep the same password,” the mailbox will be “closed automatically,” thus leaving the user without access to their mailbox. Furthermore, the threat actor has added the recipient’s email address to the body for a personal touch.
By impersonating such a serious email, the threat actor has exploited methods used in multiple phishing campaigns. They are designed to gain the user’s trust (by spoofing a trusted and expected sender nickname), and to preclude critical analysis of the email’s legitimacy via its gravity (account closure).
There are, however, a couple of indicators within the message body itself that suggest this is a spoofed email. There is an equals (=) character in the middle of the word “expires” in the first sentence, and another between the words “to” and “continue” in the second sentence. Additionally, next to the year 2021 at the end of the email, we find the characters “=A9.” While these could just be formatting issues from the threat actor’s phishing kit, they are red flags that point to the potential illegitimacy of the email, as it is improbable that an organization would make such mistakes.
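The stray “=” characters and the “=A9” sequence described above are consistent with quoted-printable encoding that was never decoded: in that encoding a lone “=” at the end of a line is a soft line break (which is how a word such as “expires” ends up split), and “=A9” is the escaped byte 0xA9, the © symbol in Latin-1. The following Python is an added example, not code from the original post or from Cofense; it scans a constructed message body that mimics the artifacts described here (not the actual phishing email) for leftover quoted-printable escapes, explains each one, and shows what the body was meant to read. Scanning rendered bodies for such residue is a cheap signal for triaging reported emails.

```python
import re
import quopri

# Constructed sample body that mimics the artifacts described in the post.
# It is NOT the text of the real phishing email.
SAMPLE_BODY = (
    "Your password exp=\nires today.\n"
    "Click here to=\n continue using the same password.\n"
    "=A9 2021 Mail Administrator\n"
)

# A quoted-printable escape is "=" followed by two uppercase hex digits,
# or "=" immediately before a line ending (a soft line break).
QP_ESCAPE = re.compile(r"=(?:[0-9A-F]{2}|\r?\n)")


def find_qp_residue(body: str):
    """Return (offset, token, explanation) for each quoted-printable escape
    still present in a body that should already have been decoded."""
    findings = []
    for match in QP_ESCAPE.finditer(body):
        token = match.group(0)
        if token[1:] in ("\n", "\r\n"):
            # "=" at end of line: the next line continues the same word/phrase.
            findings.append((match.start(), token, "soft line break"))
        else:
            # "=XX": the byte with hex value XX, shown here as Latin-1.
            char = bytes([int(token[1:], 16)]).decode("latin-1")
            findings.append((match.start(), token, f"byte 0x{token[1:]} = {char!r}"))
    return findings


def decode_body(body: str) -> str:
    """Decode the body as quoted-printable to recover the intended text."""
    return quopri.decodestring(body.encode("ascii")).decode("latin-1")


if __name__ == "__main__":
    for offset, token, explanation in find_qp_residue(SAMPLE_BODY):
        print(f"offset {offset:3d}: {token!r:8} -> {explanation}")
    print("--- decoded body ---")
    print(decode_body(SAMPLE_BODY))
```

Running this on the constructed body reports two soft line breaks and one escaped byte (© from “=A9”), and the decoded text reads “expires” and “to continue” as the sender intended. In a triage workflow, any hit from `find_qp_residue` on an already-rendered body is worth a closer look, since a well-formed mail client or mailer would have decoded these before display.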
Figure 3: Phishing Page
Once the user has clicked the link in the email, they are presented with a page designed to trick them into believing it is an Adobe login page. Adobe Acrobat Reader is a popular choice of software to view, edit and create PDF files, and the threat actors have exploited this popularity in their customization of the page to manipulate the user. They have included the familiar Adobe Acrobat Reader logo at the top of the red login box, a color users associate with Adobe. The user is asked for credentials to view a document; any credentials entered are sent to the threat actors.
Again, however, there are a couple of clues that this is not a legitimate page, warning the user to be wary of the email.
As seen in Figure 4, the login page presented to the user does not look anywhere near as neat and professional as the legitimate Adobe login site.