By Max Gannon, Brad Haas

Exceptionally high demand in the housing market has created the opportunity for a timely new lure in a credential phishing campaign. Emails in this campaign reached users in a variety of sectors and arrived in environments protected by several different secure email gateways (SEGs). The emails purport to contain a link to home purchase closing documents from First American, a company whose services include real estate title and settlement. If users click the embedded links, they arrive at phishing pages attempting to steal Office 365 credentials.

As shown in Figure 1, the threat actors paid great attention to detail in the emails, with authentic-looking subject lines, formatting and signature blocks.

Figure 1: One of the emails spoofing First American in these campaigns.

The links in the messages led to one of several different credential phishing pages. One of these was a simple login screen (Figure 2) designed to mimic the real First American login page (Figure 3), but with a simple text line instructing users to enter their Office 365 credentials.

Figure 2: A phishing page closely resembling the real login page.

Figure 3: The real First American login page.

Another page simulates a document-sharing service displaying the first page of a commitment for title insurance (Figure 4) for several seconds. If the user attempts to go any further in the document, they are prompted to enter their email address (Figure 5); they are then taken to a fake Microsoft login screen and prompted to enter their password (Figure 6).