By Dylan Main, Cofense Phishing Defense Center

With the arrival of the COVID-19 vaccines, many companies are reopening and allowing their employees to return to their respective offices, with protocols and guidelines in place to keep everyone safe. As we have seen throughout the pandemic, threat actors will capitalize on any opportunity to infect, steal or remove secure information from their targets. As a case in point, the Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to gather login credentials from employees by acting as the Chief Information Officer (CIO).

Figure 1: Email Body

The body of the email appears to have been sent from a source within the company: it carries the company's logo in the header and is signed in the CIO's name. By pretending to be an executive, the threat actor has sent a false newsletter explaining the new precautions and changes to business operations the company is taking in response to the pandemic. It is likely in these times that many companies are making changes to their operations and providing their employees with guidelines. In this case, however, the threat actor is trying to capitalize on those sometimes confusing changes to steal credentials and personal information.
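Executive impersonation of the kind described above usually shows up in the message headers before anyone reads the body: the display name matches a known executive while the sending address belongs to a domain the organization does not own. The following triage helper is an added example, not code from Cofense or from the report; the organization domain, executive names and sample headers are all constructed placeholders, and the checks (display-name match against an executive list, Reply-To domain mismatch, and explicit `fail` results in `Authentication-Results`) are common defender heuristics rather than anything the campaign write-up specifies.

```python
import re

# Constructed organization data (placeholders, not taken from the Cofense report).
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "Chief Information Officer",
    "john roe": "Chief Executive Officer",
}

# Matches 'Display Name <user@host>' or '"Display Name" <user@host>'.
FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')


def parse_address(header_value):
    """Split an RFC 5322 address header into (display_name, address)."""
    m = FROM_RE.match(header_value)
    if m:
        return m.group("name").strip(), m.group("addr").strip().lower()
    return "", header_value.strip().lower()


def domain_of(address):
    """Return the domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalize_name(name):
    """Lowercase, drop punctuation and sort tokens so 'Doe, Jane' == 'jane doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def matched_executive(display_name, executives=EXECUTIVES):
    """Return (name, title) if the display name matches a listed executive."""
    norm = normalize_name(display_name)
    for exec_name, title in executives.items():
        if norm and norm == normalize_name(exec_name):
            return exec_name, title
    return None


def assess_message(headers, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return (verdict, findings) for one message given lower-cased header names."""
    findings = []
    display, from_addr = parse_address(headers.get("from", ""))
    from_domain = domain_of(from_addr)

    # Display name of an executive, but the sender domain is not ours.
    hit = matched_executive(display, executives)
    if hit and from_domain != org_domain:
        findings.append(
            f"display name '{display}' matches the {hit[1]} "
            f"but the sender domain is '{from_domain}'"
        )

    # Replies silently routed to a different domain than the visible sender.
    reply_to = headers.get("reply-to")
    if reply_to:
        _, reply_addr = parse_address(reply_to)
        if domain_of(reply_addr) != from_domain:
            findings.append(
                f"reply-to domain '{domain_of(reply_addr)}' differs from "
                f"from domain '{from_domain}'"
            )

    # Explicit authentication failures recorded by the receiving gateway.
    auth = headers.get("authentication-results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed per Authentication-Results")

    return ("suspicious" if findings else "clean"), findings


# Constructed sample headers: one lookalike lure, one genuine internal mail.
SAMPLE_MESSAGES = [
    {
        "from": '"Jane Doe" <jane.doe.cio@freemail-example.net>',
        "reply-to": '"Jane Doe" <jane.doe.cio@freemail-example.net>',
        "subject": "Updated return-to-office guidelines",
        "authentication-results": "spf=pass smtp.mailfrom=freemail-example.net; dmarc=none",
    },
    {
        "from": '"Jane Doe" <jane.doe@example.com>',
        "subject": "Return to office FAQ",
        "authentication-results": "spf=pass; dkim=pass; dmarc=pass header.from=example.com",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, findings = assess_message(msg)
        print(f"{msg['subject']!r} -> {verdict}")
        for finding in findings:
            print("  -", finding)
```

The executive list is the part worth maintaining: display-name matching is only as good as the names it knows, so it should be fed from the directory rather than hand-edited, and the same check is what mail gateways implement under names such as "impersonation protection".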

Figure 2: Phishing Page Posing as a SharePoint Page

If an employee were to interact with the email, they would be redirected to what appears to be a Microsoft SharePoint page with two documents. These documents appear to be legitimate, outlining changes to business operations referenced in the original email. Instead of simply redirecting to a login page, this additional step adds more depth to the attack and gives the impression that they are actual documents from within the company. When interacting with these documents, it becomes apparent that they are not authentic and instead are phishing mechanisms to garner account credentials.

Figure 3-4: Phishing Page Posing as a SharePoint Page

Clicking on either of the documents produces a login panel that prompts the recipient to provide login credentials to access the files. This differs from most Microsoft phishing pages, where the usual tactic is to spoof the Microsoft login screen itself and present an authenticator panel. By giving the files the appearance of being real and not redirecting to a separate login page, the threat actor makes it more likely that the user will supply their credentials in order to view the updates.

Another technique that the threat actor uses, and that we have seen in other campaigns, is the use of fake validated credentials. In this campaign, the first few times login information is entered into the panel, the page returns the error message, “Your account or password is incorrect.”