Phishing for Credentials: New Tactics as COVID’s Grip Eases
By Dylan Main, Cofense Phishing Defense Center
With the arrival of the COVID-19 vaccines, many companies are reopening and allowing their employees to return to their respective offices, with protocols and guidelines in place to keep everyone safe. As we have seen throughout the pandemic, threat actors will capitalize on any opportunity to infect their targets or to steal or remove secure information from them. As a case in point, the Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to gather login credentials from employees by impersonating the Chief Information Officer (CIO).
Figure 1: Email Body
The email appears to have been sent from a source within the company: it shows the company’s logo in the header and is signed in the name of the CIO, whom the threat actor is spoofing. By pretending to be an executive, the threat actor has sent a false newsletter explaining the new precautions and changes to business operations the company is taking in response to the pandemic. It is likely that many companies are making changes to their operations and providing their employees with guidelines in these times. In this case, however, the threat actor is trying to capitalize on sometimes confusing change to steal credentials and personal information.
Figure 2: Phishing Page Posing as a SharePoint Page
If an employee were to interact with the email, they would be redirected to what appears to be a Microsoft SharePoint page with two documents. These documents appear to be legitimate, outlining changes to business operations referenced in the original email. Instead of simply redirecting to a login page, this additional step adds more depth to the attack and gives the impression that the files are actual documents from within the company. Once the employee interacts with these documents, it becomes apparent that they are not authentic and are instead phishing mechanisms to garner account credentials.
Figure 3-4: Phishing Page Posing as a SharePoint Page
Clicking on either of t