Cofense Email Security

Phishing for Credentials: New Tactics as COVID’s Grip Eases

By Dylan Main, Cofense Phishing Defense Center

With the arrival of the COVID-19 vaccines, many companies are reopening and allowing employees to return to their offices, with protocols and guidelines in place to keep everyone safe. As we have seen throughout the pandemic, threat actors capitalize on any opportunity to infect their targets or steal sensitive information from them. As a case in point, the Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to harvest employees' login credentials by impersonating the Chief Information Officer (CIO).

Figure 1: Email Body

The email is crafted to look as though it was sent from within the company: the company's logo appears in the header, and the message is signed in the name of the CIO. Posing as an executive, the threat actor sends a fake newsletter describing new precautions and changes to business operations the company is supposedly making in response to the pandemic. Many companies really are changing their operations and issuing guidelines to employees at this time, so such a message is plausible; here, the threat actor is exploiting the confusion around those changes to steal credentials and personal information.

Figure 2: Phishing Page Posing as a SharePoint Page

If an employee interacts with the email, they are redirected to what appears to be a Microsoft SharePoint page hosting two documents. These documents appear legitimate, outlining the changes to business operations referenced in the email. Rather than redirecting straight to a login page, this extra step adds depth to the attack and gives the impression that the files are genuine internal documents. Only on interacting with the documents does it become apparent that they are not authentic but are a mechanism for harvesting account credentials.

Figure 3-4: Phishing Page Posing as a SharePoint Page

Clicking either document opens a login panel that prompts the recipient for credentials to access the files. This is uncommon among Microsoft-themed phishing pages, most of which redirect to a spoofed Microsoft login screen instead. By keeping the credential prompt inside the fake document view, the threat actor makes the files look real and avoids a suspicious redirect to another login page, so the user may be more inclined to supply credentials in order to view the updates.

Another technique this threat actor uses, and one we have seen in other campaigns, is fake credential validation. In this example, the first few submissions to the login panel are answered with the error message “Your account or password is incorrect,” regardless of what was entered.

Figure 5: Final Redirect Page

After a few attempts, the employee is redirected to a genuine Microsoft page. This gives the impression that the login finally succeeded and that the employee now has access to the shared documents. In reality, every set of credentials entered was captured, and the threat actor can now use them to access the account and the owner's information. The repeated "incorrect password" responses also serve the attacker: a user who retypes, corrects or switches passwords hands over several variants in one sitting, so any employee who entered credentials on the page should have their password reset and active sessions revoked, even if they believe the login failed.

As the world returns to normal and new standards are put in place, threat actors will keep using every tool at their disposal to steal information from whomever they target. This campaign is another example of an attack designed to compromise credentials and evade secure email gateways. Cofense's Managed Phishing Detection and Response platform gives enterprises a clear view of attacks like these and the means to mitigate them. In five years, no customer using the Cofense PDC has experienced a breach resulting from a phishing attack.

Indicators of Compromise

URL                                            IP
hXXps://codecist[.]com/wp-settings/step.php    173[.]249[.]55[.]26
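As an added example (not Cofense's code and not part of the original post), the following Python refangs the indicators above, matches them against proxy log lines, and flags the sequence described earlier: several POSTs to the same non-Microsoft URL answered with an error, followed by a redirect to a real Microsoft page. The log format, the list of Microsoft landing hosts and the sample log lines are all constructed assumptions.

```python
"""Added example: IOC matching plus detection of the 'fake credential
validation' pattern over constructed proxy log lines. Not Cofense code."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators as published in the post, defanged.
DEFANGED_IOCS = [
    "hXXps://codecist[.]com/wp-settings/step.php",
    "173[.]249[.]55[.]26",
]

# Hosts a kit typically sends the victim to after the "successful" attempt
# (assumed list; extend as needed).
MICROSOFT_LANDING_HOSTS = {
    "login.microsoftonline.com", "www.office.com",
    "login.live.com", "onedrive.live.com",
}

# Constructed proxy log (assumed format: timestamp user method url status dest_ip).
# Destination IPs other than the IOC use TEST-NET-1 (192.0.2.0/24) placeholders.
SAMPLE_LOG = """\
2021-06-14T09:11:52Z alice GET https://codecist.com/wp-settings/step.php 200 173.249.55.26
2021-06-14T09:12:03Z alice POST https://codecist.com/wp-settings/step.php 200 173.249.55.26
2021-06-14T09:12:19Z alice POST https://codecist.com/wp-settings/step.php 200 173.249.55.26
2021-06-14T09:12:31Z alice POST https://codecist.com/wp-settings/step.php 302 173.249.55.26
2021-06-14T09:12:32Z alice GET https://www.office.com/ 200 192.0.2.20
2021-06-14T09:15:00Z bob GET https://contoso.sharepoint.com/sites/hr/Shared%20Documents 200 192.0.2.30
2021-06-14T09:16:10Z bob POST https://login.microsoftonline.com/common/login 302 192.0.2.40
2021-06-14T09:16:11Z bob GET https://www.office.com/ 200 192.0.2.20
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ip>\S+)$"
)


def refang(indicator):
    """Turn a defanged indicator (hXXps, [.], [:]) back into a matchable string."""
    return (indicator.replace("hXXps", "https").replace("hXXp", "http")
            .replace("[.]", ".").replace("[:]", ":"))


def parse_log(text):
    """Parse the assumed log format into a list of event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["status"] = int(event["status"])
            events.append(event)
    return events


def ioc_hits(events, defanged=DEFANGED_IOCS):
    """Return (timestamp, user, url) for events touching a known URL prefix or IP."""
    iocs = [refang(i) for i in defanged]
    return [(e["ts"], e["user"], e["url"]) for e in events
            if any(e["url"].startswith(i) or e["ip"] == i for i in iocs)]


def fake_validation_sequences(events, min_posts=2):
    """Flag users who POSTed to the same non-Microsoft URL at least min_posts
    times in a row and were then sent to a Microsoft landing host: the
    'wrong password, wrong password, success' pattern, independent of IOCs."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        run_url, run_len = None, 0
        for e in evs:  # events are assumed to be in time order per user
            host = urlsplit(e["url"]).hostname or ""
            if e["method"] == "POST" and host not in MICROSOFT_LANDING_HOSTS:
                run_url, run_len = (run_url, run_len + 1) if e["url"] == run_url else (e["url"], 1)
            elif e["method"] == "GET" and host in MICROSOFT_LANDING_HOSTS and run_len >= min_posts:
                findings.append((user, run_url, run_len))
                run_url, run_len = None, 0
            else:
                run_url, run_len = None, 0
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(evs):
        print("IOC hit:", hit)
    for finding in fake_validation_sequences(evs):
        print("Fake-validation sequence:", finding)
```

The sequence check is the more durable of the two: the URL and IP will rotate, but a burst of form POSTs to an unknown host that ends in a bounce to a real Microsoft page is the behaviour the kit needs in order to look convincing.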