Share:

By Zachary Bailey, Cofense Phishing Defense Center

The rise in phishing attacks and increased delivery of sensitive information over email has fueled the demand for “secure mailers.” These services encrypt and store your organizations emails, only unlocking them if the designated recipient signs in. This takes the stress off the organization’s SEGs, or secure email gateways, when it comes to checking emails for sensitive or personally identifiable information (PII). However, secure mailers can be spoofed, and their credentials harvested – creating a new threat vector relative to sensitive emails. 

 Zix is a common secure mailer that is observed by the Cofense PDC. One threat actor mimicked Zix branding to create a lookalike phishing page using a custom domain that bypassed SEG protection. The attack relies on the target’s familiarity with Zix as they click through the encryption message and land on a Microsoft phishing page.  After submitting their credentials, the victim is redirected to a legitimate OneDrive error page.  

Figure 1: Email Body 

The email in Figure 1 looks typical of a secure mailer and uses a Zix message tag. The note saying “Michelle sent you a secure message” reinforces familiarity and lures the recipient into a false sense of security. The only lure here is asking the user to “Click here” to read on, while also advising how to complete the next step once they land on the website.  

Figure 2: Email Body Showing URL 

If the recipient hovers over the link, as shown in Figure 2, they will see that it goes to a “securemail” sub-domain, which is a common setup for these servicesIn the body of the message, they also see the expiration for retrieving the message

Figure 3: Phishing Page 

In Figure 2 we see the website mimics Zix landing site, which directs the recipient to interact with a click to read message” button (Figure 3)The site is also HTTPS encrypted, so any data sent through it cannot be read. If the user hovers over the button, they will notice that it leads to a different website. This is shown in Figure 4.   

Figure 4: Phishing Page 

During the transition from the secure mailer page, the title of the tab has changed from “SecureMail!” to “Sign in to your account,” accompanied by a Microsoft login page. This is an uncommon occurrence for secure mailers as they typically have their own login pages. 

Figure 5: Phishing Page 

After the user provides their credentials, a redirect occurs taking them to a OneDrive error page. Inspecting the network traffic shows that the entered credentials have been sent to the threat actor rather than Microsoft.This error page is a common tactic to convince the user that “something went wrong” and postpone or prevent recognition that their credentials were harvested.  

Indicators of Compromise 

hXXps://securemail[.]uadiaspora[.]com/  45[.]58[.]117[.]154 
hXXps://nojokemarketingpodcast[.]com/o1/main.html?  162[.]241[.]157[.]65 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.