By Adam Martin, Cofense Phishing Defense Center

As threat actors phish for credentials, they continue to send emails in alignment with organizational business processes, such as demands for signatures or approvals for “sensitive” documents. A trend recently found by the Cofense Phishing Defense Center (PDC) team is a pre-set deadline for access to the given sensitive information. This represents a two-pronged approach to phishing. Element one is trust. Suspicions would be lowered because one would assume a threat actor would want the material accessible for as long as possibleElement two is urgency, given the deadline for viewing. Both aspects are illustrated in Figure 1.  

Figure 1 

Once the provided URL is accessed, the following page is displayed. The first stage to this credential phish is a sham SharePoint page. As can be seen from the address barthe webpage is hosted by another vendor 

Figure 2 

Further down on the same landing page, an image of an envelope labeled “proposal” is seen. Another confidence-inspiring message is also found; it bears some semblance of legal legitimacy.

Figure 3 

Upon accessing the link to the seemingly legallyprotected document, a common tactic is employed whereby the threat actor allows the recipient to choose their email providerThis is complemented by blurred content possibly to up the temptation to access the obscured information. The base URL changes to one that has little to do with the sending company or any legitimate email provider.  

Figure 4 

Once the login credentials are entered, they are exfiltrated to an external server.  

Figure 5 

Indicators of Compromise 

hXXps://spark[.]adobe[.]com/page/6n0AwhsWKa3fw/  13[.]32 [.] 204 [.] 55 

13 [.] 32 [.] 204 [.] 80 

13 [.] 32 [.] 204 [.] 53 

13 [.] 32 [.] 204 [.] 46 

hXXps://stickymoosestickers[.]com/austt/index.php  199 [.] 250 [.] 201 [.] 182 
All third-party trademarks referenced byCofensewhether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship betweenCofenseand the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or differentconfigurations may be effective at stopping these or similar threats. 
TheCofense® and PhishMe® names and logos, as well as any otherCofenseproduct or service names or logos displayed on this blog are registered trademarks or trademarks ofCofenseInc.