By Kaleb Kirk, Cofense Phishing Defense Center

Phishing attacks, primarily those leveraging OneDrive and other legitimate hosting services, have become more common as more and more of our work is saved to and stored in trusted cloud services. Microsoft services are often used as attack vectors because users are accustomed to sharing files with coworkers through them. Other platforms are used in similar ways, of course, but Microsoft OneDrive merits special mention here for no other reason than the sheer number of businesses that rely on it. Such a popular platform draws attention from threat actors and, as a result, leads to a bump in the frequency with which Cofense receives phishing email reports from users, like today’s subject.

Figure 1: Email Body

In Figure 1, observations can be made about what was done to make this email look appealing to the average employee. It bears a close resemblance to an official Microsoft email notification. Threat actors have even added elements to the email for authenticity, such as the graphic above the link claiming that it is “safe and secure.” The rest of the email has similar-looking icons and official fonts that have been carefully crafted and arranged to deceive the reader. This tactic reassures the user, who typically does a quick scan of the message and clicks the link without looking too closely or analyzing the cues. Organizations have enabled URL defenses to protect users if they interact with the link; however, it often takes several interactions before the SEG determines a link to be malicious and proactively blocks it.

Figure 2: Phishing Page

As seen in Figure 2, the landing page shows a link leading to the shared documents mentioned in the email body. Although it’s been censored, it also displays the logo of the group that the threat actor is trying to impersonate. We also see a timer below the link; it’s likely present to add a sense of urgency that further induces the recipient to click. In most instances, these timers don’t have any function or purpose beyond the psychological one of prompting the user to act.

Figure 3: Phishing Page

At first glance, the final phishing page in Figure 3 appears to be a standard Microsoft login page, with all the graphics and text boxes in the format one would expect and almost no hint of anything amiss. The only visual clue for the user is the URL, which is an important indicator to include in your security awareness training. Threat actors achieve this level of visual accuracy by reusing publicly accessible images and formatting from Microsoft itself.

On the topic of the URL, however, it’s a simple domain that was likely one of a dozen or more the threat actor has spun up for the purpose of credential harvesting.

Threat actors rely on the end user not looking at the address bar and being deceived by the overall presentation. This tactic doesn’t require a lot of skill, and it’s easy to craft dozens of these domains and flood them into the wild. Doing so often nets positive results for the attacker.
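Since the URL is the one cue that survives the visual mimicry, a defender can automate that check. The following is an added example, not Cofense’s code: it refangs the defanged indicators published at the end of this post, pulls out each host, and flags any link in a message that claims to be a Microsoft OneDrive notification but does not resolve to an assumed allowlist of genuine Microsoft sign-in hosts (the allowlist and the `triage` helper are assumptions for illustration).

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: hosts a genuine Microsoft/OneDrive sign-in flow may use.
# Extend to match your tenant; any other host behind a "Microsoft" lure is suspect.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
    "onedrive.live.com",
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hXXps://, [.]) back into a real URL."""
    url = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")

def host_of(url: str) -> str:
    """Lower-cased hostname, or '' when the URL has none."""
    return (urlsplit(url).hostname or "").lower()

def is_microsoft_login_host(host: str) -> bool:
    """True only for an allowlisted host or a subdomain of one (not a look-alike suffix)."""
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_LOGIN_HOSTS)

def classify(ioc: str) -> dict:
    """Refang one indicator and decide whether it belongs in a Microsoft-branded email."""
    url = refang(ioc)
    host = host_of(url)
    bare_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    return {
        "url": url,
        "host": host,
        "bare_ip": bare_ip,                       # raw IP hosts never belong in a OneDrive share
        "microsoft_host": is_microsoft_login_host(host),
        "suspicious": bare_ip or not is_microsoft_login_host(host),
    }

# Indicators quoted in the post, exactly as published (defanged).
PAGE_IOCS = [
    "hXXps://researchsurveyform[.]talentlms[.]com/shared/start/key:LZSIDNHR",
    "hXXp://34[.]236[.]22[.]110/",
    "hXXps://www[.]teysaust[.]net/",
    "hXXp://3[.]104[.]135[.]140/",
]

def triage(iocs=PAGE_IOCS) -> list:
    """Classify every indicator; callers can block the hosts flagged suspicious."""
    return [classify(i) for i in iocs]

if __name__ == "__main__":
    for result in triage():
        print(result)
```

Every one of the four published indicators is flagged, which is the point: a real OneDrive share notification has no reason to send a user to a bare IP or a third-party domain.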

This is a prime example of the high level of visual authenticity threat actors can attain if they use the right resources and techniques. It’s representative of the types of emails often seen by Cofense that well-conditioned users regularly report. Not all threats have technically sophisticated attributes; many are simple and easy to mass produce. This phish isn’t sophisticated, but it’s still worth noting the way the threat actors have presented it. Organizations that haven’t enabled multi-factor authentication may fall prey to this type of attack and face serious risk as a result of credential theft.

Most business leaders recognize that phishing represents a serious threat to organizational security and operational integrity. However, phishing attacks continue to succeed as tactics evolve. Cofense users demonstrate over and over the value of comprehensive phishing detection and response that advances security awareness through training and other solutions unsurpassed in the industry. To learn more about how Cofense can boost your cybersecurity position, contact us today.

Indicators of Compromise                                                  IP
hXXps://researchsurveyform[.]talentlms[.]com/shared/start/key:LZSIDNHR    hXXp://34[.]236[.]22[.]110/
hXXps://www[.]teysaust[.]net/                                             hXXp://3[.]104[.]135[.]140/
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.