Phish Found in Environments Protected by SEGs: Mimecast
By Jer O’Donovan and Anthony Wright, Cofense Phishing Defense Center
Employees are bombarded with business communications: Microsoft Teams messages, internal policy updates, deadline reminders, and more. Threat actors exploit these noisy inboxes, broadcasting malicious emails that blend in with the clutter in a bid to harvest employees’ credentials.
The Cofense Phishing Defense Center (PDC) has observed a phishing campaign in which threat actors impersonate popular brands such as Microsoft and claim that “the password for ‘…’ will expire today,” as shown in Figure 1. This particular phishing email even targeted our CEO, Rohyt Belani.
Naturally, Rohyt reported the email to the PDC via the Cofense Reporter button, allowing the PDC to investigate, remediate and respond in around 60 seconds.
Figure 1: Initial Email
This attack preys on companies’ password policies, such as rotating passwords every 30 days or enforcing a minimum length. Employees may receive legitimate monthly reminders to update a password that is about to expire, so an employee who sees this phish may think nothing of it and engage with the fake request, believing they are updating their password just as they have legitimately done in the past.
The subject line in Figure 1, “Authentication Support,” implies that the email originated from the company’s own IT department, another attempt to appear legitimate.
There is no salutation such as “Dear,” “Good Morning,” or “Hello.” This points to a mass email campaign in which the attacker uses a purpose-built template and alters only a few variables, such as the “ID” and the recipient’s email address. Figure 1 also showcases the Microsoft brand in a bid to deceive the recipient.
The sending IP addresses are static across the campaign, which allows a high degree of signature-based detection efficacy, a bonus for the defending side. These static sending IPs can be blocked at the secure email gateway or mail relay.
However, the sender address is generated dynamically as each phish is sent, which defeats blocking based on the sender address alone. In this instance, focusing on the static elements of the attempt (the sending IP, the spoofed display name and the subject line) is the best course of action for preventing an attack of this kind from reaching the end user.
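As an added illustration of that point (this is example code written for this page, not part of the Cofense post or its tooling), the function below scores raw messages on the campaign’s static elements, the gateway-observed sending IP, the spoofed display name and a password-expiry subject, and deliberately ignores the From address, which changes per message. The IP addresses, domains and message samples are constructed placeholders; the post publishes no real indicators.

```python
"""Flag a phish by its static elements, not its ever-changing sender address.

Added example, not code from the Cofense post. All indicators, hosts and
sample messages below are constructed for illustration only.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed indicators standing in for the campaign's static elements.
# The post gives no real IPs; these are documentation (TEST-NET-3) addresses.
KNOWN_SENDING_IPS = {"203.0.113.45", "203.0.113.46"}
SPOOFED_DISPLAY_NAMES = {"authentication support"}
SUBJECT_PATTERN = re.compile(r"password .* (expire|expiring)", re.IGNORECASE)

# Matches the bracketed IP a receiving MTA records in its Received header.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """Return the IP recorded by the first (topmost) Received header.

    MTAs prepend Received headers, so the topmost one was written by our own
    gateway and is the only hop the sender could not forge.
    """
    for value in msg.get_all("Received", []):
        m = RECEIVED_IP.search(value)
        if m:
            return m.group(1)
    return None


def score(raw):
    """Return the list of static indicators matched by a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []

    ip = connecting_ip(msg)
    if ip in KNOWN_SENDING_IPS:
        hits.append(f"sending-ip:{ip}")

    # Match on the display name; the address part is randomised per message,
    # so it is intentionally not used as an indicator.
    name, _addr = parseaddr(msg.get("From", ""))
    if name.strip().lower() in SPOOFED_DISPLAY_NAMES:
        hits.append(f"display-name:{name}")

    if SUBJECT_PATTERN.search(msg.get("Subject", "")):
        hits.append("subject:password-expiry")

    return hits


# Constructed samples: same static elements, different From addresses.
SAMPLE_PHISH = [
"""Received: from mail.example-sender.test ([203.0.113.45]) by mx.example.test
Received: from localhost by mail.example-sender.test
From: "Authentication Support" <support-8f2a@example-sender.test>
Subject: Authentication Support: the password for j.doe@example.test will expire today

Keep same Password: https://login.example-sender.test/reset
""",
"""Received: from mail.example-sender.test ([203.0.113.46]) by mx.example.test
From: "Authentication Support" <support-1c9d@example-sender.test>
Subject: Authentication Support: the password for a.smith@example.test is expiring

""",
]

# A constructed benign reminder from the real help desk: no indicator should fire.
SAMPLE_LEGIT = """Received: from mail.example.test ([192.0.2.10]) by mx.example.test
From: "IT Service Desk" <itsd@example.test>
Subject: Monthly reminder: update your password before Friday

"""

if __name__ == "__main__":
    for raw in SAMPLE_PHISH + [SAMPLE_LEGIT]:
        print(score(raw))
```

The key design choice is which Received header to trust: only the topmost one, written by the organisation’s own gateway, reflects the real connecting IP; anything below it is sender-supplied and can be fabricated. In production the same logic belongs in the SEG or mail-flow rules rather than a script, but the indicator selection is the same.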
Threat actors sometimes send such phishing emails from legitimate but compromised domains. Searching the sending domain via open-source intelligence (OSINT) led us to a legitimate software company based in the United States whose domain was registered in 1998. The display name, however, has been spoofed to “Authentication Support,” socially engineering the recipient into thinking the email comes from a trusted source.
Figure 2: Phishing landing page
Had Rohyt clicked the “keep same Password” hyperlink in Figure 1, he would have been redirected to the fake Microsoft login page shown in Figure 2. It looks perfectly legitimate, with all the functionality a real Microsoft login page would have. Had Rohyt entered his credentials, the page would have redirected him seamlessly to the legitimate Microsoft login page, deflecting suspicion.
Figure 3: Legitimate Microsoft loading page
We have noticed similar phishing attempts in which threat actors redirect the victim to the blue envelope image in Figure 3 immediately after credentials are submitted, so that the recipient believes their mailbox is loading.