Proofpoint
Microsoft 365 ATP
By: Kian Mahdavi, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has witnessed a surge in Coronavirus phishing campaigns found in environments protected by Proofpoint and Microsoft Office 365 ATP. While these Secure Email Gateways (SEGs) are designed to safeguard end users from clicking on malicious links and attachments, both failed to stop a new phishing attack we recently observed.
Figure 1 – Proofpoint SEG within the Email Header
Figure 2 – Extracted Information in Email Header
The extracted header information above in Figure 2 displays fragments of the email from the received path. The threat actor spoofed the domain splashmath[.]com (an online learning game for children) with a spoofed IP address of 167[.]89[.]87[.]104, which is located in the United States. For this reason, the email slipped past basic security checks, such as DKIM and SPF, as shown in Figure 2. The threat actor inserted keywords such as “who” and “community” into the sender email address to manipulate the user into thinking it is from the World Health Organization.
Upon further investigation of the email header, the originating IP address of 88[.]119[.]86[.]63 was found to be from the Lithuanian city of Kaunas, as shown below in Figure 3. The phishing email was sent to different individuals, each with the same originating IP address, indicating the likelihood of a single threat actor carrying out these attacks.
Figure 3 – Originating IP Address
The body of the email in Figure 4, as shown below, urges the user to find out if there are cases of COVID-19 in their local area by clicking on ‘Read on’. When the end user clicks, they are led to believe that they will be directed to an updated WHO document. However, the user is actually directed to a Microsoft-branded credential phish that steals their Microsoft log-in information.
The subject of the email is “HIGH-RISK: New confirmed cases in your city,” followed by the spoofed WHO email address and display name (who[.]int-community[.][email protected] splashmath[.]com), thus making it appear as if the sender is really from the World Health Organization. The email does not contain any greeting addressed to the recipient, such as “Good Morning” or “Dear…”, indicating that this is a mass-email attack sent to many individuals. In addition, an image that would normally have loaded is missing; however, in these stressful circumstances, individuals may overlook this and click on the “Read on” link.
Figure 4 – Email Body
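The lookalike sender described above can be caught mechanically: the local part and display name borrow tokens from the impersonated brand (who, int, community) while the actual sending domain is something else. The following is an added example, not code from the Cofense post; the sample local part is a constructed stand-in for the obfuscated address shown in the post, and the token lists are assumptions.

```python
# Added example (not from the Cofense post): flag From headers whose local part
# or display name borrows brand tokens from an impersonated domain while the
# real sending domain differs, as in the WHO lookalike sent via splashmath[.]com.
import re
from email.utils import parseaddr

# Brand domain -> tokens a lookalike typically borrows from it (assumed list).
BRAND_TOKENS = {
    "who.int": {"who", "int", "community"},
}


def refang(value: str) -> str:
    """Turn defanged IOC notation ([.], hXXp) back into a usable string."""
    return value.replace("[.]", ".").replace("hXXp", "http")


def impersonation_findings(from_header: str) -> list:
    """Return findings for one From header; an empty list means no lookalike seen."""
    display_name, address = parseaddr(refang(from_header))
    if "@" not in address:
        return ["unparseable From address"]
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    # Tokenise local part + display name on dots, dashes, underscores and spaces.
    tokens = set(re.split(r"[.\-_\s]+", (local_part + " " + display_name).lower())) - {""}
    findings = []
    for brand_domain, brand_tokens in BRAND_TOKENS.items():
        if domain == brand_domain or domain.endswith("." + brand_domain):
            continue  # genuinely sent from the brand's own domain
        hits = sorted(tokens & brand_tokens)
        if len(hits) >= 2:  # two borrowed tokens keeps "who" alone from alerting
            findings.append(
                f"sender borrows {hits} from {brand_domain} but domain is {domain}"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the post's sender (local part is assumed).
    print(impersonation_findings("who[.]int-community[.]alerts@splashmath[.]com"))
```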
Network Indicators of Compromise (IOCs):
Users are under the impression that by clicking on the ‘Read on’ link, they will be redirected to:

| Hosted URL | IP Address |
| --- | --- |
| hXXp://o[.]splashmath[.]com/ls/click?upn=H2FOwAYY7ZayaWl4grkl1LazPuy6jduhWjWPwf0O2D | 167[.]89[.]118[.]52, 167[.]89[.]123[.]54 |
The users are instead forwarded to one of the following malicious redirects:

| Credential Phishing Page URL | IP Address |
| --- | --- |
| hXXps://heinrichgrp[.]com/who/files/af1fd55c21fdb935bd71ead7acc353d7[.]php | 31[.]193[.]4[.]14 |
| hXXps://coronasdeflores[.]cl/who | 186[.]64[.]116[.]135 |
| hXXps://www[.]frufc[.]net/who/files/61fe6624ec1fcc7cac629546fc9f25c3[.]php | 87[.]117[.]220[.]232 |
| hXXps://pharmadrugdirect[.]com/who | 31[.]193[.]4[.]14 |
| hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php | 82[.]166[.]34[.]188 |
A quick Google search reveals that the last phishing page listed above (hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php) shows “WordPress” in its search-result description (Figure 5), a potential red flag for a savvy end user.
Figure 5 – Google Search of the Phishing Page
As shown in Figure 6 below, recipients are presented with a high-quality, spoofed Microsoft login page. The user’s email address is carried in the URL of the page, so the individual’s username automatically appears in the login box. Upon logging in, the user is under the impression he or she has been authenticated into a legitimate Microsoft website. At this point, the user’s credentials are unfortunately in the hands of the threat actor.
Figure 6 – Final Phishing Page
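The IOC tables above share a recognisable shape: a click-tracker redirect (`/ls/click?upn=...`), a `/who` directory on an unrelated domain, `/who/files/<32 hex>.php` landing pages, and a final page that carries the victim’s address in the URL. The following added example (not code from the Cofense post) tags URLs that fit those shapes; the benign URL and the appended victim address are constructed.

```python
# Added example (not from the Cofense post): tag URLs that match the path shapes
# seen in this campaign's IOC tables, plus a victim address carried in the URL.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LANDING_RE = re.compile(r"^/who(?:/files/[0-9a-f]{32}\.php)?/?$")
TRACKER_RE = re.compile(r"^/ls/click$")
EMAIL_RE = re.compile(r"[^@\s/?#&=]+@[^@\s/?#&=]+\.[a-z]{2,}", re.I)


def refang(value: str) -> str:
    """Turn defanged IOC notation (hXXp, [.]) back into a real URL."""
    return value.replace("hXXp", "http").replace("[.]", ".")


def classify_url(defanged_url: str) -> dict:
    """Return the URL, its host and the campaign tags it matches (empty = no match)."""
    url = refang(defanged_url)
    parts = urlsplit(url)
    tags = []
    if TRACKER_RE.match(parts.path) and "upn" in parse_qs(parts.query):
        tags.append("click-tracker-redirect")
    if LANDING_RE.match(parts.path):
        tags.append("who-lure-landing-page")
    # The final page pre-fills the username from the URL (Figure 6), so an
    # address in the query or fragment identifies the targeted user.
    for victim in EMAIL_RE.findall(unquote(parts.query + " " + parts.fragment)):
        tags.append(f"victim-email-in-url:{victim}")
    return {"url": url, "host": parts.hostname, "tags": tags}


# Constructed sample set: the post's defanged IOCs, one benign lookalike path,
# and one landing URL with a made-up victim address appended.
SAMPLE_URLS = [
    "hXXp://o[.]splashmath[.]com/ls/click?upn=H2FOwAYY7ZayaWl4grkl1LazPuy6jduhWjWPwf0O2D",
    "hXXps://heinrichgrp[.]com/who/files/af1fd55c21fdb935bd71ead7acc353d7[.]php",
    "hXXps://coronasdeflores[.]cl/who",
    "hXXps://ee-cop[.]co[.]uk/who/files/3b9f575dac9cc432873f6165c9bed507[.]php#victim@example.com",
    "hXXps://www[.]example[.]com/who-we-are",
]


def triage(urls=SAMPLE_URLS) -> list:
    """Classify every URL and keep only those that matched at least one tag."""
    return [r for r in (classify_url(u) for u in urls) if r["tags"]]


if __name__ == "__main__":
    for hit in triage():
        print(hit["host"], hit["tags"])
```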
HOW COFENSE CAN HELP
Cofense has created the Coronavirus Phishing Infocenter with examples of real Coronavirus phishing scams, an infographic illustrating 5 signs of these phish, a publicly available YARA rule, and much more.
75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom: condition end users to be resilient to credential harvesting attacks with Cofense PhishMe. To remove the blind spot, get visibility of attacks with Cofense Reporter.
Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.
Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received YARA rule PM_Intel_CredPhish_37315 and further information about this threat in Active Threat Report (ATR) 37315.
Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.