By Ashley Tran, Cofense Phishing Defense Center

It’s no secret that the COVID-19 vaccine is being rolled out and met with extreme enthusiasm. Some companies are reaching out to their employees personally to gauge interest in receiving the vaccine or, in some cases, signing them up to get vaccinated. As we have noted in previous Cofense blogs, threat actors have taken note and are crafting attacks impersonating these legitimate communications. A user within the Cofense Phishing Defense Center (PDC) network suspected, and reported, a phishing campaign that is weaponizing the vaccination subject line in an attempt to steal Microsoft credentials.

Figure 1

The campaign’s phishing email originates from a compromised account. The sender’s name and email address are shown plainly; nothing is hidden or obscured. Sending from a compromised account sidesteps SPF and DKIM: those checks confirm that the sending domain authorised the message, so they catch spoofed senders, not a legitimate mailbox under an attacker’s control. The authentication results on such a message will read as a pass, which is why the content itself has to be judged.

The body of the email is formatted as a typical company communication that may seem familiar. Addressed to “All Employees” on the topic of a “COVID 19 Vaccine Interest Survey,” it’s an email that users would likely be expecting given recent news of vaccine roll-outs. The wording and context seem reasonable, too. The user’s company is supposedly trying to “obtain vaccination opportunities for staff,” and the enclosed survey is meant to gauge interest in receiving the vaccine. Following the “survey” link are additional details, presumably filler to make the message appear more legitimate. There is also a deadline for completion, most likely to add urgency. Finally, the email is signed by the “Director of Human Resources.” However, the name in the signature does not match the actual sender’s name, a glaring discrepancy. This is a red flag users should look for and report.

Inspecting the survey link in the email shows that it has been rewritten by Cisco, the receiving organization’s URL-protection layer, so the raw link points at Cisco’s rewriting service rather than directly at the destination. The visible link text reads “surveymonky,” but the destination wrapped behind it redirects to:

hxxps://www[.]alraas[.]com/fpdf123/makefont/bid/login[.]php

Figure 2

When the link is clicked, the user lands on the phishing page shown in Figure 2: a generic Outlook login page. The URL in the address bar is the clearest giveaway that this is a phish; it is the alraas[.]com path above, not a Microsoft domain. Once the user has submitted credentials, the page redirects to the legitimate Office.com homepage. This redirect may lead users to believe nothing untoward has taken place and that the link in the email was simply misconfigured, so they wait for a follow-up that never comes.
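As an added example, not part of the Cofense post, the following Python script applies the three checks this write-up relies on to a constructed copy of such an email: it reads the SPF/DKIM verdicts without treating a pass as a clean bill, compares the From display name with the name in the signature block, and unwraps the Cisco URL rewrite to compare the visible link text with the true destination host. The message, names and addresses are constructed; the secure-web.cisco.com/<token>/<percent-encoded URL> rewrite layout is an assumption about the receiving organization’s mail security, and the only detail taken from the campaign is the destination path listed in the indicators below.

```python
"""Triage checks for a phish sent from a compromised account.
Added example, not Cofense code. RAW_EMAIL is constructed; the Cisco rewrite
layout https://secure-web.cisco.com/<token>/<percent-encoded URL> is assumed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: SPF/DKIM pass because a real mailbox sent it, yet the
# signer and the link destination do not match what the reader is shown.
RAW_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example;
 dkim=pass header.d=partner.example
From: Jordan Lee <jordan.lee@partner.example>
Subject: COVID 19 Vaccine Interest Survey
Content-Type: text/html; charset="utf-8"

<html><body><p>All Employees,</p>
<p>We are trying to obtain vaccination opportunities for staff. Please complete the
<a href="https://secure-web.cisco.com/1aB2cD3eF/https%3A%2F%2Fwww.alraas.com%2Ffpdf123%2Fmakefont%2Fbid%2Flogin.php">surveymonky</a>
by Friday. Questions go to the <a href="https://intranet.example.com/hr">HR intranet</a>.</p>
<p>Regards,<br>Sam Rivera<br>Director of Human Resources</p></body></html>
"""

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts. 'pass' means the sending domain authorised the
    message, not that the mailbox owner wrote it."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg["Authentication-Results"] or "")))

def unwrap_cisco(url):
    """Recover the original destination from a Cisco-rewritten link (assumed layout)."""
    parts = urlsplit(url)
    if parts.netloc.lower() == "secure-web.cisco.com":
        _token, _, encoded = parts.path.lstrip("/").partition("/")
        if encoded:
            return unquote(encoded)
    return url

def link_findings(html):
    """Flag links whose visible text reads like a destination (bare word or
    domain) but whose real host shares no token with that text."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not re.fullmatch(r"[\w.-]+", text):
            continue  # 'HR intranet', 'click here': text implies no destination
        host = urlsplit(unwrap_cisco(href)).netloc.lower()
        tokens = re.findall(r"[a-z]{4,}", text.lower())
        if tokens and not any(t in host for t in tokens):
            findings.append(f"link text {text!r} actually goes to {host}")
    return findings

def signature_name(html):
    """Name on the line above a job title in the sign-off, or None."""
    text = re.sub(r"<[^>]+>", "", re.sub(r"(?i)<br\s*/?>|</p>|</div>", "\n", html))
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i in range(1, len(lines)):
        if re.match(r"(?i)(director|head|manager|chief|vp)\b", lines[i]):
            return lines[i - 1]
    return None

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    html = msg.get_content()
    sender, signer = parseaddr(str(msg["From"]))[0], signature_name(html)
    findings = []
    if signer and signer != sender:
        findings.append(f"signed by {signer!r} but sent from {sender!r}")
    findings += link_findings(html)
    return {"auth": auth_results(msg), "sender": sender, "signer": signer, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the constructed message, the authentication verdicts are all “pass” and yet two findings come back: the sign-off name differs from the From display name, and the link the reader sees as “surveymonky” resolves, once the Cisco wrapper is removed, to www.alraas.com. The benign intranet link is left alone because its visible text makes no claim about where it goes. The signature heuristic is deliberately simple (it keys on a job-title line) and will need tuning for other sign-off styles.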

This campaign shows that threat actors are constantly employing tactics to make their attacks less obvious. With Cofense Managed Phishing and Defense, provided through our Phishing Defense Center (PDC), enterprises benefit from our complete view of real phish. Threats like the one outlined here will be stopped dead in their tracks because a conditioned user quickly identified this as suspicious and reported the email. This is why, in five years, no customer using the Cofense PDC has experienced a breach resulting from a phishing attack.

We’re here to help. To learn more about our phishing-detection-and-response track record, reach out any time.

Indicators of Compromise

URL: hxxps://www[.]alraas[.]com/fpdf123/makefont/bid/login[.]php
IP:  184[.]107[.]112[.]63
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.