Cofense Logo - Email Security Solutions
  • Stop Threats

    End-to-End Email Security

    Defend your organization with a complete email security solution designed to identify, protect, detect & respond to threats.

    Security Awareness Training

    Condition your workforce against today’s latest threats and transform them into your front line of defense.

    Global Intelligence Network

    Protect your organization with our deep analysis into the current threat landscape and emerging trends.

    Cofense vs. The Competition

    See why the Cofense Intelligent Email Security suite stands out against the competition 

    Business Email Compromise (BEC)

    BEC amounts to an estimated $500 billion-plus annually that’s lost to fraud. Ensure your business is protected.

    Ransomware & Malware

    Phishing is the #1 attack vector for ransomware attacks. Stop phishing attacks in their tracks.

    Credential Theft

    Protect your user’s credentials and avoid a widespread, malicious attack.

  • Solutions

    Email Security for the Enterprise

    Complete threat protection, detection and response tailored for enterprise businesses.

    Email Security for the Mid Market

    Security awareness training + email security protection purpose-built for your mid-market organizations.

    Email Security for Managed Service Providers (MSPs)

    Best-in-Class Phishing Protection and Simulations designed for MSPs, from the ground up.

    Managed Email Security Solutions

    Protect your organization from attacks with managed services from the Cofense Phishing Defense Center™.

    Detect and Stop Attacks

    Automatically identify and quarantine email threats across your organization in minutes.

    Analyze & Remediate Reported Threats

    Accelerate threat detection and response, empowering fast resolution.

    Actionable Insight into Emerging Threats

    Protect your organization with our deep analysis into the current threat landscape and emerging trends.

    Security Awareness Training

    Condition your workforce against today’s latest threats and transform them into your front line of defense.

    Security Awareness Training + Threat Protection

    Growing companies can get protection, realistic simulations and security awareness training all in one platform.

    Easily Report Suspected Threats

    Report suspicious threats with just one click.

    Empower Your Team

    Train employees through an with award-winning Learning Management System.

  • Clients

    Industries We Serve

    Businesses from all industries rely on Cofense to safeguard their teams.

    What Our Customers Say

    Global organizations trust Cofense to protect their most critical assets.

  • Resources

    Knowledge Center Hub

    Check out our resource library of solution content, whitepapers, videos and more.

    Events & Webinars

    Come see us at a local event or join us at an upcoming webinar.

    Blog

    Stay current on cybersecurity trends, market insights and Cofense news.

    Check Your SEG

    See the real threats that are currently evading your Secure Email Gateway (SEG).

  • About

    About Cofense

    Cofense stops email security threats and protects your company through our network of 35+ Million human reporters.

    News Center

    See the latest articles, press releases and more in our news center.

    Awards

    It’s an honor to be recognized in the cybersecurity market. Check out our recent awards.

    Partners

    Grow your business, drive new revenue streams, and improve your competitive posture through our Partner Program.

    Careers

    We’re looking for passionate people to join us in our mission to stop all email security threats for organizations around the globe.

    Management Team

    Get to know our management team.

Get a Demo

You Must Quarantine! Fake Office 365 Email Leads to Curiosity

Share Now

Facebook
Twitter
LinkedIn

Microsoft 365 ATP 

Microsoft 365 EOP JTNDc3R5bGUlM0UlMEF0YWJsZSUyMCUyQSUyMCU3QiUwQSUyMCUyMCUyMCUyMGZvbnQtc2l6ZSUzQSUyMDE2cHglMjAlMjFpbXBvcnRhbnQlM0IlMEElMjAlMjAlMjAlMjBmb250LXdlaWdodCUzQSUyMDMwMCUyMCUyMWltcG9ydGFudCUzQiUwQSUyMCUyMCUyMCUyMGNvbG9yJTNBJTIwJTIzMzMzJTNCJTBBJTdEJTBBJTNDJTJGc3R5bGUlM0U=By Kian Mahdavi, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has discovered a recent phishing campaign that has targeted Office 365 users and includea convincing Microsoft quarantine notification reference. The campaign was found in an environment protected by Microsoft’s own secure email gateway (SEG).  

Threat actors continue to leverage standard Microsoft notifications to entice the recipient into interacting with the email. We noticed two variants of this campaign.

Illustration of a shield and laptop for phishing awareness training

The first example displayed above in Figure 1 showcases a fairly persuasive “Digest Summary Notification.” It displays the same HTML used within the legitimate notifications sent. However, if we look past the display name and dive a little deeper into the actual “from” address, we can see that it belongs to a compromised account belonging to an environmental firm: [email protected] [.]com. We can only assume the attacker was hoping the reader wouldn’t notice the domain has no relation to Microsoft.

The example in question also illustrates a move away from the traditional narrative used to lure recipients. This attacker has opted out of using urgency language with terms such as “urgent” or “you must.” As a result, the reader may overlook the threat and become curious enough to engage with the email, opting to review the “important message.”   

Should the user hover over the “Review” option, the URL path will clearly display the redirect that has no relation to Office or Microsoft. It will instead direct the user to “googleads,” taking them immediately to the phishing landing page. We can assume the reason for this is to evade detection and bypass existing security measures with whitelisted URLs.

Illustration of data analysis and a shield for phishing incident response

Figure 2  Encoded body of email 

The second campaign is a little more unusual at first glance as the entire email body has been encoded. The attacker may have done this to evade existing security controls, assuming that, once the email was opened, it would decode to reveal the email message in plain textThe email message did not decode, revealing a rather confusing layout and raising red flags immediately. This may have been caused by a bug in the threat actors toolkit. We later decoded the text to reveal several links of which most were benign, to which we narrowed down the malicious link through trial and error that led to the matching phishing landing page below:   

 hXXps://authsignin[.]website[.]yandexcloud[.]net/ 

Illustration of fraudulent email received by a person for email phishing

As seen above in Figure 3, the phishing landing page has been carefully designed to replicate the official Office 365 login page, luring users into thinking they are authenticating via a genuine service. Assuming users logged in with their true Microsoft credentials, their personal data could unfortunately be in the hands of the threat actor. 

 Attackers are always exploring new sophisticated tools and techniques, as demonstrated in the above examples, to bypass the SEG. Cofense PDC uses human detection and auto response to remediate and quarantine such threats, and continues to evolve to stay ahead of the latest phishing and malware threats. 

Indicators of Compromise 

 

Network IOC   IP 
hXXps://googleads[.]g[.]doubleclick[.]net/pcs/click?xai=AKAOjssIdZGtK2LGw4coQMwtQcONuf8cVZUVHUrlFgT33_wiLCuxpoweUvHdBH9neY4iW-CZh2SzgITptx6j64F0B2pEU0uoeRfmKTeyn7LSG5Irubqjv6IFl9MeqTp84ZT99WRJlZDMgrwUaUI7QjgNwL22AVveJm980wuVNryiILT2WhxCPmcY8M7PVIOygAXT_382p7PUn7bIByn2OjlTfCiaqta3tAhZWCuROeXZPznm5cGhgUYspVywPb8Y8GbuT5pyEUyF89icmqe5zg&sig=Cg0ArKJSzFtr0kI2Y6Ll&adurl=https:%2F%2Fauthsignin.website%E2%80%8B.yandexcloud.net%23  172[.]2177226 
hXXps://authsignin[.]website[.]yandexcloud[.]net/  213180193247 
hXXps://auth-1304164361[.]cos[.]ap-seoul[.]myqcloud[.]com/index.html  119[.]28148128 

11928148172 

11928148150 
hXXps://authsignin[.]website[.]yandexcloud[.]net/  213180193247 
All third-party trademarks referenced byCofensewhether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship betweenCofenseand the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or differentconfigurations may be effective at stopping these or similar threats.
  
TheCofense® and PhishMe® names and logos, as well as any otherCofenseproduct or service names or logos displayed on this blog are registered trademarks or trademarks ofCofenseInc.    

Read More Related Phishing Blog Posts

1602 Village Market Blvd, SE #400
Leesburg, VA 20175

(888) 304-9422

Facebook-f Twitter Linkedin Youtube

Company

Resources

Get a Demo

Search

We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

Accept
This site is registered on wpml.org as a development site.