The Tactics of a Prolific Phishing Campaign Abusing Dropbox

Cofense Intelligence™ Strategic Analysis

During August and September of 2022, Cofense observed an effective credential phishing campaign abusing Dropbox and reaching end users across many industries. The threat actor(s) behind the campaign have put considerable effort into increasing the chances of successfully stealing the email login credentials of enterprise users. By utilizing various tactics, techniques, and procedures (TTPs), the phishing emails have been very successful at reaching inboxes. These phishing emails reached inboxes in August at a volume far outscaling any other campaign that Cofense has seen effectively abuse Dropbox this year. However, monthly volume from this phishing campaign has been inconsistent, dropping drastically from August to September.

Figure 1: Overall Volume of Phishing Emails Abusing Dropbox and Successfully Reaching Inboxes.
 

Compared to other campaigns abusing Dropbox, the volume of phishing emails within this campaign that are reaching end users attained a peak that we haven’t seen since early 2021. Figure 1 shows a comparison of phishing emails that are reaching users’ inboxes and abusing Dropbox from June 2020 to September 2022. February 2021 marks the highest peak in volume. This particular campaign emerged in early August 2022, resulting in a spike in volume that nearly surpassed the previous high. While it now appears to be tapering off, it is worthwhile to look back and consider the components of a campaign that reached inboxes so effectively.

Evasive TTPs

This campaign utilizes multiple TTPs known to increase the likelihood that the phishing emails reach the intended targets:

  • Trusted Domains – By abusing a well-known file hosting service like Dropbox, threat actors are able to host malicious content on a “trusted” domain. A domain is considered trusted when its primary use is legitimate. The use of these URLs can disrupt security measures that rely on automation, since the domain cannot be blocked outright, and every URL must be analyzed individually. The use of Dropbox URLs can also create a sense of legitimacy for end users, making the phishing attempt all the more convincing.
  • URL Redirection – The use of multi-layered links and redirection, multi-layered compression, and multi-layered encoding has become a common anti-analysis tactic. Secure email gateways (SEGs) have the ability to follow redirections and analyze multi-step phishing campaigns, but there are usually limits on the number of redirections a SEG will follow. This campaign combines the abuse of a trusted platform with multiple redirections. The embedded Dropbox link is not outright malicious, but it does start a redirection chain ending with a phishing page that harvests email login credentials.
  • Blob URLs – Threat actors for this campaign have included an additional step within the URL redirection to create a Blob (Binary Large Object) for the phishing URL. A Blob URL allows Blob and File objects to be used as a URL source for data, images, etc. This step is not used for every email within the campaign, but when it is, it may serve as an anti-analysis and evasion technique. The first redirect starts the process of creating the Blob and uses JavaScript code to build it. This process is not likely to be noticed without tracking network traffic, meaning an everyday user is unlikely to notice. The key indicator that this process has occurred is that the phishing URL will have “blob:” in the address bar of the browser.

The combination of these tactics can disrupt security analysis, and often results in the phishing email reaching the end user. Compromising employee credentials can lead to more high-level threats, potentially resulting in broader organizational compromise and financial loss.

Breakdown of the Phishing Campaign

This phishing campaign is well crafted and widespread, reaching enterprise users in many industries. The threat actors behind the phish have put in significant effort compared to ordinary phishing campaigns. The phishing emails tend to vary, as there seem to be multiple email templates used for this campaign. From an end user point of view, some of the more convincing email themes being used are e-sign documents, fax notifications, project acknowledgements, and themes spoofing legitimate Dropbox emails.

Figure 2 and Figure 3 below are both phishing emails from this campaign that were found in environments protected by SEGs. The first email (Figure 2) is convincing, appearing similar to a legitimate Dropbox shared file email. Employees that use Dropbox regularly may recognize this template and even feel safe interacting with it. Figure 3 is an example of an email spoofing Adobe Acrobat e-sign, suggesting that the recipient has financial documents that need to be signed. These are two of several email templates that have been seen within this campaign. At first glance, they appear to vary greatly. However, both contain Dropbox links that lead to a similarly hosted file which, when interacted with, will redirect to a credential phishing page.

Figure 2: Dropbox-spoofing phishing email with embedded Dropbox link.
 

Figure 3: Fax-themed phishing email with embedded Dropbox link.

The threat actor’s use of such a wide variety of email templates makes it difficult to educate users on email appearance alone. Education should therefore focus on the phishing tactics being used, and to do that it is important to understand the lure within the phishing emails.

Table 1 shows some of the commonly seen subjects in this phishing campaign. The subjects almost always reference a shared file, which complements the threat actors’ use of Dropbox links. They also include some reference to the recipient’s name, employer, or other identifiable information to give the emails a more legitimate appearance.

Table 1: List of commonly seen email subjects in Dropbox phishing campaign.

Commonly Seen Email Subjects in Dropbox Phishing Campaign
Shared Files with ‹recipient name or identifiable information›
DISITRUBUTED PROJECT FILES FROM ‹recipient name or identifiable information›
Distributions Acknowledgement from ‹recipient name or identifiable information›
Acknowledgement Project From ‹recipient name or identifiable information›
Acknowledgement For Project #55627 From ‹recipient name or identifiable information›
Acknowledgement Project For ‹recipient name or identifiable information›
Project Files From ‹recipient name or identifiable information›
Statement From ‹recipient name or identifiable information›
‹recipient name or identifiable information› shared “‹filename›.paper” with you

Figure 4: Common words in email subjects of Dropbox phishing campaign.

The embedded Dropbox links in these emails follow one of two Dropbox URL directory paths, /scl/fi/ and /l/scl/. These links can be created by manually uploading files to Dropbox and sharing the links, or by using the Dropbox API. The directory paths alone can’t be used as indicators of compromise (IOCs) because they are also found in legitimate Dropbox URLs. However, as commonalities in this campaign, they may be useful in separating it from other campaigns that abuse Dropbox. For instance, a standard PDF uploaded to Dropbox and shared will have a directory path of /s/, which is not used in this campaign. Below are two examples of full IOCs from this campaign:

hxxps://www[.]dropbox[.]com/scl/fi/tz8lf0mlh36qk3imtvree/Your-mail-Password-is-set-to-expire-today[.]paper?dl=0&rlkey=6x59wvwcr6yggtbnz6eh2wmpe

hxxps://www[.]dropbox[.]com/l/scl/AADV6XwJtJ583LJwbC9ucdLRsjs52-St6LI

These links are often hidden in the email behind anchor text that follows the email theme, like “view file” or “see agreement”. Once a user interacts with the link, they will be brought to a file hosted on Dropbox like the one shown in Figure 5. This page in turn contains a clickable link that will start the redirection process, taking the user to a well-crafted credential phishing page like the one in Figure 6. These phishing sites are most often hosted on compromised domains and exfiltrate credentials to a PHP panel hosted on another compromised domain.

Figure 5: Dropbox site that redirects to phishing page.
 

Figure 6: Phishing page used to harvest email login credentials.
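As an added example (not part of the Cofense report), the following Python triage script applies the path-based observations above to embedded links and subject lines: it refangs a defanged indicator, separates the campaign-consistent /scl/fi/ and /l/scl/ paths from a standard /s/ share, pulls the shared file name out of /scl/fi/ links, and matches subjects against the Table 1 templates. The lure-word list and subject regexes are assumptions drawn from the report's examples; the two Dropbox IOCs are the ones quoted above.

```python
"""Triage of Dropbox links and subject lines from suspect emails.

Added example, not Cofense code. It encodes the report's observation that links
in this campaign use the /scl/fi/ or /l/scl/ directory paths, whereas an
ordinary shared PDF uses /s/, and that subjects follow the Table 1 templates.
"""
import re
from urllib.parse import unquote, urlparse

# Directory paths the report associates with this campaign vs. a standard share.
CAMPAIGN_PATHS = ("/scl/fi/", "/l/scl/")
STANDARD_SHARE_PATH = "/s/"

# Assumption: lure words drawn from the report's file name and subject examples.
LURE_WORDS = ("password", "expire", "agreement", "statement", "acknowledg")

# Assumption: regexes written from the Table 1 subject templates (case-insensitive).
SUBJECT_PATTERNS = [
    r"^shared files with\b",
    r"^dis\w* project files from\b",            # also catches the misspelt "DISITRUBUTED"
    r"\backnowledge?ment\b.*\b(project|from)\b",
    r"^project files from\b",
    r"^statement from\b",
    r"\bshared .+\.paper.? with you\b",
]

# The two defanged IOCs quoted in the report.
SAMPLE_LINKS = [
    "hxxps://www[.]dropbox[.]com/scl/fi/tz8lf0mlh36qk3imtvree/"
    "Your-mail-Password-is-set-to-expire-today[.]paper?dl=0&rlkey=6x59wvwcr6yggtbnz6eh2wmpe",
    "hxxps://www[.]dropbox[.]com/l/scl/AADV6XwJtJ583LJwbC9ucdLRsjs52-St6LI",
]


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def classify_dropbox_link(url: str) -> dict:
    """Return a triage record for one link; non-Dropbox links are reported as such."""
    parsed = urlparse(refang(url))
    host = parsed.netloc.lower()
    record = {"url": url, "host": host, "dropbox": False, "path_class": "n/a",
              "filename": "", "lure_words": [], "score": 0}
    if host not in ("www.dropbox.com", "dropbox.com"):
        return record
    record["dropbox"] = True
    path = parsed.path
    if path.startswith(CAMPAIGN_PATHS):
        record["path_class"] = "campaign-consistent"
        record["score"] += 1
    elif path.startswith(STANDARD_SHARE_PATH):
        record["path_class"] = "standard-share"
    else:
        record["path_class"] = "other"
    # /scl/fi/<id>/<filename> carries the shared file name; /l/scl/<token> does not.
    segments = [unquote(s) for s in path.split("/") if s]
    if len(segments) >= 4 and segments[:2] == ["scl", "fi"]:
        record["filename"] = segments[3]
    name = record["filename"].lower()
    record["lure_words"] = [w for w in LURE_WORDS if w in name]
    if record["lure_words"]:
        record["score"] += 1
    # Both quoted lures pointed at a shared Dropbox Paper document (.paper).
    if name.endswith(".paper"):
        record["score"] += 1
    return record


def subject_matches_campaign(subject: str) -> bool:
    """True when the subject follows one of the Table 1 templates."""
    return any(re.search(p, subject.strip(), re.IGNORECASE) for p in SUBJECT_PATTERNS)


def triage_email(subject: str, urls: list) -> dict:
    """Combine subject and link findings into one verdict for an email."""
    links = [classify_dropbox_link(u) for u in urls]
    link_score = max((r["score"] for r in links), default=0)
    subject_hit = subject_matches_campaign(subject)
    score = link_score + (1 if subject_hit else 0)
    if score >= 2:
        verdict = "likely campaign"
    elif score == 1:
        verdict = "suspicious"
    else:
        verdict = "no campaign indicators"
    return {"subject_matches": subject_hit, "links": links, "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = triage_email("Shared Files with Acme Corp", SAMPLE_LINKS)
    print(result["verdict"], result["score"])
    for r in result["links"]:
        print(r["path_class"], r["filename"] or "-", r["lure_words"])
```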

Scammers Utilize Wufoo for Vacation Request Phish

As holiday season ramps up, phishing scams related to PTO are expected to increase.

Missed By: Microsoft

Industry: Mining and Heavy Industries

By Kian Buckley-Maher, Cofense Phishing Defense Center

A phish recently noted by the Phishing Defense Center (PDC) utilizes the online form builder Wufoo, a tool commonly associated with easily created surveys and online registration forms. Threat actors have used Wufoo to create simplistic but effective credential-stealing vectors.

Phishing Email

The email itself (Figure 1) uses basic language informing the user that they need to save a copy and submit any further time-off requests through it, which enables the threat actor to gain credentials even after any future mandatory password reset, a common feature in many organisations.

To instill a sense of urgency, it states that all requests for the subsequent two months need to be submitted through this method, so any users planning anything in the next few months will be compelled to download and input all the required information. As we head into the holiday season, this becomes even more timely. In addition, the user is requested to keep a copy of the form for any future time-off requests, as the requests are to be submitted during a two-month period. This also aligns with the typical 90-day password reset policies enabled in many organizations, and as such the threat actors ensure access to accounts even if a password reset has occurred.

Figure 1: Email Image

Looking at the header, we see the sender is utilising a generic alias to impersonate ‘Human Resources’, a typical naming convention used by organizations for company-wide communications such as this one.

Phishing Page

As seen in Figure 2, the form itself contains very few identifying marks such as branding or company logos, which threat actors in most cases use to increase the likelihood of interaction from the recipient. The simplicity of this time-request form allows the phish to reach further than most, with little modification needed between phishing campaigns, unlike a more stylised and complex corporate communication would require.

After entering the required fields, the user is also required to enter their email address in order to submit the form. Most organizations today utilize their self-service Payroll or HR portal to collect this information. This was most likely what indicated to the recipient that the email was suspicious, and they reported it via the Reporter button in Outlook.

Figure 2: Main Phishing Page

Once the user has provided all the required information, they will be presented with a page to input their account password to send the request, and the user’s account credentials will be compromised.

Conclusion

The PDC continues to observe these kinds of phishing emails over the summer months, and as we look toward the end of year and the upcoming holiday season, we expect these campaigns to increase once again.

Due to the nature of these campaigns and their relative simplicity, they can be expected to be successful in organisations without proper phishing training and adequate phishing defences.

 

Indicators of Compromise
hXXps://xhrreview[.]wufoo[.]com/forms/m1cgigu51jrr9hf/

Threat actors abuse LinkedIn slink (Smart Link) to bypass Secure Email Gateways (SEGs)

Industry: Insurance and Finance

By Tej Tulachan, Cofense Phishing Defense Center

A noteworthy phishing campaign that abuses LinkedIn smart link redirects was recently observed by the Cofense Phishing Defense Center. This new, targeted campaign illustrates that while exploiting a well-known postal brand is nothing out of the ordinary, such phishing emails continue to go undetected by popular email gateways designed to protect end users.

Threat actors attempt to entice users into believing that the Slovakian Postal Service is requesting pending shipping costs. This is a very adaptable strategy due to LinkedIn’s slink feature and the variety of postal brands available. Threat actors abuse legitimate LinkedIn features with added unique alphanumeric variables at the end of the URL to redirect users to malicious websites. This is a clever tactic to bypass secure email gateways by abusing a commonly trusted source; users can avoid falling for this attack by checking the embedded hyperlinks with extra precaution.

Email Body

Figure 1: Phishing Email

Translation:

The shipment is waiting for delivery

Slovak Post took the initiative and sent you this e-mail to inform you that your shipment is still waiting for your instructions.

Ref. C.: SK66902371WS

Shipping costs: €02.99

Confirm payment of shipping costs by clicking on the following link:

Confirm here

As seen in Figure 1, the email was sent in Slovak. Although we can see that the recipient has a shipment waiting to be delivered, the order can only be fulfilled with payment. The threat actor even added features to the email, including the fictitious reference number, to give the impression of legitimacy.

When the header information is examined more closely, it becomes clear that the threat comes from sis[.][email protected]. The threat actor is spoofing Slovenská Posta to appear authentic to the recipient.

As we examine more closely, we can notice that the message content contains the embedded smart link URL hxxps://www[.]linkedin[.]com/slink?code=g4zmg2B6/ under “Confirm here”.

The LinkedIn “Smart Link” feature allows users to redirect to legitimate websites to promote their website or advertisements. Threat actors, however, have different ideas and redirect users to malicious sites in an attempt to steal personal information. The threat actor’s choice of LinkedIn smart links is an effective way to get past the secure email gateway, since many security protection tools are unlikely to block the URL. At the time of writing, the malicious URL in question is still live.

Phishing Page

Users are taken to the initial phase of this attack when they click the “Potvrd’te tu” button, as seen in Figure 1. The users are enticed to enter their bank card information to finalize the shipment order when they get to the payment page as seen in Figure 2.

Figure 2: Phishing page

In the final stage of the attack, the card details are entered and posted to the following address: hXXps://sk-1-b9833c[.]ingress-florina[.]ewp[.]live/login/cc/6c0924840f28f96026147e2cde8420af/card[.]php. The user is then redirected with a message informing them that their payment has been received and asking for a fake SMS code sent to their telephone number, as illustrated in Figure 3 (translated). Whatever digits are entered on this page, the user will be redirected to a final fake confirmation page (Figure 4), thereby deflecting suspicion.

Figure 3: Submit Telephone number

Figure 4: Fake confirmation

The phishing landing page was intended to resemble the authentic Slovak Post site; however, upon further examination, we found that the given URL does not correspond to the legitimate Slovak Post URL https://tandt.posta.sk/en, as shown in Figure 5.

Figure 5: Legit Slovak Post

Because the threat actor is exploiting the official LinkedIn smart link service, the phishing page is still up and running. This campaign serves as an example of how secure email gateways can potentially be outmaneuvered in the absence of an extra layer of defence provided by human sensors who can identify and report any odd emails and links that land in their inboxes.

 

Indicators of Compromise (URL followed by hosting IP)
hXXps://www[.]linkedin[.]com/slink?code=g4zmg2B6
hXXps://sk-1-b9833c[.]ingress-florina[.]ewp[.]live/login/cc/6c0924840f28f96026147e2cde8420af/index[.]php?id=BO0uBtRF3f7 63[.]250[.]43[.]136
hXXps://sk-1-b9833c[.]ingress-florina[.]ewp[.]live/login/cc/6c0924840f28f96026147e2cde8420af/card[.]php 63[.]250[.]43[.]137

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Credential Phishing Targeting Government Contractors Evolves Over Time

By: Cofense Intelligence

Threat actors are running a series of campaigns spoofing several departments of the United States government. The emails claim to request bids for government projects but lead victims to credential phishing pages instead. These campaigns have been ongoing since at least mid-2019 and were first covered in our Flash Alert in July 2019. These advanced campaigns are well crafted, have been seen in environments protected by secure email gateways (SEGs), are very convincing, and appear to be targeted. They have evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.

Email Contents: More Convincing, More Evasive

Figure 1: Initial Email of Most Recent Campaign

The campaigns targeted companies across a variety of sectors but focused most heavily on the energy and professional services sectors, including construction companies. The attackers likely targeted companies which could credibly receive invitations to bid from the relevant government department. The emails spoofed the U.S. Departments of Labor, Commerce, or Transportation. This was evident in the sender’s name and email address (as seen in Figure 1) as well as in the email signature. Sender email addresses for these campaigns originally appeared to be hosted on [.]us domains such as openbids[@]dol-gov[.]us, but towards the end of 2021, the addresses were more consistently spoofed as coming from a [.]gov email address like no-reply[@]dot[.]gov. These emails were typically sent from IP addresses hosted by the Hivelocity Inc ASN. In some cases, the service located at the sending IP address identified itself as a Microsoft IIS Windows server. Early emails had more simplistic email bodies without logos and with relatively straightforward language. The more recent emails made use of logos, signature blocks, consistent formatting, and more detailed instructions. Recent emails also include links to access the PDFs rather than directly attaching them.

 

PDF Contents: Lures Appear More Authentic

Figure 2: First Page of an Attached PDF

PDFs attached to these emails have changed over time. Within recent emails, the first page (seen in Figure 2) is typically the logo of the spoofed government department with additional information about the bid. The second page (shown in Figure 3) typically contains information about the process and will lure victims into clicking the link. In older versions, the PDFs were usually 1 or 3 pages. They contained more technical information about the bidding process, a signature of the spoofed sender, and a watermark of the spoofed department.

 

Figure 3: Second Page of an Attached PDF with Embedded Link to Credential Phishing Page
 

Figure 4: Targeted Sector by Spoofed Department

The metadata of the PDFs provides additional interesting information, as well as evidence of advancements in the threat actor’s TTPs. Older PDFs had little customization, and all listed the same “edward ambakederemo” as the author of the document. In the most recent PDFs, both the attached and downloaded versions, there is spoofed information more relevant to the recipient. The author is listed as “WisDOT”, the company is listed as “Wisconsin Department of Transportation”, and the subject, title, and description are all listed as “WisDOT Procurement – Invitation for Bid Toolkit”. The new information is an almost exact match with the metadata associated with an authentic invitation-for-bid toolkit PDF published by Wisconsin DOT. The change from using PDFs with consistent metadata for multiple campaigns to using customized metadata that appears authentic and is relevant to the specific campaign shows clear advancement in the TTPs of the threat actor.

 

Credential Phishing Page: Improved “Login” Process

In each case, the initial page of the phish is a copy of the home page of the spoofed department with the addition of a single red button encouraging victims to click it in order to bid. In cases spoofing the Department of Labor, the spoofed page (Figure 6) is a near duplicate of the legitimate DoL page (Figure 5) from about a year ago, but shows the added button. When victims click the link, they are taken to a different page on the same malicious domain (Figure 7), or in the case of some of the older pages, a popup window showing a page still on the same domain. The use of HTTPS ensures that a green padlock will appear, further giving the page a sense of legitimacy. The domains used for the phishing pages and for the links embedded in the PDF are specifically chosen to emulate government-bid-related themes. Therefore, they often include the department spoofed (such as dol) and “bid”. In addition to the URL seen in Figure 5, there were also URLs including .gov in the subdomain such as transportation[.]gov[.]bidprocure[.]secure[.]akjackpot[.]com, which has a purposefully long subdomain that could make only the part of the URL with .gov in it appear in the URL bar in smaller browser windows.

Figure 5: Legitimate Department of Labor Website from July 2021

Figure 6: Spoofed Department of Labor Home Page with Additional Button
 

Figure 7: Credential Request Form

The page helpfully informs victims that it will accept Microsoft Office (i.e., corporate) credentials. This would appear in a popup window in some of the older pages. This initial page is consistently hosted at “/bidwindow.htm”. Subsequent pages (at the URL paths “/openbid.php” and “/completegen.html”) ask victims to re-enter credentials.

Figure 8: Captcha Challenge After Credentials Are Entered

Victims are then prompted with a captcha to verify that they are indeed human. This captcha is always hosted at “/bidwindowverify.htm”. After the captcha is complete and the credentials are exfiltrated, victims are redirected to the legitimate page of the relevant government department. After being redirected to the relevant government department’s website, victims are left to wonder if their credentials were accepted for the bid or if something else entirely happened. Specific instructions in the PDF inform victims that submitting twice is likely to cause the whole process to fail, discouraging victims from trying again. The original credential phishing pages lacked multi-step processes and captcha checks, and had limited interactions. Instead, the credential harvesting form was hosted on the initial landing page. The improvements over time have made the pages more likely to trick victims into entering credentials, and victims less likely to realize after the fact that they have fallen for a phish.
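As an added example (not Cofense code), the following Python script turns two of the observations above into detection logic: it flags hostnames that bury “.gov” inside a long subdomain of a non-.gov registrable domain, and it walks a web-proxy log to find clients that traversed the /bidwindow.htm, /openbid.php or /completegen.html, and /bidwindowverify.htm page sequence. The log lines and client addresses are constructed; the registrable-domain rule (last two labels) is a simplification standing in for a Public Suffix List lookup.

```python
"""Detection of the spoofed government-bid phishing chain in web proxy logs.

Added example, not Cofense code. It encodes two observations from the report:
(1) lookalike hostnames that place ".gov" inside a long subdomain of a non-.gov
registrable domain, and (2) the fixed page sequence /bidwindow.htm ->
/openbid.php or /completegen.html -> /bidwindowverify.htm. Log lines are constructed.
"""
import re
from collections import defaultdict

# Page paths the report lists for the landing, re-entry and captcha stages, in order.
CAMPAIGN_PAGES = ["/bidwindow.htm", "/openbid.php", "/completegen.html", "/bidwindowverify.htm"]
# Assumption: tokens for the departments the report says were spoofed.
DEPARTMENT_TOKENS = ("dol", "dot", "doc", "labor", "commerce", "transportation")

# Constructed proxy log: "<timestamp> <client> <method> <url>". The first client walks the
# whole chain on the lookalike host quoted in the report; the second only touches an
# unrelated internal page that happens to share a file name.
SAMPLE_LOG = """\
2022-10-03T14:02:11Z 10.1.2.3 GET https://transportation.gov.bidprocure.secure.akjackpot.com/bidwindow.htm
2022-10-03T14:02:40Z 10.1.2.3 POST https://transportation.gov.bidprocure.secure.akjackpot.com/openbid.php
2022-10-03T14:03:05Z 10.1.2.3 GET https://transportation.gov.bidprocure.secure.akjackpot.com/completegen.html
2022-10-03T14:03:30Z 10.1.2.3 GET https://transportation.gov.bidprocure.secure.akjackpot.com/bidwindowverify.htm
2022-10-03T14:03:41Z 10.1.2.3 GET https://www.transportation.gov/
2022-10-03T14:05:00Z 10.1.2.9 GET https://www.dol.gov/agencies/ofccp
2022-10-03T14:06:00Z 10.1.2.9 GET https://intranet.example.com/bidwindow.htm
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>GET|POST)\s+"
    r"https?://(?P<host>[^/\s]+)(?P<path>/[^\s?]*)"
)


def hostname_findings(host: str) -> list:
    """Return the reasons a hostname looks like a government-bid lookalike (empty if none)."""
    labels = host.lower().rstrip(".").split(".")
    # Simplification: treat the last two labels as the registrable domain; a real
    # deployment would consult the Public Suffix List instead.
    registrable = ".".join(labels[-2:])
    subdomain = labels[:-2]
    findings = []
    if "gov" in subdomain and not registrable.endswith(".gov"):
        findings.append("'.gov' appears in the subdomain but the registrable domain is " + registrable)
    if any("bid" in label for label in labels) and any(t in labels for t in DEPARTMENT_TOKENS):
        findings.append("hostname combines a department name with 'bid'")
    if len(subdomain) >= 3:
        findings.append("long subdomain (%d labels) can hide the true domain in a narrow URL bar"
                        % len(subdomain))
    return findings


def parse_log(lines):
    """Yield one dict per well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def chain_alerts(lines) -> list:
    """Report (client, host) pairs that went from /bidwindow.htm to /bidwindowverify.htm."""
    seen = defaultdict(list)  # (client, host) -> campaign page indexes in request order
    for rec in parse_log(lines):
        path = rec["path"].lower()
        if path in CAMPAIGN_PAGES:
            seen[(rec["client"], rec["host"].lower())].append(CAMPAIGN_PAGES.index(path))
    alerts = []
    for (client, host), idxs in seen.items():
        # A lone hit on one file name is not enough: require the landing page first and
        # the captcha page later, which is the point at which credentials have been posted.
        if 0 not in idxs or 3 not in idxs:
            continue
        first_landing = idxs.index(0)
        last_verify = len(idxs) - 1 - idxs[::-1].index(3)
        if first_landing < last_verify:
            alerts.append({
                "client": client,
                "host": host,
                "stages": [CAMPAIGN_PAGES[i] for i in sorted(set(idxs))],
                "host_findings": hostname_findings(host),
            })
    return alerts


if __name__ == "__main__":
    for alert in chain_alerts(SAMPLE_LOG.splitlines()):
        print(alert["client"], alert["host"], alert["stages"])
        for reason in alert["host_findings"]:
            print("  -", reason)
```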

 

Results of The Campaign

These campaigns are convincing from start to finish and make use of preexisting data copied from legitimate sources in order to mislead victims. The consistent impersonation of a United States federal department is carried out each time with updated information, including watermarks on PDFs and information on the credential phishing pages. The only place where the threat actors fall slightly behind is that their spoofed pages can be out of date, which will likely go unnoticed by most victims. Given the advancements seen in each area of the phishing chain, it is likely the threat actors behind these campaigns will continue to innovate and improve upon their already believable campaigns. The first step towards defending against these kinds of attacks is ensuring that employees do not click malicious links. The next step is ensuring that employees realize this applies to attachments just as much as it does to links directly embedded in emails. Training employees to be suspicious of emails and to carefully examine both links and sender information can also help here. An observant employee might notice that sometimes the sending email address, as in Figure 1, is not in fact a .gov address, and the embedded links are not in fact .gov domains. Cofense Intelligence will continue to track these campaigns and provide up-to-date IOCs and rules allowing customers to track and predict similar campaigns. In fact, Cofense Intelligence recently posted about a campaign which used similarly advanced emails and copies of legitimate websites with an embedded “click to bid” link.


Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing

By Andy Mann and Dylan Main, Cofense Phishing Defense Center

Analysts at the Cofense Phishing Defense Center (PDC) have recently analyzed an email asking users to download a “Proof of Payment” as well as other documents. While it is important to never click on the link(s) or download the attachment(s) of any suspicious email, if the recipient interacts with this link, it downloads the Lampion malware.

The Lampion banking trojan has been around since 2019, but this is the first time it has been analyzed by the PDC. While it has not yet been determined who exactly is behind the malware, it is known for using a VBS loader. Fortunately, PDC analysts have spotted threat actors using a new form of delivery for that very VBS file. Using WeTransfer, a trusted cloud platform used for payments, threat actors are attempting to gain the trust of users while taking advantage of the service provided by the popular site. By leveraging a trusted payment site, it’s not surprising to see threat actors align their email message with this process. A well-conditioned user quickly reported this email, which mitigated the threat of malware infection.

Figure 1: Email Body

English translation: Good afternoon, I send proof of payment and documents on the link: hXXps://we[.]tl/t-pNvQIG8UJS I subscribe with high esteem and best regards

In Figure 1, the threat actor used a very simple email message to engage the recipient. The strongest tactic taken is spoofing a legitimate company, which could potentially be a result of compromised credentials. The email tells the recipient that a proof of payment and other documents have been sent, accessible at the URL hXXps://we[.]tl/t-pNvQIG8UJS. When the recipient interacts with the URL, they are directed to a page where they can download a ZIP file containing the documents referenced in the email.

Figure 2: Contents of the ZIP File

Figure 3: Strings from the First Wscript Process

Once the ZIP file is downloaded, its contents can be extracted to reveal a folder containing the two files seen in Figure 2. The VBS file, Comprovativo de pagamento de fatura_517-TEG_22-08-2022 20-09-24_28.vbs, is the file of concern, as launching it starts the malicious process. It initiates a wscript process. Analyzing the strings in the memory of this process reveals references to two different VBS files, seen in Figure 3. This initial process created these files in the AppData\Local\Temp and AppData\Roaming directories. There are four VBS files created in total, each with random letters as a filename. The scripts in AppData\Roaming are less relevant: one file appears to be empty or was deleted during the process, while the other is small with minimal functionality. The script xjfgxhakusp.vbs in AppData\Local\Temp is far more important.

 

Figure 4: URLs Leading to DLLs

While there are two VBS files in AppData\Local\Temp, the smaller script is only meant to initiate the other, larger script, xjfgxhakusp.vbs. It is a strange extra step taken by the threat actor. Upon running the larger script, another wscript process is initiated. This second wscript process reaches out to the two payload URLs in Figure 4, both of which download the final DLL files. The bottom URL downloads a password-protected ZIP which holds the DLL, but the password is hardcoded into the malicious process itself. The DLLs are then finally injected into memory. As a banking trojan, Lampion mainly looks to steal the target’s valuable information.

While email security continues to evolve to protect the organization, threat actors are constantly looking for opportunities to land in the inbox. This is why it is critical to provide your users with simulations aligned with the latest threats. Customers of the Cofense PDC can ease or confirm their suspicions by reporting suspicious emails to the PDC where an analyst will analyze the email for emerging threats. Contact us to learn more.

 

Indicators of Compromise (URL followed by hosting IP)
hXXps://we[.]tl/t-pNvQIG8UJS 13[.]249[.]39[.]48
hXXps://wetransfer[.]com/downloads/d8c6430f0c15ee79cb72ea2083f4a07420220830135534/b872b1 108[.]128[.]47[.]24
hXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/soprateste.zip?=ttvuawzgbpiqawlaarfnlxatyebabbwpriceiqupxmmzuix 52[.]219[.]104[.]24
hXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/oftvwaiyg?=wiyjxpnveuzmgakjpgcjitnjwxaizzzbzmibklzkokxitcgpmso 52[.]219[.]177[.]178

 


Why Phishing Simulation Programs Aren’t Enough

Author: Tonia Dudley

Report after report continues to highlight phishing as the top threat hitting organizations today, leading either to an incident or a data breach. The most recent report published by IBM lists both Business Email Compromise (BEC) and phishing as the leading causes of data breach cost. In our recent webinar, we discussed various factors to consider in your email security program related to phishing, well beyond the basics of phishing simulation.

For those that missed our webinar, below are three key insights that we discussed as ways to address ransomware as an organization.

During the webinar, we highlighted one of our recent blogs that allowed a customer to experience the ROI on their recent Vision implementation and enabling the auto-quarantine feature. With just a few users reporting this email to our Phishing Defense Center (PDC), the team was able to find another 130 emails which were automatically removed from inboxes company wide.

Key Takeaway #1 – Why we pioneer phishing simulation methodology

As organizations continue to mature their phishing defense program, there are often many questions around how much, how frequent, and when can we stop. We discussed the reason for creating a safe place for the user to experience the threat in the same place they manage their email. We highlighted several do’s and don’ts as you run your program, including the reason to align simulations to the threats your organization is experiencing.

Key Takeaway #2 – Metrics that matter to your Phishing program

Your phishing program is more than your simulation click rate. For years we've stressed the importance of focusing on the number of users reporting. Even more critical is combining this data with your real phishing threats. Are you looking at your program holistically to ensure you're measuring what matters? Are you able to articulate to leadership the value of what you've invested in making sure your organization is protected against a phishing incident? Measure the time from when the email hits the inbox, through the user reporting it, to closing the ticket after full remediation of the phish (password resets, network blocks, and endpoint scans or rebuilds).
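As an added example (not from the original post), the following Python computes the measures described above over constructed reported-phish records: the simulation report rate alongside the click rate, and the median time from inbox delivery to the user's report and to ticket closure. The timestamps and simulation counts are made up.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not real data). Each holds the three
# timestamps the post says to measure: when the email hit the inbox,
# when a user reported it, and when the ticket was closed after full
# remediation. A record with no close time is still open.
SAMPLE_REPORTS = [
    {"id": 1, "delivered": "2022-09-01T09:00:00", "reported": "2022-09-01T09:04:00", "closed": "2022-09-01T11:30:00"},
    {"id": 2, "delivered": "2022-09-01T09:00:00", "reported": "2022-09-01T09:20:00", "closed": "2022-09-01T13:00:00"},
    {"id": 3, "delivered": "2022-09-02T14:00:00", "reported": "2022-09-02T16:45:00", "closed": None},
    {"id": 4, "delivered": "2022-09-03T08:30:00", "reported": "2022-09-03T08:31:00", "closed": "2022-09-03T09:00:00"},
]

FMT = "%Y-%m-%dT%H:%M:%S"


def minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO timestamps."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 60


def program_metrics(reports, sim_sent=200, sim_reported=64, sim_clicked=18):
    """Metrics the post argues for: report rate next to click rate for the
    simulation, and median inbox-to-report and inbox-to-close times for
    real reported phish. The simulation counts are constructed assumptions."""
    to_report = [minutes_between(r["delivered"], r["reported"]) for r in reports]
    closed = [r for r in reports if r["closed"]]
    to_close = [minutes_between(r["delivered"], r["closed"]) for r in closed]
    return {
        "simulation_click_rate": sim_clicked / sim_sent,
        "simulation_report_rate": sim_reported / sim_sent,
        "real_phish_reports": len(reports),
        "open_tickets": len(reports) - len(closed),
        "median_minutes_to_report": median(to_report),
        "median_minutes_to_close": median(to_close) if to_close else None,
    }


if __name__ == "__main__":
    for name, value in program_metrics(SAMPLE_REPORTS).items():
        print(f"{name}: {value}")
```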

Key Takeaway #3 – Not everything needs to be a simulation template

There are times when a threat emerges quickly, or a sensitive topic is being used in a real phishing campaign. This is when it's critical to get the word out to your users to stay on alert. This is best done using a simple newsletter with images of the real phish.

For additional insights from our 2022 Annual State of Phishing Report webinar series:

Compromised Microsoft Dynamics 365 Customer Voice account used for Phishing attack

By Nathaniel Sagibanda, Cofense Phishing Defense Center

Customer feedback is always important for organizations of all sizes, and several well-known companies offer different kinds of feedback tools. But what if those customer feedback systems were used to launch phishing attacks? The Phishing Defense Center (PDC) has observed an interesting technique in which a threat actor sends a spoofed eFax notification from a compromised Dynamics 365 Customer Voice business account to lure the recipient into credential phishing.

These credential phishing emails have been broadly disseminated, with no specific industry targeted. The campaign has hit dozens of companies in multiple sectors, including energy, financial services, commercial real estate, food manufacturing, furniture, data analytics, and professional services.

The phishing email, as seen in Figure 1, claims the recipient has received a "10-page corporate eFax", a familiar tactic to lure interaction with the email. There are several interesting clues in this email that would most likely encourage the recipient to report it quickly. It starts at the top of the email with the subject, which doesn't align with the rest of the message: the recipient most likely opened the message expecting something related to a document that needs a signature. However, that isn't what the message body shows. It leads the recipient to believe they received a file, delivered from the fax, via "Attachment File Type: pdf", without an actual file name 🤷🏻‍♀️. Further down the email, we see a footer indicating that this email was generated from a survey site.

Figure 1: Phishing Email
When the user clicks the link, they are directed to a Customer Voice survey made to look like an eFax solution page with a reasonable layout, as seen in Figure 2. The URL confirms this is a Microsoft Dynamics 365 webpage (Figure 3). In an effort to further establish the credibility of the page, the threat actor uses the words "dynamic365" and "eFaxdynamic365".

Figure 2: Phishing page
Noticeably, the threat actor embeds a video of eFax solutions as spoofed service details, instructing the user to contact "@eFaxdynamic365" with any inquiries. The "Submit" button at the bottom of the page serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template and modified it with spurious eFax information to entice the recipient into clicking the link (Figure 2), leading them to a Microsoft login page (Figure 5) which then exfiltrates their credentials to an external URL.

Figure 3: Phishing Page
Figure 4: Successful “Submit” button
Figure 5: Phishing Page
The above phishing campaign may follow a well-known pattern, but because it is sent from a compromised account on a well-known customer feedback platform, it is difficult to block and can more easily bypass SEGs to reach users' inboxes. By reporting these types of emails to the Cofense PDC, we can help our customers identify new phishing email patterns and techniques.
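An added detection example (not part of the PDC write-up) that scores a plain-text email for the lure pattern described above: a survey-platform link combined with a fax or PDF attachment claim and a subject that does not match the body. The sample messages are constructed, the survey hosts are the two Microsoft domains from this post's indicators, and the URL id is a placeholder.

```python
import re
from email import message_from_string

# Survey-platform hosts from the post; a real survey invitation has no reason to announce a fax or a PDF.
SURVEY_HOSTS = {"customervoice.microsoft.com", "ncv.microsoft.com"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
FAX_RE = re.compile(r"\be?fax\b", re.I)
ATTACH_CLAIM_RE = re.compile(r"attachment file type\s*:\s*pdf", re.I)
SIGNATURE_RE = re.compile(r"\b(sign|signature|e-?sign)\b", re.I)

# Constructed sample messages modelled on the lure in the post (not the real email).
LURE = """\
From: Customer Voice <no-reply@survey.example>
Subject: Document awaiting your signature
Content-Type: text/plain

You have received a 10-page corporate eFax.
Attachment File Type: pdf
View fax: https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=PLACEHOLDER

This email was generated by a survey.
"""

BENIGN_SURVEY = """\
From: Customer Voice <no-reply@survey.example>
Subject: How did we do?
Content-Type: text/plain

Please rate your support case: https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=PLACEHOLDER
"""


def score_efax_lure(raw: str) -> dict:
    """Flag a survey-platform email that behaves like a fax/attachment notice.
    One hit (a plain survey link) is normal; two or more is the lure pattern."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
    reasons = []
    if hosts & SURVEY_HOSTS:
        reasons.append("link to survey platform")
    if ATTACH_CLAIM_RE.search(body) and not msg.is_multipart():
        reasons.append("claims a PDF attachment but carries none")
    if FAX_RE.search(body):
        reasons.append("fax-themed body")
    if SIGNATURE_RE.search(subject) and not SIGNATURE_RE.search(body):
        reasons.append("subject theme does not match body")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}
```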


Cofense Increases Efficiency and Visibility with Triage 1.25

With Triage 1.25, SOC teams can now supercharge their efficiency through automation, enhanced reporting, and revamped response templates, to fight back more quickly against today's evolving threats. Here's the breakdown of what that looks like in action.

Automate More Easily with Triggers

Playbooks, introduced in Triage 1.24.0, let you perform a reusable set of actions on a reported email or cluster of emails with a single button click. Now, automate your playbooks with triggers. When a report meets the conditions you specify in the trigger, the trigger runs your desired playbook automatically! This means fewer clicks and less manual effort when it comes to triaging malicious emails and sending automated communications to your end users. It also means that deep YARA rule writing skills are not needed to write triggers, making it easy for any SOC team member to get into Triage and begin using it quickly.

To create a trigger, you simply select one or more of the following conditions and then build the trigger around them. Analysts combine whichever conditions make sense for the type of attack, the threat vector, what's common in their industry, and more.

  • Report Content
  • Reporter Reputation
  • Reporter VIP Status
  • Risk Score
  • Rule Match
  • Rule Priority
  • Rule Count
  • Threat Indicator Value
  • Threat Indicator Count


Active Triggers Dashboard
Triggers and Playbooks give you more flexibility and granularity when it comes to automating actions across Triage and teams. As a result, our Recipes function will be sunset, as Playbooks offer much deeper functionality. Not to worry though: we'll give plenty of notice and have even added a button so you can begin converting your Recipes to Playbooks.
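As an added illustration (not Triage's own code or data model), here is a small Python model of how the conditions listed above can be combined into triggers that select playbooks for a reported email; the field names, rule names, playbook names and sample report are assumptions.

```python
from dataclasses import dataclass, field


# Illustrative model of a reported email; the fields are assumptions, not Triage's schema.
@dataclass
class Report:
    body: str
    reporter_reputation: int            # higher = history of accurate reports
    reporter_vip: bool
    risk_score: int
    matched_rules: dict = field(default_factory=dict)   # rule name -> priority
    threat_indicators: list = field(default_factory=list)


# One evaluator per condition type; each receives the report and the value
# the analyst configured for that condition.
CONDITIONS = {
    "report_content": lambda r, v: v.lower() in r.body.lower(),
    "reporter_reputation": lambda r, v: r.reporter_reputation >= v,
    "reporter_vip": lambda r, v: r.reporter_vip == v,
    "risk_score": lambda r, v: r.risk_score >= v,
    "rule_match": lambda r, v: v in r.matched_rules,
    "rule_priority": lambda r, v: any(p >= v for p in r.matched_rules.values()),
    "rule_count": lambda r, v: len(r.matched_rules) >= v,
    "threat_indicator_value": lambda r, v: v in r.threat_indicators,
    "threat_indicator_count": lambda r, v: len(r.threat_indicators) >= v,
}


def trigger_fires(trigger: dict, report: Report) -> bool:
    """A trigger fires only when every condition it selects holds for the report."""
    return all(CONDITIONS[name](report, value) for name, value in trigger["conditions"].items())


def playbooks_to_run(triggers: list, report: Report) -> list:
    """Return the playbooks whose triggers fire, in configured order."""
    return [t["playbook"] for t in triggers if trigger_fires(t, report)]


# Constructed triggers: quarantine a credential phish flagged by a reliable reporter,
# escalate anything a VIP reports, and bulk-clean high-risk reports with several indicators.
TRIGGERS = [
    {"playbook": "quarantine-credential-phish",
     "conditions": {"rule_match": "Credential_Phish_Dropbox", "reporter_reputation": 3}},
    {"playbook": "escalate-vip-report", "conditions": {"reporter_vip": True}},
    {"playbook": "bulk-cleanup", "conditions": {"risk_score": 80, "threat_indicator_count": 2}},
]

# Constructed sample report (hypothetical values, including the indicators).
SAMPLE_REPORT = Report(
    body="Your Dropbox file is ready, sign in to view",
    reporter_reputation=5, reporter_vip=False, risk_score=90,
    matched_rules={"Credential_Phish_Dropbox": 4},
    threat_indicators=["hxxps://dropbox-share.example/login", "203.0.113.10"],
)
```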

Enhanced Reporting

We released Dynamic Reporting in the summer of 2021 and continue to build on our strong reporting foundation with more flexibility when it comes to building and distributing reports. The templates that generate dynamic reports are now more robust, with new sections and more options to help you format and refine the data in your output. We've also added PDF support so you can distribute reports to any user in an easy-to-consume format.


Add or Remove Sections and build a bespoke Report

Best practice categories and response templates

The default set now contains six malicious categories and five non-malicious ones. These new defaults reduce the need for customization and better reflect the current phishing trends we are seeing in the field. These categories help prevent confusion and allow SOCs to understand more quickly what threats they are seeing.

And due to popular demand, we are bringing back a workflow called “Categorize Reports.” You can still use the new, quicker way to start workflows, but we wanted to bring more options for our users.

To learn more about Cofense Triage or to see these new capabilities in action, please request a demo at https://go.cofense.com/live-demo/. Cofense Customers can always reach out to their CX team for more information on upgrading.

*Please note: Customers must be Triage versions 1.24.0 or 1.24.1 in order to upgrade to 1.25.0*

Ransomware Themed Phishing Attack

Countdown Timer: Ransomware Themed Phishing Attack

By Adam Martin, Cofense Phishing Defense Center

The Phishing Defense Center (PDC) observes a large variety of phishing techniques and lures throughout our customer base. Some of those techniques are quite unique methods of getting the end user to interact with the message. As illustrated below in Figure 1, the recipient is advised about a suspicious login, alluding to login location issues, and is offered a solution in the form of email verification. The name of the proposed security software company, "DNS Domain Name Server", is vague enough but "tech"-sounding enough to convince the unsuspecting recipient that this could indeed be their native security service.

Figure 1 Initial Email

What sets this phish apart from other campaigns is the graphic displayed to the recipient once the malicious link is accessed. For the purposes of this example, fake information has been provided to the hosting server.

Figure 2 Example Email Address

Once accessed, the page shown in Figure 3 is displayed. The page runs in a loop, with randomly generated names assigned to the domain based on the target company's domain. Sharing some similarities with ransomware, the target is faced with a countdown timer and the choice between the deletion of potentially company-wide email access and entering their credentials. The timer creates the same kind of panic a ransomware note does, all designed to push the recipient into entering their credentials without second-guessing. These details aren't actually deleted; they are merely randomly generated as part of the scare tactic, much the same as a ransomware "timer" for permanent file deletion should the ransom not be paid.

Figure 3 Ransomware style note displayed

As is normal with phishing incidents, once credentials have been provided by the recipient, one of two actions generally takes place. The password "input" box will return "wrong password", with the details posted to the C2 address. Alternatively, the user is redirected to a new page along the lines of "validating" the account, which eventually reverts to the homepage of the target organization, as seen in Figure 4. In this case, after several different variations of "validating, checking, confirming", the user was ultimately redirected back to their own company's home page.

Figure 4 Validation loop

Indicators of Compromise
URL: hXXp[:]//nameserversecurity[.]com/[account]_[verification.php]?cust_mail
IP: 199[.]188[.]205[.]252
