Phishes Found in Proofpoint-Protected Environments – Week Ending May 31, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We have observed a number of attacks leveraging password protections on attachments and their macros, a tactic that has been successful for years.

TYPE: Malware – Remote Manipulator System

DESCRIPTION: Software update-themed emails spoof a travel company to deliver a .txt file containing a URL which recipients are encouraged to visit. The URL downloads a malicious Remote Manipulator System sample. Cofense analyzed RMS almost a year ago.

TYPE: Credential Theft

DESCRIPTION: Spoofing the videoconferencing platform Zoom, this phish delivers an attached html file that holds a phishing link. The victim is led to a phishing page spoofing Microsoft Outlook designed to steal credentials. Phishing attacks are taking advantage of the uptick in Remote Work to trick victims into clicking.

TYPE: Malware – Ursnif

DESCRIPTION: Finance-themed campaign delivers an attached, malicious Microsoft Excel file. Within the file, password-protected macros deliver Ursnif to the victim’s computer. Cofense published an analysis of Ursnif back in 2017.

TYPE: Credential Theft

DESCRIPTION: Finance-themed emails deliver attached .xlsx files containing links to a SharePoint page hosting another .xlsx file. That file links to a credential phishing page with an “Office 365 Buisness” [sic] banner at the top and separate credential categories for O365, Outlook, AOL, Gmail, Yahoo, and “other mail”.

TYPE: Malware – Valak

DESCRIPTION: Response-themed emails deliver attached password-protected archives containing Office macros, which we have been reporting on since 2011. The Office macros download a binary which drops the first stage of a Valak malware downloader infection. Valak then downloads a plugin manager binary.

TYPE: Malware – NetWire

DESCRIPTION: Request-themed emails spoof well-known vendors to deliver an attached .xlsb file with password-protected Office macros which download GuLoader. GuLoader then downloads the NetWire Remote Access Trojan.

TYPE: Credential Theft

DESCRIPTION: This Coronavirus-themed phish spoofs Microsoft Outlook promising an upgrade to gain access to a “Covid-19 employee tracker”. The link leads to a credential phishing site which exfiltrates stolen credentials to a legitimate URL. Attackers continue to leverage the COVID-19 pandemic to lure victims.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishers Cast a Wider Net in the African Banking Sector

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defence Center (PDC) has uncovered a wide-ranging attempt to compromise credentials from five different African financial institutions. Posing as tax collection authorities, adversaries seek to collect account numbers, user IDs, PINs and cell phone numbers from unsuspecting customers.

One such email, which was found in environments protected by Proofpoint and Microsoft, alleges to come from the South African Revenue Service’s (SARS) eFiling service. It claims a tax return deposit of R12,560.5 (South African Rands), approximately $700 USD, has been made to the user’s account and urges them to click on their financial institution in order to claim it. The real sender of the email, however, appears to be a personal Gmail address that may have been created or compromised by the adversaries.

Figure 1 – (Partial) Email Body

As seen in Figure 2, it is erroneously assigned a score of zero in Proofpoint’s “phishscore” metric.

Figure 2 – Proofpoint Header

Dragging and Dropping a Net

Each of the images embedded in the email corresponds to a different bank. Clicking on any of these will take the user to a spoofed login portal corresponding to the selected bank. The spoofed banks include ABSA, Capitec, First National Bank (FNB), Nedbank and Standard Bank, all of which are based in South Africa. The lookalike sites are located at 81[.]0[.]226[.]156 and hosted by Czech hosting provider Nethost. It should be noted that, at the time of analysis, only the site for Standard Bank was unavailable. Figures 3 to 6 below show the phishing portals imitating each bank.

Figure 3 – ABSA

Figure 4 – Capitec

Figure 5 – FNB

Figure 6 – Nedbank

All spoofed portals were created using Webnode, a website building service known for its friendly drag and drop features. Despite this ease of use, adversaries have kept things rather simple, as all portals are basic forms with a few or no images. The portals ask for a variety of personal information, including account numbers, passwords, PINs and even cell phone numbers.

Adversaries can access all entries directly from the form itself. They can also receive notifications to an email address of their choosing every time a submission is made; the Gmail account used to send the phishing email may also be where adversaries are notified of each and every new victim. Webnode also allows the export of form submission data in xml and csv formats.

Webnode therefore is an optimal way to store and retrieve stolen user data. There is no need for additional infrastructure, nor to compromise any third parties. As in the case of the Standard Bank portal, the risk of discovery and subsequent closure of spoofed sites means adversaries can lose access to any unretrieved information. However, this risk seems to be offset by the ease with which replacement spoofed sites can be created.

IOCs:

Malicious URLs:

  • hxxps://absa9[.]webnode[.]com
  • hxxps://capitec-za[.]webnode[.]com
  • hxxps://first-national-bnk[.]webnode[.]com
  • hxxps://nedbank-za0[.]webnode[.]com
  • hxxps://standardbnk[.]webnode[.]com

Associated IPs:

  • 81[.]0[.]226[.]156


How Cofense Can Help:

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence™. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 38237 and a YARA rule.


Phishes Found in Proofpoint-Protected Environments – Week Ending May 24, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s examples see the continued use of macro-laden Microsoft Office documents, which have been a top delivery mechanism of malware for years.

TYPE: Malware – QakBot

DESCRIPTION: Response-themed emails deliver embedded URLs to VBS scripts to download the QakBot banking trojan. Because the phishing email is a reply to a legitimate chain, these attack URLs are often skipped by URL protection methods.

TYPE: Malware – Pyrogenic

DESCRIPTION: Finance-themed emails deliver embedded URLs to JAR files to download the Pyrogenic Stealer. Though obfuscated, the stealer’s code is rather straightforward, and yet it frequently avoids detection.

TYPE: Credential Theft 

DESCRIPTION: Finance-themed emails spoof a management company to deliver embedded OneNote links. The OneNote page exists in several variants, each linking to pages crafted to steal credentials. Hosted OneNote notebooks are becoming more popular in phishing attacks.

TYPE: Malware – FormGrabber

DESCRIPTION: Order-themed emails spoofing a vendor deliver the FormGrabber malware via a CVE-2017-0199 to CVE-2017-11882 download chain. This phishing campaign is included in Cofense’s free COVID-19 YARA Rules.

TYPE: Malware – NanoCore

DESCRIPTION: Finance-themed emails deliver an embedded DropBox link to a 7z archive containing the GuLoader executable. Once clicked, the GuLoader downloads and executes NanoCore RAT from Microsoft OneDrive.

TYPE: Credential Theft 

DESCRIPTION: Document-themed emails deliver embedded Google Cloud Storage (GCS) links. The linked pages harvest email login credentials and exfiltrate them to a non-GCS location.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed emails spoof the United Kingdom government and HMRC to deliver embedded shortened URLs from tinyurl and is[.]gd. The URL shorteners redirect to a phishing URL that uses disc[.]us and appears to allow you to ‘claim your tax refund’. The phishing URL harvests personal information, credit card and issuer details.

TYPE: Malware – TrickBot

DESCRIPTION: Coronavirus-themed emails deliver an attached Excel spreadsheet which exploits CVE-2017-11882 and includes an Office Macro, both of which are used to drop and run a VBS script. This script then downloads and runs TrickBot.

TYPE: Credential Theft

DESCRIPTION: Voicemail Notice-themed emails deliver an embedded link to a credential phishing landing page that is spoofed to look like a Microsoft Outlook sign-in page.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


Chronology of COVID-19 Phish Found in Environments Protected by Proofpoint During the Pandemic

Cofense was one of the first to report on the risk of COVID-19 themed phishing threats and launched its Coronavirus Infocenter on March 12, 2020. Since that time, we’ve seen no slow down. Every day we see new examples. And while the tactics and schemes may differ, one thing remains consistent: phishing attacks are bypassing secure email gateways, and gateways are not stopping the attacks.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.


Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the Cofense Phishing Defense Center (PDC) found in environments protected by Proofpoint – detected by humans, analyzed with Cofense Triage, and quarantined by Cofense Vision.

Email Examples

A Credential Phish promising information about a COVID-19 vaccine that includes .png attachments and delivers a URL leading to a sharepoint.com site.

March 19, 2020

A spoofed email pretending to be from the World Health Organization delivers a malicious URL.

March 23, 2020

A Credential Phish crafted to look like a Dropbox-hosted document actually leads to storage.googleapis.com. Cofense has seen Dropbox phish since 2014.

Another Credential Phish that spoofs an organization’s Human Resources department and delivers a link to a login page designed to steal corporate credentials.

A Credential Phish crafted to look like a corporate communication provides a link to hb-bonusclaim.com and a login page designed to steal corporate credentials.

March 24, 2020

A Credential Phish with an apparent PDF attachment is actually an image linked to a Microsoft Sway-hosted page and eventually to a page designed to steal corporate credentials. Sway usage in phishing campaigns has been increasing.

March 26, 2020

A Credential Phish that appears to be a voice mail with a COVID-19 message but leads to a URL hosted on samsungusa.com.

March 29, 2020

A Credential Phish containing a link to a Dropbox-hosted resource, supposedly a PDF document, but that leads to a web page designed to steal corporate credentials.

March 30, 2020

Another Credential Phish requesting payment and prompting for corporate credentials.

March 31, 2020

A Credential Phish using a Microsoft Word attachment that redirects the victim to a Microsoft OneNote document, eventually leading to a page designed to steal corporate credentials. Read more about the use of OneNote in phishing attacks.

Another Credential Phish, this one offering an investment opportunity but delivering a link that leads to a web page designed to steal corporate credentials.

A Credential Phish designed to look like a fax transmission delivers a link leading to a web page designed to steal corporate credentials.

April 1, 2020

A Credential Phish that spoofs Microsoft SharePoint but leads to a web page designed to steal corporate credentials. Phishing attacks using SharePoint continue to be a problem for all SEGs.

April 2, 2020

A spoofed email pretending to be the US Department of Health and Human Services delivers a password-protected malicious Microsoft Word document.

April 3, 2020

A spoofed email pretending to be the World Health Organization provides a link to innocentminds.com that leads to a web page designed to steal corporate credentials.

April 5, 2020

A spoofed email pretending to be a healthcare professional delivers a Microsoft Excel document containing ZLoader, a malicious loader first seen in 2016. Read how Cofense Triage stopped a ZLoader attack.

April 10, 2020

A spoofed email pretending to be Human Resources delivers a link to a Google Docs-hosted page that leads to the installation of TrickBot, a banking trojan developed in 2016 and still seen reaching inboxes.

April 13, 2020

Another phish leveraging Google services (FirebaseStorage), this one is a Credential Phish with a URL that leads the victim to a web page designed to steal corporate credentials. Read more about attacks leveraging Google infrastructure.

A Credential Phish spoofing Outlook (Microsoft) delivers a link to a godaddysites.com hosted page, leading the victim to a web page designed to steal corporate credentials.

April 14, 2020

A Credential Phish spoofing the National Health Service promises a document noting confirmed cases of COVID-19, but leads to a web page designed to steal corporate credentials.

April 15, 2020

A Credential Phish crafted to appear like a corporate communication that leads to a Microsoft OneDrive site. The link leads to a web page designed to steal corporate credentials.

A spoofed email pretending to be a business leader is actually an attempted Business Email Compromise (BEC), seeking to trick the victim into replying.

April 21, 2020

A Credential Phish spoofing the Internal Revenue Service and promising tax relief information hosted in DocuSign. The actual link leads to playdemy.org and then to a web page designed to steal corporate credentials.

April 24, 2020

Another spoofed email that is actually an attempted Business Email Compromise (BEC) attack using a COVID-19 theme. BEC attacks have been growing for years and SEGs still aren’t blocking them.

April 25, 2020

Yet another BEC attempt, this time from a business executive using an email reply strategy and needing gift cards.

April 28, 2020

Another COVID-19 themed phishing attack, this one embeds an image that looks like a PDF attachment but actually links to a website designed to steal corporate credentials.

Claiming to be a link to an electronic fax from “The Fax Team”, the embedded link actually leads to a website designed to steal corporate credentials.

April 29, 2020

Another COVID-19 themed phishing attack, this one providing a link to a trusted Dropbox source. The victim is led to a website designed to steal corporate credentials.

May 4, 2020

Spoofing the Internal Revenue Service, this phishing attack delivers an embedded link that leads to a website designed to steal corporate credentials. Read more in the Cofense Blog.

May 5, 2020

Another phishing attack using a Dropbox link to lead the victim to a website designed to steal corporate credentials.


May 6, 2020

This phishing attack spoofs the Public Health Agency of Canada and delivers a link that will lead the victim to a website designed to steal credentials.


Spoofing a well-known bank, this phishing attack purports to have a large file needing to be downloaded from a Microsoft Excel Document Portal but will lead the victim to a website designed to steal credentials.


Another spoof of the Public Health Agency of Canada, this one also delivers a link that leads to a website designed to steal credentials.


This phishing attack embeds an image that looks like email content. Clicking it leads the victim to a website designed to steal credentials.


May 7, 2020

Combining a COVID-19 theme with an emergency request by an executive, this Business Email Compromise attempts to lure the victim into purchasing gift cards.


May 8, 2020

Looking to capture Netflix credentials, this phish may take advantage of people’s propensity for password re-use, putting corporate credentials at risk. Netflix spoofs aren’t just for consumers anymore.


May 10, 2020

Another BEC, this one pretending to be the financial director, tricks the victim into sending the attacker outstanding invoices, which can be used in attacks against 3rd parties.


May 11, 2020

Another embedded image designed to look like an attachment but actually leading to a credential-stealing website.


With some organizations offering a spam filtering service to their employees, phishing threat actors are taking advantage to mask their attacks as pending deliveries. This link, however, leads to a website crafted to steal credentials.


May 14, 2020

Cloud sharing platforms like Dropbox are often trusted by organizations and employees alike. This phishing attack exploits that trust to direct the recipient to a malicious website designed to steal credentials.


Another phishing email that embeds an image designed to look like an attachment. Clicking the image takes the victim to a website designed to steal credentials.


May 18, 2020

This spoof of a financial “partner” is actually a Business Email Compromise attempt seeking to lure the victim into a financial transaction.


The problem of malicious emails evading secure email gateways is not going away. No perimeter control can keep up with the velocity of shifting techniques used by attackers. That’s why a well-conditioned workforce and a security operations team equipped with the tools needed to rapidly detect and quarantine threats is imperative.

Want to discover more about the phishing attacks your SEG is missing? Sign up for 3 free months of Cofense Intelligence, the best human-vetted phishing intelligence in the world.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 17, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint.  We note that the vast majority are Credential Theft attacks, which Cofense predicted would surge over 15 months ago. Today, they still remain a significant threat.

TYPE: Malware – Agent Tesla

DESCRIPTION: In 2019, Cofense Intelligence identified the Agent Tesla keylogger as a top phishing threat. 7 months later, this malware is still reaching inboxes. This example delivered an embedded URL, luring the victim with a purchase order.

TYPE: Credential Theft 

DESCRIPTION: Phishing threat actors love to leverage the trust that their victims and their SEGs place in online hosting platforms. This attack starts with a WeTransfer link that eventually steals email credentials via a Microsoft OneDrive-hosted file.

TYPE: Credential Theft 

DESCRIPTION: This attack takes a page from the spammer’s guidebook, seeking to obfuscate the sender address to slip through perimeter defenses. It spoofs Netflix to deliver a shortened URL leading to a phishing page.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attacks are both popular and successful at reaching inboxes to victimize recipients. This phish takes advantage of familiarity with Microsoft Office 365 to trick victims into clicking the embedded link and giving up their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Many organizations let their SEG filter questionable email and empower the recipients to review and allow or block. Crafty phishers spoof the concept to get their victims to click the links. These lead the victim to a website designed to steal their email credentials.

TYPE: Credential Theft 

DESCRIPTION: Another phish exploiting a trusted platform. This example spoofs the Adobe Document Cloud with an image linked to a website designed to steal Adobe login credentials.

TYPE: Credential Theft

DESCRIPTION: Using Coronavirus as the premise, this attack spoofs a legitimate bank informing the recipient that they need a new bank card. The attackers steal not only the victim’s banking credentials, but their address, phone number and PIN.

TYPE: Credential Theft 

DESCRIPTION: Have we mentioned attackers leverage trusted platforms? This phish offers a Microsoft OneDrive-hosted invoice in PDF form. It collects the victim’s login credentials and then sends them to a legitimate PDF hosted by the Federal Reserve.

TYPE: Credential Theft

DESCRIPTION: Yet another attack using Microsoft infrastructure – this time SharePoint – to host portions of the attacker’s campaign. This one is a hosted PDF leading to a web page designed to steal credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


MFA Bypass Phish Caught: OAuth2 Grants Access to User Data Without a Password

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defense Center (PDC) uncovered a phishing tactic that leverages the OAuth2 framework and OpenID Connect (OIDC) protocol to access user data. The phish is not a typical credential harvester, and even if it were, Multi-Factor Authentication (MFA) wouldn’t have helped. Instead, it attempts to trick users into granting permissions to a rogue application. This is not the first time the tactic has been observed, but it’s a stark reminder that phishing isn’t going to be solved by Multi-Factor Authentication.

Using the lure of a Q1 bonus, the email is crafted to appear to be a normal invite to a SharePoint hosted file. The prospect of receiving an increase to their salary is an effective lure that can lead users to fall prey.

Figure 1 – Email Body

After clicking on the link, users are taken to the legitimate Microsoft Office 365 login page at https://login.microsoftonline.com (Figure 2). However, if one inspects the URL in its entirety, which average users are unlikely to do, a more sinister purpose is revealed.

Figure 2 – O365 Login Page

Anatomy of a URL

First, a quick primer: applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform. This is where OAuth2 and OIDC come in. The latter is used to authenticate the user who will be granting the access, and if authentication is successful, the former authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.

Figure 3 – Entire URL

The response_type parameter denotes the type of access being requested to the Microsoft Identity Platform /authorize endpoint. In this case, both an ID token and an authorization code (id_token+code) are requested. The latter will be exchanged for an access token which will, in turn, be presented by the application to Microsoft Graph for data access.

Next, the redirect_uri parameter indicates the location to which authorization responses are sent. This includes tokens and authorization codes. As we can see, responses are sent to hxxps://officehnoc[.]com/office, a domain masquerading as a legitimate Office 365 entity, located at 88[.]80[.]148[.]31 in Sofia, Bulgaria and hosted by BelCloud.

Moving on, the scope parameter shows a list of permissions the user gives to the application (note “%20” represents a blank space). These allow the application to read (read) and/or modify (write) specific resources for the signed in user. If the “All” constraint is present, permissions apply for all such resources in a directory.

For example, “contacts.read” enables the application to read only the user’s contacts, whereas “notes.read.all” allows it to read all OneNote notebooks the user has access to, and “Files.ReadWrite.All” allows it to both read and modify (create, update and delete) all files accessible to the user, not only his or her own.

If the attackers were successful, they could grab all the victims’ email and access cloud hosted documents containing sensitive or confidential information. Once the attacker has sensitive information, they can use it to extort victims for a Bitcoin ransom. The same permissions can also be used to download the user’s contact list to be used against fresh victims. Using the address book and old emails would allow the attacker to create hyper-realistic Reply-Chain phishing emails.

Perhaps most concerning, however, is “offline_access”. As access tokens have an expiration time, this permission allows the application to obtain refresh tokens, which can be exchanged for new access tokens. Therefore, users need only authenticate and approve permissions once to potentially enable indefinite access to their data.

Finally, we find openid and profile which are technically scopes in themselves; openid indicates the application uses OIDC for user authentication, while profile provides basic information such as the user’s name, profile picture, gender and locale among others. This information, known as claims, is sent to the application in the ID token issued by the /authorize endpoint.

After signing in, the user will be asked to confirm one last time that he or she wants to grant the application the aforementioned permissions. If users fail to act, it will be up to domain administrators to spot and deal with any suspicious applications their users might have misguidedly approved.
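The following is an added example, not code from the Cofense post: a small Python check a mail-security or identity team could run over a reported /authorize URL to surface the features the analysis above describes (the redirect_uri host, the response_type, directory-wide “.All” scopes and offline_access). The client_id values, the redirect hosts, the scope lists and the allow-list of trusted redirect hosts are all constructed for illustration.

```python
# Added example (not from the Cofense post): inspect a Microsoft Identity Platform
# /authorize URL of the kind described above and flag the consent-grant features
# the analysis calls out. Redirect hosts, client_id and scope lists are constructed.
from urllib.parse import urlparse, parse_qs, urlencode, quote

# Delegated Microsoft Graph permissions the post highlights as giving broad or
# persistent access. Names are compared case-insensitively.
HIGH_RISK_SCOPES = {
    "mail.read", "mail.readwrite", "contacts.read", "notes.read.all",
    "files.readwrite.all", "offline_access",
}
# Assumption: only apps redirecting back to these hosts are expected in the tenant.
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "myapps.microsoft.com"}


def analyze_authorize_url(url, trusted_hosts=TRUSTED_REDIRECT_HOSTS):
    """Break an OAuth2/OIDC authorize URL into the fields a defender cares about."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)  # decodes %20 and '+' back to spaces

    def first(name):
        return params.get(name, [""])[0]

    # response_type and scope are space-separated lists in the query string.
    response_types = first("response_type").split()
    scopes = first("scope").split()
    redirect_host = urlparse(first("redirect_uri")).hostname or ""
    lowered = {s.lower() for s in scopes}

    return {
        "authorize_endpoint": parsed.hostname == "login.microsoftonline.com"
        and parsed.path.endswith("/authorize"),
        "client_id": first("client_id"),
        "response_types": response_types,
        "requests_auth_code": "code" in response_types,
        "redirect_host": redirect_host,
        "redirect_untrusted": redirect_host not in trusted_hosts,
        "risky_scopes": sorted(s for s in scopes if s.lower() in HIGH_RISK_SCOPES),
        "directory_wide_scopes": sorted(s for s in scopes if s.lower().endswith(".all")),
        "persistent_access": "offline_access" in lowered,
        "uses_oidc": "openid" in lowered,
    }


def verdict(findings):
    """Return ("suspicious", reasons) or ("ok", []) for the findings above."""
    reasons = []
    if findings["redirect_untrusted"]:
        reasons.append("redirect_uri host not allow-listed: " + findings["redirect_host"])
    if findings["persistent_access"]:
        reasons.append("offline_access requested: refresh tokens outlive the session")
    if findings["directory_wide_scopes"]:
        reasons.append("directory-wide scopes: " + " ".join(findings["directory_wide_scopes"]))
    broad = [s for s in findings["risky_scopes"]
             if s.lower() != "offline_access" and not s.lower().endswith(".all")]
    if broad:
        reasons.append("broad data scopes: " + " ".join(broad))
    return ("suspicious" if reasons else "ok", reasons)


def build_authorize_url(client_id, response_type, redirect_uri, scope):
    """Construct a v2.0 authorize URL with %20-separated scopes, as in the post."""
    query = urlencode(
        {"client_id": client_id, "response_type": response_type,
         "redirect_uri": redirect_uri, "scope": scope, "response_mode": "form_post"},
        quote_via=quote,
    )
    return "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" + query


# Constructed sample mirroring the pattern in the post: rogue redirect host,
# id_token+code, and a scope list mixing OIDC scopes with directory-wide access.
ROGUE_URL = build_authorize_url(
    client_id="00000000-0000-0000-0000-000000000000",  # placeholder, not a real app
    response_type="id_token code",
    redirect_uri="https://rogue-office.example/office",  # stand-in for an attacker host
    scope="openid profile offline_access contacts.read notes.read.all Files.ReadWrite.All",
)
# Constructed benign counterpart: first-party redirect, minimal scopes.
BENIGN_URL = build_authorize_url(
    client_id="11111111-1111-1111-1111-111111111111",  # placeholder
    response_type="code",
    redirect_uri="https://login.microsoftonline.com/common/oauth2/nativeclient",
    scope="openid profile User.Read",
)

if __name__ == "__main__":
    for label, url in (("rogue", ROGUE_URL), ("benign", BENIGN_URL)):
        result, reasons = verdict(analyze_authorize_url(url))
        print(f"{label}: {result}")
        for reason in reasons:
            print("  -", reason)
```

The same check can be pointed at the Entra ID consent audit log, where the scopes granted to an application appear in the same space-separated form.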

The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.

Network IOC: hxxps://officehnoc[.]com:8081/office
IP: 88[.]80[.]148[.]31


How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.


New Phishing Scam Targets Teleworkers with Bogus Microsoft Teams Notification

By: Kian Mahdavi, Cofense Phishing Defense Center

With the influx of remote workers, it’s a perfect opportunity to flood people’s inboxes with malicious emails and fake links. The Cofense Phishing Defense Center (PDC) recently uncovered a phishing campaign that targets employees to harvest their Microsoft credentials. Ironically, the phish was found in an environment protected by Microsoft’s own secure email gateway (SEG). The phishing email, which was reported to the PDC using the Cofense Reporter button, included a well-thought-out “AudioChat” notification link supposedly from Microsoft Teams.

Teams is one of the most popular platforms for remote employees. Predictably, the threat actors have taken this into consideration – especially during the COVID-19 pandemic with millions of people teleworking. We expect this trend to continue with similar communication platforms.

Figure 1: Email Body of an official Microsoft Teams example notification

Figure 2: Email Body of illegitimate Microsoft Teams notification

Credit where credit’s due, we were impressed by the effort of the threat actor and their high-quality social engineering tactics. The subject line reads “Chat Message in Teams” – is this just an ordinary notification?

The email content closely mirrors Microsoft’s own notifications; in particular, it uses matching font size and color as well as the same overall layout. The email also includes the generic ‘tips’ section towards the bottom half of the message, evident above in Figure 2. However, there’s a catch: despite the effort put into the email content, there are a few tell-tale indications this is a phish. The most obvious sign is the sender’s lengthy spoofed email address:

matcnotification[.]teamadmin_audidsenderderweeu44we7yhw[@]ssiconstructionnw[.]com

The words “notification” and “teamadmin” have been skilfully included within the account name. But more importantly, the sending domain – “ssiconstructionnw” – does not contain the all-important ‘Microsoft’ reference. No prize for guessing, it is a construction company located in Seattle, Washington that the attacker has spoofed. Since the domain is a legitimate one, not only does the email pass basic email security checks, such as DKIM and SPF, but the site also provides HTTPS, displaying the essential green lock to the left of the URL, as shown below in Figure 3 – a valiant effort on behalf of the threat actor.

On top of that, the text displays: “Teammate sent you an offline message.” Notice the message uses a generic word, “teammate”, rather than the specific name of the sender. Contradicting itself, the email includes an initial (JC) of the supposed sender within the avatar, further undermining the legitimacy of the email and raising suspicion.

As mentioned above, the user is requested to click on the “16 second AudioChat,” which, when hovered over, displays the following link:

hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20

The user’s email address (now redacted) is embedded into the above URL. Companies often use various email protection solutions, and as a result, URLs are often packaged with security phrases. In this phishing campaign, the email contains the words “safelinks.protection” planted at the very beginning of the hover link. This could trip up inquisitive readers who might overlook the rest of the URL and click.
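The two tells above (a Teams-branded message whose DKIM/SPF-authenticated domain belongs to an unrelated company, and “safelinks.protection” text planted in a hover link) can be checked mechanically. The following is an added example, not Cofense’s code: the Microsoft sender allow-list is illustrative and incomplete, and the sample messages are constructed placeholders rather than the indicators from this post.

```python
"""Flag a Teams-style notification for the two tells described above:
the message claims to be from Microsoft Teams but the domain that passed
SPF/DKIM is not a Microsoft domain, and a hover link carries the text
"safelinks.protection" without being hosted under Microsoft's Safe Links
service.

Added example, not Cofense's code. MICROSOFT_SENDER_DOMAINS is an
illustrative allow-list; sample messages are constructed placeholders."""
from __future__ import annotations
import re
from urllib.parse import urlparse

MICROSOFT_SENDER_DOMAINS = {"microsoft.com"}            # illustrative; extend as needed
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"  # host suffix of real Safe Links URLs
BRAND = re.compile(r"\bmicrosoft\s+teams\b|\bteams\b", re.IGNORECASE)


def address_domain(header: str) -> str:
    """Domain part of the address in a From: header, lower-cased."""
    m = re.search(r"<([^>]+)>", header)
    addr = m.group(1) if m else header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def is_microsoft_domain(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in MICROSOFT_SENDER_DOMAINS)


def safelinks_lookalike(url: str) -> bool:
    """True when 'safelinks.protection' appears anywhere in the URL but the
    host is not actually under Microsoft's Safe Links service."""
    host = (urlparse(url).hostname or "").lower()
    return "safelinks.protection" in url.lower() and not host.endswith(SAFELINKS_SUFFIX)


def assess(msg: dict) -> list[str]:
    """Return a list of findings; an empty list means neither tell was found."""
    findings: list[str] = []
    # A passing DKIM/SPF result only proves the mail came from the authenticated
    # domain (DKIM d= when present, else the From: domain), not that the domain
    # has anything to do with the brand the message claims.
    auth_domain = (msg.get("dkim_d") or address_domain(msg["from"])).lower()
    branded = any(BRAND.search(s) for s in (msg["from"], msg["subject"], msg["body"]))
    if branded and not is_microsoft_domain(auth_domain):
        findings.append(f"Teams-branded mail authenticated for non-Microsoft domain: {auth_domain}")
    for url in msg["links"]:
        if safelinks_lookalike(url):
            findings.append(f"Safe Links lookalike host: {urlparse(url).hostname}")
    return findings


# Constructed samples; the domains are placeholders, not the post's indicators.
LEGIT = {
    "from": "Microsoft Teams <noreply@email.teams.microsoft.com>",
    "dkim_d": "email.teams.microsoft.com",
    "subject": "Chat Message in Teams",
    "body": "JC sent you a message in Teams.",
    "links": ["https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fteams.microsoft.com%2F"],
}
PHISH = {
    "from": "Microsoft Teams <notification.teamadmin@contractor-example.invalid>",
    "dkim_d": "contractor-example.invalid",
    "subject": "Chat Message in Teams",
    "body": "Teammate sent you an offline message. 16 second AudioChat",
    "links": ["https://safelinks.protection.tracker-example.invalid/?u=0abc&id=123"],
}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("phish", PHISH)):
        print(name, assess(msg) or ["no findings"])
```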

Figure 3: Initial Phishing Page

The phishing page above, to which users are forwarded, follows Microsoft’s design (an almost picture-perfect replica); of course, we are overlooking the forged URL in the address bar. Once ‘Open Microsoft Teams’ has been clicked, the user would normally be redirected to the Microsoft Teams application. Instead, the user is taken on a slight detour to the final link of this phishing attack:

hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/

Figure 4: Secondary Phishing Page

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Indicators of Compromise:

Network IOCs:
hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20
hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/
IP:
104[.]118[.]190[.]227


Keeping You Ahead of Phishing Attacks with SEG-Evasion Based Threat Intelligence

By Mollie MacDougall

As much as the phishing threat landscape continues to evolve and innovate, older phishing tactics continue to provide easy wins for threat actors and reach end user mailboxes. At Cofense, we see a mix of new and unique phishing campaigns as well as those that leverage tactics, techniques and procedures (TTPs) that have been around for years.

Cofense has long been dedicated to confronting the painful truth that secure email gateways (SEGs) cannot and do not protect against all types of phishing attacks all of the time, no matter how ‘advanced’ their ML, AI or other detection models. There is always a balance between protection and ensuring potentially legitimate emails, critical to daily business operations, are not blocked. While SEG vendors, such as Proofpoint, Microsoft, Symantec, and Mimecast (to name a few) are constantly playing whack-a-mole in a reactionary manner to new and innovative tactics used by attackers, it is next to impossible for them to block and defend against attackers that continue to use known and legitimate services. This is a truth that attackers know and exploit every. single. day.

This is why we have worked with organizations across all sectors and regions to identify, report, and action phishing campaigns that successfully reach inboxes. Whatever the size or focus of your business, you are unfortunately a target of phishing threat actors.

And while it is true that no silver bullet network defense technology exists to solve the problem of phishing, there are steps that we can take to ensure that we are proactively defending against emerging phishing threats.

Cofense Intelligence provides organizations with this visibility, specifically focusing on the phishing campaigns and tactics, techniques and procedures that are successfully evading secure email gateways and other perimeter defense technology to reach the employees they target.

At its core, threat intelligence is simply a decision-making tool for any organization. What network communications do we need to block? What malicious domains should our users never visit? How are threat actors deploying malware onto compromised systems, and how can our team ensure those delivery tactics are prevented or neutralized? It must be reliable, it must be relevant, and it must be actionable. These are the primary values underpinning Cofense Intelligence.

Our focus on phishing threats ensures our expertise. By prioritizing campaigns that are evading SEGs, we ensure that Cofense Intelligence is relevant and of high value to our customers. In vetting our intelligence – down to every individual indicator of compromise we send – we provide a feed that you can trust. And by delivering our intelligence by API, it can be easily consumed into the technology you already have and use to monitor your networks for suspicious activity, ensuring our intelligence is actionable.

We endeavor to support your organization’s phishing defense at every level, and we provide a range of strategic and trend-based reports to help you align your resources to combat the threats most likely to target your organization. As our analysts constantly analyze new phishing campaigns, we send verified campaign-based Intelligence via our API feed daily, helping you stay ahead of the threats as they evolve.
Cofense is currently offering 90 days of free access to Cofense Intelligence to eligible [1] organizations. To sign up, visit: https://cofense.com/free-access-intelligence/

[1] Eligibility requirements include, but are not limited to: the organization has not been a Cofense Intelligence customer within the past six months; the organization uses one of the following platforms – Anomali, EclecticIQ, RecordedFuture, ThreatConnect, ThreatQ, QRadar, Splunk, Demisto, Swimlane, Phantom, Minemeld.

Phishes Found in Proofpoint-Protected Environments – Week Ending May 10, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically quarantined by Cofense Triage and Cofense Vision.  

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.   

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint.  

TYPE: Credential Theft 

DESCRIPTION: Finance-themed phishing attack delivering an embedded link to a website designed to look like a webmail portal that attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Invoice-themed phishing attack delivering a PDF which leads to a Microsoft SharePoint-hosted Excel spreadsheet, which then attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack delivering a Dropbox link to a PDF that eventually leads to a website that attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack spoofing the IRS and delivering an embedded link that leads to a website designed to steal Adobe login credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack delivering a Dropbox link to a PDF that eventually leads to a Google Docs-hosted page that attempts to steal email credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack delivering a .HTM attachment which leads to a website designed to steal Microsoft email credentials.

TYPE: Credential Theft

DESCRIPTION: Security warning-themed phishing attack delivering an embedded link spoofing Twitter that leads to a website designed to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Coronavirus-themed phishing attack spoofing a public health agency and delivering an embedded link that leads to a website designed to steal credentials.

TYPE: Credential Theft

DESCRIPTION: Coronavirus-themed phishing attack spoofing a bank and delivering an embedded link designed to look like a shared document but that attempts to steal credentials.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing attack delivering a link designed to look like a Microsoft SharePoint-hosted document but leads to a page that attempts to steal Microsoft credentials.

TYPE: Credential Theft

DESCRIPTION: Notification-themed email that spoofs Microsoft Outlook delivering an embedded link that leads to a website designed to steal Microsoft credentials.

TYPE: Credential Theft 

DESCRIPTION: Document-themed phishing campaign spoofing a construction design and build organization delivering embedded Microsoft OneNote links that lead to a website crafted to steal email credentials.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack.

Recommendations

Cofense recommends that organizations train their personnel to identify and report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.


A Not So Relieving Tax Relief Email: Threat Actors Take Aim at US Stimulus Efforts

By Ashley Tran, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest a variety of email credentials specifically from United States citizens.

Countries all around the world are providing relief programs to their citizens to help alleviate the financial strain as a result of the COVID-19 pandemic. This threat actor, however, targets US relief efforts and the citizens who need it most. This email campaign uses the logo of the Internal Revenue Service (IRS) to bolster its credibility.

Figure 1: Email Preview

The threat actor made both the subject and sender information eye-catching, as seen in Figure 1. The email appears to be from ‘IRS GOV’ regarding the subject “Tax Relief Fund,” which would be enough to gain the attention of anyone, especially those who may not have received their relief or need more. Upon clicking into the email, users are presented with the following message, as seen in Figure 2 below.

Figure 2-3: Email Body

Despite the image missing from this email sample, assumed to once have been a DocuSign logo based on the image description, the email may appear legitimate at first glance. The IRS has sent a secure document via DocuSign along with a security code to view it, but it must be used soon as it will “expire.” The email is also marked “High Importance.”

A closer look at the body of the email reveals many warning signs that this email is a phish. Anyone acquainted with DocuSign would know this is not what an invitation from the service looks like. Not to mention there is odd spacing and capitalization in the text – atypical for professional emails. There is also mention of a security code that must be used “before expiration,” a common social engineering tactic used to elicit a sense of urgency.

The link found in the email, “View Shared Folder,” redirects users to the phishing site located at:

hxxp://playdemy[.]org/office/doc-new

Figures 4-5: Phishing Page and Confirmation Page

Figures 4-5 are examples of the first page users will see upon navigating through the link found in the email. The page is a simple DocuSign page prompting for the user’s email address in order to access the promised document. Visually there aren’t many differences compared to DocuSign’s website, other than the incorrect URL displayed in the address bar. However, the threat actor may have intentionally used a .org-based domain to make it appear safe, as many end users have heard .org top-level domains are “secure.”

Should a user proceed to enter their email address on this page, they are prompted once again to verify the information before being redirected to the next step of this attack.

Figures 6-7: AOL login page

The next step involves redirecting users to a phishing page based on their email provider. In Figures 6-7 above, we used a dummy AOL email and were redirected to an AOL phish. The attacker’s AOL login page rivals the look and feel of AOL’s — the only real difference is the incorrect URL in the address bar. The email entered in the first step is already pre-filled as well. The same occurs with other email providers entered in the first step of the attack. Figures 8-10, for example, show the Gmail phish that users are redirected to if that was the email provider they entered.

Figures 8-10: Alternative Gmail Phish

Should a user enter an email address to proceed this far, the threat actor has made sure to ask for further compromising information, as seen in Figure 10: a recovery number or recovery email address per their back-up login information.

Figure 11: Final Destination

Regardless of the email address, and should the user enter this information, users are then redirected to an unexpected document; in lieu of the promised “Tax Relief Fund,” they see a completely unrelated academic paper hosted on Harvard Business School’s website. This is a common tactic, designed to confuse users into thinking there is nothing amiss, that perhaps this was a mistaken exchange or they received the wrong document in error and must wait for further contact.

Further analysis of the website utilized for this attack yielded further information on the attack and the actors behind it.

Figure 12: Open Directory

Upon navigating to the main domain, as shown in Figure 12, an open directory appears. While the file Chetos.php is password protected at present, the file 039434.php exposes a greater security threat that can be observed in Figure 13, a web shell.

Figure 13: WebAccess Shell

A malicious web shell begins with an attacker methodically installing the script for the shell on the targeted site, either by SQL injection or cross-site scripting. From there the web shell is used by attackers to maintain persistent access to a compromised website without having to repeat all the work of exploiting the same vulnerability they used the first time – in short, a backdoor. They can remotely execute commands and manage files, which they abuse to carry out their attacks, such as a phishing attack.
As observed in Figure 13, investigation of the shell reveals files from the open directory are displayed, last modified 2020-04-24 by “owner/group” “njlugdc”, otherwise known as the attacker. The real guts of this attack, however, can be found within the directory path office/doc-new seen in Figure 14.

Figure 14: office/doc-new Directory

Within the directory are the many steps in what appears to be a simple phish. There are multiple email-branded folders such as “a0l”, “earthl1nk”, “gma1l,” all of which help the threat actor target email clients. Each of these email-branded folders hosts a phish that is specifically tailored to that brand, allowing for a more “authentic” experience that lulls users into a sense of security.

Figure 15: Code Behind the Attack

Figure 15 demonstrates the code behind the attack that sanitizes user input to determine which of these phish a user is redirected to, along with the associated email brand logo to display during the redirect process.

Figure 16: Threat Actor Emails Exposed

Within the files contained in this web shell, the threat actor’s emails are displayed. Figure 16 shows the code of the Email.php file and the information exfiltrated from users during the phishing attack, which is sent to:
techhome18[@]gmail[.]com
we.us1[@]protonmail[.]com

Although the identity of the attacker behind this IRS phish is unknown, it is evident they took care to carefully craft this attack and chose to exploit a current event that is closely followed by Americans in an attempt to successfully steal as many log-in credentials as possible.

Network IOC: hxxp://playdemy[.]org/office/doc-new
IP: 206[.]123[.]154[.]15
