Phish Found in Proofpoint-Protected Environments – Week Ending August 30, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week’s sampling focuses on our finances, with payments, invoices, and taxes luring recipients to click. Organizations with solid awareness and reporting programs reap the benefits of human intelligence that technology can’t match.

phishing example uses a finance theme to perform credential theft using a .html attachment

TYPE: Credential Theft

DESCRIPTION: Everybody wants to get paid. And when an email arrives with a confirmation request, how can you resist? Fortunately, the recipient of this phish did resist. They reported it and protected their credentials, as the attached HTML file was spoofing a Microsoft login page.
Humans – 1
Technology – 0

phishing example uses a shipment theme to deliver loki bot with a linked image

TYPE: Malware – Loki Bot

DESCRIPTION: Looks like an invoice. Sounds like an invoice. It’s not an invoice. This phish embeds an image that only looks like an invoice, but actually links to GuLoader, which will install Loki Bot. Cofense has been seeing Loki Bot for over 3 years.

phishing example uses an invoice theme to deliver a link to the bazarbackdoor malware

TYPE: Malware – BazarBackdoor

DESCRIPTION: Talk about bizarre. Or, in this case, Bazar. This phishing attack tells us we’re tardy on our payments and sends us to a macro-enabled Microsoft Office document hosted on Google Docs. From there, the macros install the recently discovered BazarBackdoor, believed to be the work of the same developers as TrickBot. Once again, human intelligence delivers where technology falls short.

phishing example uses a linked image to deliver async remote access trojan

TYPE: Malware – Async RAT

DESCRIPTION: And still the payments flow. In this case, a simple banking confirmation using a linked image with a GuLoader to Async Remote Access Trojan attack chain. The creator of this malware – NYANxCAT – is a threat actor Cofense has discussed in the past.

phishing example uses a tax theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: They say nothing is certain but death and taxes. We’d still rather receive an email notification of the latter over the former. In this case, though, our relief is short-lived, thanks to a credential harvesting attack hosted on Microsoft OneDrive.

phishing example uses an accident report theme to perform credential theft with a .html attachment

TYPE: Credential Theft

DESCRIPTION: Accidents happen, and when they do, lawyers can be of great assistance. This phishing attack posing as an accident report from a lawyer is an accident waiting to happen, however. The attached HTML file is designed to steal Office 365 credentials. Another near miss, thanks to an attentive human.

phishing example uses a finance theme to deliver a malicious ppsx attachment with an embedded url

TYPE: Malware – URL

DESCRIPTION: Here’s an excellent example of a reply chain that really makes the attack look like a legitimate email thread. We may not even notice the attachment is a Microsoft PowerPoint Show – an odd way of requesting payment. Again, technology didn’t pick this up, but an astute human did. Better luck next time, Skynet!

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Sample phish uses a shipping theme to deliver a credential stealing link

Phish Found in Proofpoint-Protected Environments – Week Ending August 23, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. With a preponderance of XXE attachments being used to reach inboxes, organizations would be best served by restricting these attachments manually as well as inventorying their archive management tools, such as WinRAR, to assess their risk.

sample phish uses an embedded image linked to agent tesla

TYPE: Malware – Agent Tesla

DESCRIPTION: This German-language, quote-themed phish uses a linked image that looks like a quote but leads to the Agent Tesla Keylogger. Cofense has written about the commercialization of Agent Tesla, bringing malware to the masses.

Sample phish uses a shipping theme to deliver a credential stealing link

TYPE: Credential Theft

DESCRIPTION: Delivery-themed phish are a global phenomenon, as this French-language email delivers embedded links to lure a recipient into clicking and giving up their credentials. Just report as phish and delete, s’il vous plait.

sample phish uses a banking theme to deliver the remcos rat with a .xxe attachment

TYPE: Malware – Remcos

DESCRIPTION: This finance-themed attack continues the recent surge in the use of .xxe archives to get malware into inboxes. This phish delivers the Smoke Loader that will then install both the Remcos and NetWire Remote Access Trojans. Talk about a double-whammy!

sample phish with a billing theme delivers remcos rat via .xxe attachment

TYPE: Malware – Remcos

DESCRIPTION: Another .xxe example with a similar look and feel as the previous, but using a shipping theme. In this case the Remcos Remote Access Trojan is delivered by the GuLoader malware held within the delivered archive.

sample phish with a finance theme uses a .xxe attachment to deliver the smoke loader

TYPE: Malware – Smoke Loader

DESCRIPTION: Another finance-themed phish. This one spoofing a bank to deliver… you guessed it… another .xxe archive. This one installs the Smoke Loader malware, which Cofense used to see delivered via Microsoft Office exploits. It seems you can teach an old dog new tricks.

sample phish uses a shipping theme to deliver a .xxe attachment to install remcos rat

TYPE: Malware – Remcos

DESCRIPTION: While it normally only takes 3 examples to indicate a pattern, we have a 4th XXE archive delivery this week. Another finance-themed phish that delivers a GuLoader to download and activate the Remcos Remote Access Trojan.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending August 16, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note a preponderance of malware this week, both via attachment and image links. With security teams overloaded with phishing response, perhaps Cofense Intelligence can help?

sample phish delivers a .xxe attachment that uses guloader to install the remcos remote access trojan

TYPE: Malware – Remcos

DESCRIPTION: This phish reminds us of an important lesson: always do the needful. This does not include extracting the attached .xxe file, since that will execute GuLoader and download the Remcos Remote Access Trojan. And who needs that?

sample phish uses an image link to deliver the pyrogenic stealer

TYPE: Malware – Pyrogenic Stealer

DESCRIPTION: It’s a good thing the confidentiality notice in this email absolves the sender of any virus being passed on. This payment-themed phish provides what looks like a poorly rendered PDF, but is instead an image with a link to a Pyrogenic Stealer download.

sample phish uses an image link to deliver the nanocore remote access trojan

TYPE: Malware – NanoCore

DESCRIPTION: Another image link designed to look like an attachment. This one includes a very friendly “DOWNLOAD” instruction. Very helpful if you’re looking to download the NanoCore Remote Access Trojan, something we saw resurface in March of 2018.

sample phising in the finnish language uses an embedded url to deliver agent tesla

TYPE: Malware – Agent Tesla

DESCRIPTION: This phish is bad from start to finish (see what I did there?). Promising a shipping document with tracking number, it actually delivers a link to the Agent Tesla keylogger. Our Phish Fryday podcast gave it some good coverage earlier in the year.

sample phish delivers the wsh remote access troja with an embedded url

TYPE: Malware – WSH RAT

DESCRIPTION: Hoping to keep your balance up to date? Be careful what you wish for. This payment-themed phish delivers a link to the WSH Remote Access Trojan. We discussed this variant of the Houdini Worm back in 2019.

sample phish in italian delivers a jnlp file leading to the ursnif malware

TYPE: Malware – Ursnif

DESCRIPTION: My Italian is a bit rusty. Ok, non-existent. But a translation tells me this is a refund from the Italian social security agency. The attached .jnlp shortcut file leads to a JAR Downloader that then installs and runs the Ursnif malware. We’ve seen Italian speakers targeted with Ursnif before.

sample phish steals credentials with a dropbox hosted pdf

TYPE: Credential Theft

DESCRIPTION: You knew we wouldn’t make it through an entire post without a credential phish. This attack leverages trust in the Dropbox logo but actually uses Google Cloud Storage to host a linked PDF. The supposed “business proposal” will steal your credentials faster than you can say trusted cloud storage.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishing Threat Preys on Desperate Business Owners

By Kyle Duncan and Noah Mizell, Cofense Phishing Defense Center

For the past few months, businesses across the nation have suffered from the financial strain brought on by COVID-19. Government relief has become a major concern as businesses struggle to stay afloat. The Cofense Phishing Defense Center (PDC) has taken notice of a new phishing campaign that once again aims to abuse Covid-related fear and uncertainty. This campaign imitates the U.S. Small Business Administration (SBA) to harvest the credentials of business owners who may be expecting the administration’s assistance.

While the spoofed address for this attack is one the SBA uses and is even listed on their website, one brief look at this example’s “Received” path shows it did not originate from the SBA.

Figure 1-2: Email Header

These first four stops on the email’s Received path indicate that the email originated from Japanese email servers. This can not only be seen in the Received path but also in other fields of the header information. The Japanese IP address is seen in the Authentication-Results-Original and the Japanese domain can be seen in the Message-ID in some cases.

Figure 3-4: Email Body

The email body of this phish is very clean and well-constructed. Barring the excessive use of commas, the email looks legitimate at a glance. The threat actor has even compiled legitimate logo images and contact information to help sell the deception. Small business owners who have applied for federal aid would be hopeful and relieved to see this message in their inbox.

When you hover over the “Review and Proceed” button, however, the facade falls. Instead of sending users to SBA.gov, this button will redirect to the phishing page:

hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/

The phishing page at this URL redirects to an SBA phishing login page with similar logo, positioning, and details to the real site. While the phishing domain differs, the threat actor has notably attempted to mirror the URL structure from the legitimate SBA’s login URL by tossing in ‘covid19relief’ into the directory name.

Figure 5: Phishing Page

Upon entering their login credentials, users are then redirected to the official SBA website, specifically the login page as seen in Figure 5.

Figure 6: Official Small Business Association Page

Instead of receiving aid, business owners who fall for the scam give away their credentials—adding insult to injury.

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops phishing attacks that elude email gateways.

Network IOC  IP  
hXXps://ion-homes[.]com/sba/covid19relief/sba.gov/ 173.231.209.178
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending August 9, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. This week sees a variety of the same ol’, same ol’. Logistics spoofs, trusted cloud storage, and finance themes. Good thing humans can be trained to detect these things.

phishing example delivers a zipped jnlp java downloader to then deliver ursnif banking trojan

TYPE: Malware – Ursnif

DESCRIPTION: Threat actors in this connected age love to spoof logistics companies. This example warns of a package being returned to the sender. The attached, zipped .jnlp shortcut file leads to a JAR Downloader that runs the Ursnif malware. This is one package you do not want to receive.

phishing example of credential theft using dropbox link

TYPE: Credential Theft

DESCRIPTION: Cloud storage is certainly convenient for sharing files with friends and colleagues. Attackers think so, too. This one uses Dropbox to deliver a credential phishing page to the recipient. How convenient is that?

phishing example uses a delivery spoof with a link to credential theft page

TYPE: Credential Theft

DESCRIPTION: These attackers really stepped up their game with a convincing looking phish mimicking another logistics company. If only it hadn’t come from a Hotmail account.

phishing example uses an image link to direct the recipient to the pyrogenic stealer

TYPE: Malware – Pyrogenic

DESCRIPTION: It may look like a PDF, but this finance-themed phish actually delivers a linked image that appears to be an attachment. The link leads to the Pyrogenic Stealer.

phishing example of OneDrive link to download agent tesla keylogger

TYPE: Malware – Agent Tesla

DESCRIPTION: Here’s your quote for the day: beware of emails bearing malware. This attack identifies as a quote but delivers the Agent Tesla Keylogger via an embedded URL.

phishing example uses a coronavirus theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: They say rest and exercise are good for you, but this exercise starter kit from HR is really at the other end of the scale. The provided link takes the recipient to a web page designed to steal their credentials. That’s sure to get your heart rate up.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending August 2, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. We note quite a bit of spoofing this week. Attackers know if they can get their phishing attacks into a user’s inbox, they still need to convince the user to click. If you need help raising the awareness of your users, check out some of our free resources.

phishing example invoice theme delivers pyrogenic stealer with embedded link

TYPE: Malware – Pyrogenic

DESCRIPTION: For such a polite email is carries an awfully impolite payload, as this finance-themed phish uses an embedded URL disguised as a PDF to deliver the Pyrogenic Stealer.

phishing example uses PDF attachment to perform credential theft.

TYPE: Credential Theft

DESCRIPTION: Spoofing an international logistics company, this phish delivers an attached PDF with embedded links to a credential phishing site.

phishing example of a purchase order link that delivers nanocore remote access trojan

TYPE: Malware – NanoCore

DESCRIPTION: Everyone knows Dropbox is a legitimate cloud storage provider so, when we get a purchase order hosted on Dropbox, we click it. At least, that’s what the attacker hopes. In this attack, an archive holding the NanoCore Remote Access Trojan is downloaded. We’ve been discussing the use of Dropbox in phishing attacks for over 5 years.

phishing example spoofs logistics company to deliver avaddon ransomware and raccoon stealer

TYPE: Malware – Avaddon

DESCRIPTION: Another spoof of a major logistics company. This one really delivers. Using an embedded URL it delivers the Smoke Loader that then downloads Raccoon Stealer and Avaddon Ransomware. Read more about ransomware trends.

phishing example spoofs a voicemail delivers htm attachment to perform credential theft

TYPE: Credential Theft

DESCRIPTION: Stop me if you’ve heard this one. A spoofed voicemail notification uses an attached .htm file to mimic a Microsoft page to steal credentials. Voicemail notification phish are nothing new, but still reach users regularly.

phishing example delivers remcos rat using an xxe archive

TYPE: Malware – Remcos

DESCRIPTION: Self-quarantines and remote work arrangements seem like a recipe for increased deliveries and this phish takes advantage of that. Another logistics company spoof offers an invoice as a lure. In a rare twist, the attack delivers a .xxe archive that contains GuLoader, which will install the Remcos Remote Access Trojan.

phishing example uses box.com to deliver ursnif malware

TYPE: Malware – Ursnif

DESCRIPTION: Another attack relying on trust in a popular cloud storage provider. This one includes a link to a .js file that downloads and executes Ursnif. Are we having trust issues?

phishing example delivers password-protected zip to install icedid banking trojan

TYPE: Malware – IcedID

DESCRIPTION: If it is protected by a password, it must be secure. That’s the lure this attacker uses to convince the recipient to open the attached .zip archive, enable the macros in the provided Microsoft Office document, and install the IcedID trojan. It’s a blast from the past, as we wrote about password-protected ZIP files in phishing attacks way back on 2011.

phishing example spoofs small business administration sba with coronavirus theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: While we hoped to get through an entire week’s blog without a COVID-19 example, it wasn’t meant to be. This phish pretends to be from the US Small Business Administration with details about an approved funding request. The embedded URL leads to a credential phishing page. Recipients should keep their mouse at least 6 feet away from the link.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Threat Actors Bypass Gateways with Google Ad Redirects

By Dylan Main and Harsh Patel, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that attempts to steal Office 365 login credentials by luring employees to accept a new Terms of Use and Privacy Policy. This new campaign has been seen across multiple organizations and uses advanced techniques to garner employee login credentials, including a Google Ad Services redirect to fool email gateways.

Figure 1: Headers

The originating IP in the headers of this email proved its source was coming from a legitimate account with the ‘from’ address “info@jtpsecurity[.]co[.]za” It appeared as though this email address was compromised and then used to send the phish to multiple employees. The word “security” in the from address could potentially lull the user into trusting the email’s origin.

Figure 2: Email Preview

At first glance, the user will see “This message was sent with High Importance.” Again, the from address contains the word security and the subject talks about a “Recent Policy Change,” creating urgency to click and handle the matter immediately.

The email body talks about accepting the newly updated “Terms of Use & Privacy Policy.” Also, it notes how this new policy will affect personal data and discontinue all active services on the user’s account. Curious users will likely want to “Learn More.”

Figure 3 shows the URL embedded in both buttons, “Accept” and “Learn More”:

Figure 3: URL redirect of the buttons

As seen in the above figure, the threat actor has utilized a Google Ad Services redirect to pilot users to their phish. This suggests that the threat actor(s) may have paid to have the URL go through an authorized source. In turn, this easily bypasses secure email gateways and exposes employees to the phish.

Upon clicking on either button, users are redirected to a duplicate of the real Microsoft page at the URL:

hXXps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/common/oauth2-authorize

 On this page users are presented with a pop up of the privacy policy the email mentions. In this window there are two notable logos as well, a Microsoft logo and the user’s company’s logo, in a bid to make this page appear that much more legitimate. Scrolling through the text box you can see the Privacy Statement was taken from Microsoft’s website.

Figure 4: First Page of the phishing attack

After accepting the updated policy, the user is then redirected to a Microsoft login page, which impersonates the Office 365 login page. An employee who enters their credentials and clicks “Next” will have sent the Threat Actor(s) their Microsoft credentials and compromised their account.

Figure 5: Second Page (The actual phishing)

Following the login page, users find further reason to believe the update is legitimate, one more box saying, “We’ve updated our terms.” Upon clicking the “Finish” button, they’ll be all set.

Figure 6: Third Page (Post entering credentials)

Last step: users are redirected to the legitimate Microsoft page, their Service Agreement, to complete the scam. Nothing malicious here!

Figure 7: Final Page (Official Microsoft site)

LEARN MORE about the Cofense Phishing Defense Center. See how the PDC’s managed phishing response and remediation stops the phishing attacks that elude email gateways.

Indicators of Compromise:

Network IOCs IP  
hxxps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=C3seiJpC5XstooZGJBrPArsADp__a3lyH_4PTjAqoqKfonA8QASC7-_keYISV7IXcHaABzavQ-gPIAQmpAt6UwcHeNU0-qAMByANKqgTEAU_Q2dNvWCQ_LtumFUNLEz16PFVhg8cC3HmYEdlxma4KWUfGkvbdLFpKvCC92odSoiBTw9idw1iHRgreOTD1xyzoBBif4axm3JFTnekl_2_OeuLDQv0U_HzVVt10Iu5SkzsX6nGWyfUgPHIgJkxJqY4me8SG8d0nlmJ8PumQhJhze02bPmqEr4puzh2awPAoHoVPQ7QaXlbeJvf4W7Wexg1RGQ0EqMY8Z7YLfyh6tceagXiYGwWU1r3H9HuiISfj4G-RYYTABM-Sru2hAsAFBfoFBgglEAEYAJAGAaAGLoAHm9SvBYgHAZAHAqgHjs4bqAeT2BuoB7oGqAfw2RuoB_LZG6gHpr4bqAfs1RuoB_PRG6gH7NUbqAeW2BuoB8LaG9gHAMAIAdIIBggAEAIYGoAKAZALA5gLAcgLAYAMAeAS_6jY_crtxomjAdgTDg&ae=1&num=1&cid=CAMSeQClSFh3L5xTIDfFt35D8xjVEHFCYXr5NOlTRany4t_BBsFsAp3b7XCD0nSBKDirzhPVamy0H75uzx6gQxh5_rKDAlBAJWTUCf1Tqi6saFbojDtHd_R8dtCePj4ZvH0zHZWyRITLXvztggY2ibrWY9oLm5X8Wcuetvk&sig=AOD64_0L9hd4oCjDoroDTf6-7Fkon2bwsw&ctype=5&client=ca-pub-1169945711933407&adurl=https%3A%2F%2Fmicrosoftoffice-servicepolicy-onlineserver[.]comisys[.]host172[.]217[.]7[.]226
hxxps://microsoftoffice-servicepolicy-onlineserver[.]comisys[.]host/198[.]23[.]137[.]146
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 26, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Reply chain attacks are of particular note this week, as attackers use existing email discussions to lend a sense of legitimacy to their phish. Cofense saw these Zombie Phish last year and they continue to find success.

phishing example of a voicemail theme credential theft

TYPE: Credential Theft

DESCRIPTION: Here’s a voicemail-themed attack that includes a partial transcript – just enough to lure the recipient into clicking. Doing so leads to a Google Forms page that captures and exfiltrates login credentials. Voicemail spoofs aren’t new. Cofense has been blogging about them for some time

example phish spoofing tax forms for credential theft

TYPE: Credential Theft

DESCRIPTION: With due dates for taxes extended thanks to the COVID-19 situation, tax-themed phish are still effective. Posing as a Human Resources representative, this phish uses Infogram URLs to capture email login credentials.

phishing example of a reply chain attack using emotet to download qakbot

TYPE: Malware – QakBot

DESCRIPTION: Over a year ago, Cofense wrote about Emotet and its use of compromised emails to perform reply-chain attacks. This example uses an attached PDF with links to a macro-laden Microsoft Office document to deliver first Emotet and then QakBot.

phishing sample poses as an invoice but links to the pyrogenic stealer malware

TYPE: Malware – Pyrogenic

DESCRIPTION: Another example of reply-chain tactics to trick a recipient into following the embedded links to the Pyrogenic Stealer malware. This one uses a finance theme spoofing an Accounts Payable department.

sample phish uses an image link to deliver agent tesla malware

TYPE: Malware – Agent Tesla

DESCRIPTION: No one wants to miss a sale, and the attackers know it. They use a quotation theme to lure the recipient into clicking the image link to download the Agent Tesla keylogger, a piece of malware we covered last year.

phishing example of a quarantine theme credential theft

TYPE: Credential Theft

DESCRIPTION: Knowing users are becoming better trained to detect phishing attempts and to rely on existing security mechanisms, the attackers behind this phish spoof an email quarantine service to encourage the recipient to click and give up their credentials. Can your users tell the difference between your organization’s quarantine and a fake?

phish sample uses covid-19 pandemic theme to perform credential theft

TYPE: Credential Theft

DESCRIPTION: This last example for the week spoofs the Human Resources department using a Coronavirus theme to encourage the recipient to click the link and give up their credentials. Cofense put together a Coronavirus InfoCenter with numerous resources to help educate your organization on these threats.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phish Found in Proofpoint-Protected Environments – Week Ending July 19, 2020

100% of the phish seen by the Cofense Phishing Defense Center (PDC) have been found in environments protected by Secure Email Gateways (SEGs), were reported by humans, and automatically analyzed and dispositioned by Cofense Triage.

Cofense solutions enable organizations to identify, analyze, and quarantine email threats in minutes.

Are phishing emails evading your Proofpoint Secure Email Gateway? The following are examples of phishing emails seen by the PDC in environments protected by Proofpoint. Phishing threat actors continue to rely on tried-and-true methods to get their attacks into user inboxes. We discussed the latest trends recently on our Phish Fryday podcast.

example phish delivers LolKek ransomware with an xlsb attachment

TYPE: Malware – LolKek

DESCRIPTION: This phish uses an order theme spoofing Salesforce.com to deliver a Microsoft Excel Binary attachment (.xlsb). Within this file, macros are designed to download and install a recently discovered form of ransomware called LolKek. Excel Binary documents aren’t as common in general usage, but come in handy when working with large files. Or malicious attachments.

sample phish delivers Remcos remote access trojan via image link

TYPE: Malware – Remcos

DESCRIPTION: This contract-themed phish delivers an image link designed to look like an attached Microsoft Office document. Instead, it downloads a document crafted to exploit CVE-2017-11882, download a VBS script, which downloads a PowerShell script. That script then unpacks and loads a DotNET Loader that runs the Remcos Remote Access Trojan. That’s a long way of saying system compromise.

phishing example spoofs world health organization to deliver credential theft link

TYPE: Credential Theft

DESCRIPTION: Taking advantage of the current pandemic, this phish spoofs the World Health Organization to convince the recipient to click the link. Doing so prompts for credentials including “Gmail, Office, Yahoo, AOL, Outlook, and ‘other’” and then directs to a Google Drive-hosted PDF. Despite the official looking sender and logo, the body is rife with grammatical errors.

phishing example performs credential theft via image link

TYPE: Credential Theft

DESCRIPTION: Claiming to provide an attached statement, this phish uses a linked URL masquerading as a PDF attachment to direct the recipient to a Microsoft SharePoint-hosted page designed to steal credentials. Cofense continues to cover the use of trusted cloud services for untrustworthy purposes.

phishing sample delivers dridex malware via zipped attached word document

TYPE: Malware – Dridex

DESCRIPTION: This invoice-themed phishing attack promises a booking invoice but delivers a macro-enabled Microsoft Word document inside a ZIP archive. Those macros lead to the installation of the Dridex malware.

phish example spoofs HR to deliver credential theft via embedded link to sharepoint

TYPE: Credential Theft

DESCRIPTION: Still getting used to remote work? Attackers hope so, attempting to trick recipients into following their trusted Microsoft SharePoint links to a nasty end. In this case, a credential harvesting page. Cofense has put together a number of tips to help you defend your remote workers.

example phish with fax theme delivers credential theft with an htm attachment

TYPE: Credential Theft

DESCRIPTION: Just the fax, ma’am. This fax-themed phish encourages the recipient to open the attached .htm file. The file is designed to look like a Microsoft login page. The attacker is hoping to capture the login credentials of the recipient.

example phish that delivers an embedded URL for credential theft

TYPE: Credential Theft

DESCRIPTION: The Coronavirus theme is still getting some mileage among attackers. This one includes an embedded URL that will try and steal credentials for “Outlook, Office365, Gmail, Yahoo, and ‘other’” services. After providing credentials, the recipient is sent to a legitimate-looking PDF in an attempt to reduce suspicion.

Malicious emails continue to reach user inboxes, increasing the risk of account compromise, data breach, and ransomware attack. The same patterns and techniques are used week after week.

Recommendations

Cofense recommends that organizations train their personnel to identify and empower them to report these suspicious emails. Cofense PhishMe® customers should use SEG Miss templates to raise awareness of these attacks. Organizations should also invest in Cofense Triage and Cofense Vision to quickly analyze and quarantine the phishing attacks that evade Secure Email Gateways.

Interested in seeing more? Search our Real Phishing Threats Database.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.