Share:

By: Kian Mahdavi, Cofense Phishing Defense Center

With the influx of remote workers, it’s a perfect opportunity to flood people’s inboxes with malicious emails and fake links. The Cofense Phishing Defense Center (PDC) recently uncovered a phishing campaign that targets employees to harvest their Microsoft credentials. Ironically, the phish was found in an environment protected by Microsoft’s own secure email gateway (SEG). The phishing email, which was reported to the PDC using the Cofense Reporter button, included a well thought out “AudioChat” notification link supposedly from Microsoft Teams.

Teams is one of the most popular platforms for remote employees. Predictably, the threat actors have taken this into consideration – especially during the COVID-19 pandemic with millions of people teleworking. We expect this trend to continue with similar communication platforms.

Figure 1: Email Body of an official Microsoft Teams example notification

Figure 2: Email Body of illegitimate Microsoft Teams notification

Credit where credit’s due, we were impressed by the effort of the threat actor and their high-quality social engineering tactics. The subject line reads “Chat Message in Teams”- is this just an ordinary notification?

The email content has perfect similarities between Microsoft’s services; in particular, it incorporates matching font size and color as well as the overall layout. The email also includes the generic ‘tips’ section towards the bottom half of the message, evident above in Figure 2. However, there’s a catch: despite the solid efforts of the email content, there are a few tell-tale indications this is a phish. The most obvious sign is the sender’s lengthy spoofed email address:

matcnotification[.]teamadmin_audidsenderderweeu44we7yhw[@]ssiconstructionnw[.]com

The words “notification” and “teamadmin” have been skilfully included within the account name. But more importantly, the TLD – “ssiconstructionwn” – does not contain the all-important ‘Microsoft’ reference. No prize for guessing, it is a construction company located in Seattle, Washington that the attacker has spoofed. Since the TLD is from a legitimate source, not only does it pass basic email security checks, such as DKIM and SPF, but also provides HTTPS displaying the essential green lock to the left of the URL, located below in Figure 3 – a valiant effort on behalf of the threat actor.

On top of that, the text displays: “Teammate sent you an offline message.” Notice the message practices a generic word: “teammate” rather than the specific name of the sender. Contradicting itself, the email includes an initial (JC) of the supposed sender within the avatar, further hindering the legitimacy of the email and raising suspicion.

As mentioned above, the user is requested to click on the “16 second AudioChat,” and once hovered, displays the following link:

hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20

The user’s email address (now redacted) is embedded into the above URL. Companies often use various email protection solutions, and as a result, URLs are often packaged with security phrases. In this phishing campaign, the email contains the words “safelinks.protection” planted at the very beginning of the hover link. This could trip up inquisitive readers who might overlook the rest of the URL and click.

Figure 3: Initial Phishing Page

The phishing page above, where users are forwarded, adheres to Microsoft’s protocol (an almost picture-perfect replica); of course, we are overlooking the forged URL within the web-bar. Once ‘Open Microsoft Teams’ has been clicked, the user should have been automatically redirected to the Microsoft Teams application. Instead, the user is taken on a slight detour to the final link of this phishing attack:

hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/

Figure 4: Secondary Phishing Page

Once credentials have been supplied, the campaign redirects the user to the authentic ‘office[.]com’ webpage, which could even be enough to assure users it was a genuine procedure. A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.

Indicators of Compromise:

Network IOC IP
hXXps://us19[.]campaign-archive[.]com/?u=0dce22c9638fc90b5c17ea20a&id=6652f42d20
hXXps://imunodar[.]com/wp-content/plugins/wp-picaso/Teams/
104[.]118[.]190[.]227

 

How Cofense Can Help

Visit Cofense’s Remote Work Phishing Infocenter to stay up to date as threats evolve. Our site is updated with screenshots of real phish that have evaded secure email gateway detection and other helpful resources so you can help keep your organization protected.

 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.