In this attack, attackers are impersonating the CDC in order to trick victims into clicking a link which ostensibly lists cases in their area, but which actually leads to a landing page which can steal their credentials.
- Platform: Office 365
- Mailboxes: Between 1,000 and 5,000
- Email Gateway: MessageLabs
- Email Security Bypassed: Office 365
- Victims: Internal Employees
- Payload: Malicious Link
- Technique: Brand Impersonation
What was the attack?
- Setup: This attacker registered a new domain (cdc-gov.org) at the end of January from which they could send convincing-looking emails impersonating the CDC.
- Email Attack: The attacker sent an email leveraging fear and uncertainty around the novel coronavirus. The subject line (“2019-nCoV: Coronavirus outbreak in your city (Emergency)”) was designed to create a sense of urgency on the part of the victim, and the body encouraged the victim to click a link to see what was purported to be a list of cases in their city.
- Payload: The URL written in the email does not match the actual URL to which recipients were directed. This URL led to a page made to look like an Office 365 login page. Presumably, the attacker hoped that a victim would be flustered enough by the idea of outbreaks of coronavirus in their city to assume that they’d been inadvertently logged out of their Office 365 instance and enter their credentials here.
- Result: This attack was an attempt to steal users’ Office 365 credentials.
Why is this attack effective?
- Urgency: The novel coronavirus outbreak is, of course, of concern to many people, and this email heightens that urgency with the specific claim that outbreaks are occurring in the recipient’s city. The other oddities of this email (the sender domain, the mismatched link, the unexpected login page) only work if the victim is rattled enough to ignore them.
- Convincing domain: The attacker registered a domain (cdc-gov.org) specifically for this attack at the end of January. Young domains like this are typically indicative of an attack. But to someone unfamiliar with the real CDC domain (cdc.gov) and who may be reacting to the content of the email suggesting new cases near them, this email domain could look close enough to the real thing to assuage suspicions.
- Concealed URLs: The URL written in the email was ostensibly a CDC page listing cases in the recipient’s city, but the actual link took the recipient to a fake Office 365 login page. The attacker hopes that a victim, focused more on the outbreak than on the oddity of landing on this page, will assume they have been inadvertently logged out of Office 365 and enter their credentials, which the attacker then captures.
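The three signals above (a lookalike sender domain, a very recently registered domain, and a link whose visible text shows one host while its href points at another) can all be checked mechanically before a message reaches a mailbox. The following is an added example, not code from Abnormal Security or from this attack story: it runs the checks over a constructed sample message modelled on the lure described above. The landing-page host (login-portal.example.net), the sender mailbox, the registration date and the 90-day “young domain” threshold are assumptions for illustration; in production the registration date would come from a WHOIS/RDAP lookup rather than an inline table.

```python
"""Heuristic checks for the CDC-impersonation lure described in the story.

Flags: (1) a sender domain that contains the impersonated brand token but is
not the brand's real domain, (2) a sender domain registered very recently,
(3) an <a> whose visible text is a URL on one host while its href goes to
another. Added example; the sample message below is constructed.
"""
import re
from datetime import date
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the lure. The href host is a
# placeholder, not the attacker's real landing page.
SAMPLE_EMAIL = """\
From: "CDC Health Alert Network" <alert@cdc-gov.org>
To: employee@example.com
Subject: 2019-nCoV: Coronavirus outbreak in your city (Emergency)
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Confirmed cases have been reported near you. See the list here:</p>
<a href="https://login-portal.example.net/office365">https://www.cdc.gov/coronavirus/2019-ncov/cases.html</a>
</body></html>
"""

LEGITIMATE_DOMAINS = {"cdc.gov"}   # assumed allowlist for the impersonated brand
BRAND_TOKENS = ("cdc",)            # substrings that suggest brand impersonation
YOUNG_DOMAIN_DAYS = 90             # assumed threshold; tune for your environment

# Registration dates normally come from WHOIS/RDAP; constructed here so the
# example runs offline (the story says the domain was registered late January).
REGISTRATION_DATES = {"cdc-gov.org": date(2020, 1, 27)}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if none found)."""
    m = re.search(r"@([\w.-]+)", msg["From"] or "")
    return m.group(1).lower() if m else ""


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .gov/.org here; use a
    public-suffix list for real traffic (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(s: str) -> str:
    """Hostname if s parses as an http(s) URL, otherwise ''."""
    p = urlparse(s.strip())
    return (p.hostname or "") if p.scheme in ("http", "https") else ""


def analyze(raw: str, today: date = date(2020, 2, 5)) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    dom = sender_domain(msg)
    reg = registrable(dom)
    if reg not in LEGITIMATE_DOMAINS and any(t in reg for t in BRAND_TOKENS):
        findings.append(f"lookalike sender domain: {dom} (not in {sorted(LEGITIMATE_DOMAINS)})")

    registered = REGISTRATION_DATES.get(reg)
    if registered is not None and (today - registered).days < YOUNG_DOMAIN_DAYS:
        findings.append(f"young sender domain: {reg} registered {(today - registered).days} days ago")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        # Only a URL-looking anchor text can "lie" about its destination.
        if shown and actual and registrable(shown) != registrable(actual):
            findings.append(f"link text shows {shown} but href goes to {actual}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print(finding)
```

Each check is cheap and independent, which is the point: the lure only works when the victim ignores all three oddities at once, so a gateway rule that fires on any one of them does not need the victim's judgement at all. The anchor-text check deliberately ignores links whose visible text is not itself a URL (“click here”), since those cannot misrepresent a destination the way this email did.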
Abnormal Attack Stories are real-world examples of attacks that we’ve seen in the wild.