In this attack, attackers are impersonating the a representative of the CARES Act claiming they need the recipient’s signature for Paycheck Protection Program documents. Clicking on the link for the mentioned file directs the user to a landing page that will steal the recipient’s corporate Microsoft Office 365 credentials.
- Platform: Office 365
- Mailboxes: 15,000 to 50,000
- Victims: VIPs
- Payload: Malicious Link
- Technique: Impersonation
What was the attack?
- Setup: This attack leverages the current economic crisis business leaders are facing due to the coronavirus pandemic. Many companies are experiencing a major loss of revenue and risk bankruptcy. Businesses are hoping to receive Paycheck Protection Program funds from the federal government as part of the CARES Act, to alleviate some of their financial stress.
- Email Attack: The email sent by the attackers claims to be a representative on behalf of the CARES Act, and states that the user’s signature is required on the document titled “PPP_CARES_SignaturePG1-2”. The link to the alleged file directs to a convincing landing page identical to the real Microsoft Office 365 login webpage.
- Payload: The email contains a link to a Microsoft Credential Phishing website. The URL is masked with text, and takes victims to a site which attackers likely control. The first page of the landing page contains a reCaptcha Security Challenge, used to convince the user that this page is secure and authentic, and to prevent bot access to the page. After passing the security challenge, the landing page that mimics the Microsoft Office 365 login page, used to steal the login credentials for the user’s professional email account.
- Result: Should recipients fall victim to this attack, their login information for their Corporate Office 365 email would be compromised, putting sensitive information associated with this email account at risk.
Why is attack effective?
- Urgency: This attack utilizes uncertainty created by the COVID-19 pandemic, and urges the target to sign Paycheck Protection Program documents within three days of receiving the email. There is an implicit risk of a delay in receiving funds or funds withheld if the document is not signed within the time frame requested. As users may be focused on receiving these important funds as soon as possible, they may not be critical and cautious of the origins of the email nor with verifying that the sender or the link are legitimate.
- Convincing landing page: The email and landing page that the attacker created were convincing. Landing page almost replicates the true Office 365 landing page, and the featured security challenge is real. After passing the security challenge, the recipient would be convinced that this website is secure and authentic, rather than a site hosted to steal their credentials.
- Concealed URL: The URLs were wrapped with text so the user would be unable to tell if the link redirected to the authentic Microsoft login webpage. Attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid.