In this attack, the attackers compromised the email account of one of the target company’s known vendors and used it to send phishing messages disguised as secure message notifications.
Platform: Office 365
Email Security: MessageLabs
Mailboxes: 15,000 to 50,000
What was the Attack?
- Setup: Many companies, such as financial institutions, send messages containing personally identifiable or confidential information through secure message services. Recipients must confirm their identity by logging in before they can view the message.
- Email Attack: The email comes from a compromised account belonging to a known vendor; the vendor’s processing department had previously corresponded safely with the recipient. The body mimics a legitimate secure message notification and prompts the user to click a link to access the supposed message.
- Payload: The malicious link first leads to a page disguised as the access point for the “secure message”. Clicking “Click to Read Message” there opens the actual phishing page, which is hosted on a simple online form builder and prompts the user to enter their email credentials.
- Result: Any email credentials submitted through the form go directly to the attacker, who can then use them to take over the victim’s account.
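The attack chain above can be caught at the notification stage by checking where a “secure message” link actually goes. The script below is an added example for this write-up, not code from the original report or from any vendor: it parses three constructed notification emails (a legitimate one, one pointing at a form builder, and one pointing at an unrelated host) and flags any secure-message lure whose link leaves the sender’s domain or lands on a free form-builder host. The vendor domain, portal allow-list and form-builder host names are all assumed for the example.

```python
"""Flag 'secure message' notifications whose links leave the sender's domain.

Added illustration for this write-up; the sample messages, the vendor
domain, the portal allow-list and the form-builder host are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases typical of secure-message notifications (constructed list).
LURE_PATTERNS = re.compile(
    r"secure message|click to read message|view (your )?secure message",
    re.IGNORECASE,
)

# Hosts where this vendor's real secure-message portal lives (assumed;
# in practice taken from the vendor's documented portal address).
PORTAL_ALLOWLIST = {"securemail.vendor-example.com"}

# Free form-builder hosts, which should never serve a login page
# (hypothetical entry for the example).
FORM_BUILDER_HOSTS = {"forms.formbuilder-example.net"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 approximation: the last two labels. Adequate for the
    constructed samples; a real deployment should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw_message: str) -> dict:
    """Return sender domain, verdict and the reasons a message was flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_addr = parseaddr(str(msg["From"] or ""))[1]
    sender_domain = registrable_domain(sender_addr.split("@")[-1])
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    findings = []
    # Only messages that use the secure-message lure are inspected.
    if LURE_PATTERNS.search(text):
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host in PORTAL_ALLOWLIST:
                continue  # the vendor's genuine portal
            if host in FORM_BUILDER_HOSTS:
                findings.append(f"form-builder host {host}")
            elif registrable_domain(host) != sender_domain:
                findings.append(
                    f"link domain {host} differs from sender domain {sender_domain}"
                )
    return {"sender_domain": sender_domain,
            "suspicious": bool(findings),
            "findings": findings}


# Constructed sample notifications (not taken from the incident).
LEGIT_NOTIFICATION = """From: Vendor Processing <processing@vendor-example.com>
To: ap@customer-example.com
Subject: You have a new secure message
Content-Type: text/plain; charset=utf-8

You have received a secure message from Vendor Processing.
Click to Read Message: https://securemail.vendor-example.com/inbox/12345
"""

PHISHING_NOTIFICATION = """From: Vendor Processing <processing@vendor-example.com>
To: ap@customer-example.com
Subject: You have a new secure message
Content-Type: text/plain; charset=utf-8

You have received a secure message from Vendor Processing.
Click to Read Message: https://forms.formbuilder-example.net/view/abc123
"""

UNKNOWN_HOST_NOTIFICATION = """From: Vendor Processing <processing@vendor-example.com>
To: ap@customer-example.com
Subject: You have a new secure message
Content-Type: text/plain; charset=utf-8

You have received a secure message from Vendor Processing.
Click to Read Message: https://secure-read-example.org/read/abc123
"""

if __name__ == "__main__":
    for name, sample in [("legit", LEGIT_NOTIFICATION),
                         ("form-builder", PHISHING_NOTIFICATION),
                         ("unknown-host", UNKNOWN_HOST_NOTIFICATION)]:
        print(name, analyse(sample))
```

The check deliberately ignores sender authenticity: a message sent from a genuinely compromised vendor account passes SPF, DKIM and DMARC and comes from a sender with a clean history, so the durable signal in this attack is the destination of the link, not the origin of the mail. The third sample shows that the domain-mismatch rule still fires when the attacker uses a host that is not on any form-builder list.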
Why is this attack effective?
- Compromised vendor: The sender is an account that has had safe correspondence with the recipient in the past. The attacker took over this account and used it to send malicious messages to the vendor’s known partners.
- Expected behavior: Users who have used secure messaging services before expect exactly the behavior the attackers imitate: being asked to verify their identity with credentials (in this case, Office 365 credentials). Because the attack follows the pattern recipients expect, they may be less vigilant about checking that the request is real.
- Convincing email and landing page: The email and landing page the attacker created were convincing. The email was structured in the same format as legitimate secure message notifications, and the same goes for the landing page.