In this attack, attackers impersonate an email from Skype in order to steal user account credentials.
Quick Summary of Attack Target
Platform: Office 365
Email Security: IronPort
Mailboxes: Greater than 50,000
Payload: Malicious Link
What was the attack?
- Setup: Skype is widely used in both casual and business settings. Because of its affiliation with Microsoft, it is a popular choice for attackers to impersonate in order to trick victims into handing over their Microsoft credentials.
- Email Attack: In these attacks, the sender impersonates an automated Skype invoice notification and uses brief language. The message notes it is for the finance department and contains a link to the supposed invoice.
- Payload: If a recipient clicks the link, they are taken to a replica of the Microsoft sign-in page, with the Skype logo placed above the sign-in form.
- Result: A recipient who enters their credentials risks exposing the sensitive information held in their personal or company email account.
Why is this attack effective?
- Convincing Email: The attack attempts to conceal itself as an automated invoice notification from Skype. The attacker includes references to the recipient’s organization and a note that the message is for the finance department. Here, the attacker is hoping that even if the recipient is not from the finance department, they will still follow the link or send it to the “appropriate” individuals. By mimicking an official application, attackers hope that the recipient will be less likely to scrutinize the content of the message and be more susceptible to the attack.
- Convincing Landing Page: The link to the supposed invoice leads to a page hosted on “web.app” whose URL contains “Skype”, in an attempt to lend the site legitimacy. The page mimics a legitimate Microsoft login page and includes the Skype logo above the login section, further increasing the fraudulent page’s credibility. Without inspecting the link, users may easily be duped into believing the page is legitimate and enter their credentials.
- Concealed and Tracked URL: The payload link is hidden behind ordinary text. When clicked, it resolves through a redirect link hosted on Branch.io, a service that conceals the real destination from the user and tracks link usage. The use of link tracking makes this attack more sophisticated: the attacker can change the destination of the redirect based on the collected click data. In this attack, the first few clicks on the link led to the Skype phishing page, while subsequent clicks were sent to the real Microsoft website. The attacker does this to bypass security measures that crawl links.
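The indicators described above (brand in the display name with an unrelated sender domain, a link hidden behind plain text, a redirect through a tracking service, a brand-named site on free hosting, and a destination that differs between fetches) can be turned into a small triage script. The following is an added example written for this page, not code from the original write-up or from any vendor; the message, the sender address and the redirect chains are constructed, and the Branch.io link domains and the brand-owner allowlist are assumptions a defender would maintain rather than facts stated on the page.

```python
"""Triage the phishing indicators described in the write-up.

Added example; all sample data is constructed and the hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "skype"
# Domains that may legitimately carry the brand (assumption: defender-maintained allowlist).
BRAND_OWNER_DOMAINS = {"skype.com", "microsoft.com", "live.com", "microsoftonline.com"}
# Hosting platforms where anyone can register a brand-named site; web.app is named in the write-up.
FREE_HOSTING_DOMAINS = {"web.app"}
# Link-tracking / redirect services whose destination the link owner can change per click.
# The write-up names Branch.io; these are assumed to be that service's link domains.
TRACKING_REDIRECT_DOMAINS = {"app.link", "bnc.lt"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the suffix sets above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_findings(from_header: str) -> list:
    """Brand in the display name while the address is not on a brand-owner domain."""
    display, _, addr = from_header.rpartition("<")
    domain = registered_domain(addr.rstrip(">").split("@")[-1])
    if BRAND in display.lower() and domain not in BRAND_OWNER_DOMAINS:
        return [f"display name claims {BRAND} but sender domain is {domain}"]
    return []


def link_findings(html_body: str) -> list:
    """Flag tracked redirect links and links whose target is hidden behind text."""
    parser = LinkCollector()
    parser.feed(html_body)
    out = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) in TRACKING_REDIRECT_DOMAINS:
            out.append(f"tracked redirect link ({host}); destination can change between clicks")
        if host and host not in text.lower():
            out.append(f"link target {host} hidden behind text {text!r}")
    return out


def landing_findings(redirect_chain: list) -> list:
    """Apply the landing-page indicator to the final hop of a resolved redirect chain."""
    final_host = urlparse(redirect_chain[-1]).hostname or ""
    if registered_domain(final_host) in FREE_HOSTING_DOMAINS and BRAND in final_host.lower():
        return [f"brand name on free hosting: {final_host}"]
    return []


def chains_diverge(first: list, second: list) -> bool:
    """True when the same link resolves to different registered domains on two fetches,
    the click-count-based evasion the write-up describes. Re-resolve at detonation time,
    not only at delivery, and treat divergence as a strong indicator."""
    last = lambda chain: registered_domain(urlparse(chain[-1]).hostname or "")
    return last(first) != last(second)


# Constructed sample modelled on the described lure; not the real message.
SAMPLE_FROM = '"Skype Invoices" <noreply@billing-notify.example>'
SAMPLE_HTML = """
<p>Invoice for the Finance Department at Contoso</p>
<p>Your Skype invoice is ready. <a href="https://xyz1.app.link/inv">View your invoice</a></p>
<p><a href="https://www.skype.com">www.skype.com</a></p>
"""
# Constructed redirect chains as a detonation sandbox might record them on two fetches.
FIRST_FETCH = ["https://xyz1.app.link/inv", "https://skype-invoice-portal.web.app/login"]
LATER_FETCH = ["https://xyz1.app.link/inv", "https://www.microsoft.com/"]


def triage() -> dict:
    return {
        "sender": sender_findings(SAMPLE_FROM),
        "links": link_findings(SAMPLE_HTML),
        "landing": landing_findings(FIRST_FETCH),
        "redirect_flips": chains_diverge(FIRST_FETCH, LATER_FETCH),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The legitimate `www.skype.com` anchor produces no finding because its visible text matches its host and its domain is on the allowlist, while the tracked link is flagged twice and the divergence between the two recorded chains is the signal that a single crawl at delivery time would have missed.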