In this attack, attackers spoofed an email from the HR team of the recipient's own company in order to steal Office 365 account credentials.
Quick Summary of Attack Target
Platform: Office 365
Email Security Bypassed: MessageLabs
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Spoofed Email
What was the attack?
- Setup: In response to the COVID-19 pandemic, the IRS extended the 2020 tax filing deadline to July 15. This attack was received on July 10th, five days before the new deadline, and claimed that the recipient needed to verify their W2 document.
- Email Attack: The message spoofs the email domain of the recipient's company, so it appears to be an internal HR notification. The body is brief and states that the recipient must verify their W2 file. Rather than a visible URL, the email carries a .jpg image attachment with an embedded hyperlink that leads to the credential phishing page.
- Payload: The link leads to an attacker-controlled page that imitates the Microsoft Outlook login page. The recipient's work email address is already filled in, so the victim only has to enter their account password.
- Result: A recipient who enters their password hands the attacker a working Office 365 credential, compromising their mailbox contents and any other data that account can reach.
Why is this attack effective?
- Urgency: This email was received on July 10th, 2020, five days before the US tax filing deadline. On receiving it, the recipient might panic and rush to double-check their tax information, since there is only limited time to correct errors before the deadline. The urgency this creates makes recipients more likely to overlook red flags.
- Concealed URL: The payload link is carried by the .jpg image attachment rather than shown as text, so the recipient cannot read the destination URL before clicking and may not realize that the link is malicious.
- Spoofed email and landing page: The email appears to come from the HR department of the recipient's company because the attacker spoofed the company's email domain. The landing page looks identical to the Microsoft login page and is hosted on a domain registered to Microsoft, so even a recipient who inspects the URL sees a Microsoft-owned name.
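The two signals this attack relies on, a From address that claims the recipient's own domain while the receiving gateway's authentication checks do not vouch for it, and a hyperlinked image that shows no visible URL, can both be checked mechanically on a saved message. The following Python script is an added example, not code from the original post or from any vendor named on this page. It assumes the organization's domain is example.com and that the inbound gateway stamps an Authentication-Results header; the two sample messages, their addresses and the link host are constructed for the example and correspond to no real attack.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the recipient's company domain

# Constructed sample: From: claims the org's own domain, SPF/DMARC failed at the
# gateway, and the HTML body is a single image wrapped in a link with no text.
SAMPLE_EML = """\
From: HR Department <hr@example.com>
To: jane.doe@example.com
Subject: Action required: verify your W2
Date: Fri, 10 Jul 2020 09:12:00 -0400
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://login-portal.example.net/owa/?user=jane.doe@example.com"><img src="cid:w2notice.jpg"></a>
</body></html>
"""

# Constructed benign counterpart: authenticated, visible link text, internal target.
BENIGN_EML = """\
From: HR Department <hr@example.com>
To: jane.doe@example.com
Subject: W2 forms are available
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your W2 is ready on the <a href="https://hr.example.com/w2">HR portal</a>.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects every <a href> with its visible text and whether it wraps only an image."""

    def __init__(self):
        super().__init__()
        self.links = []  # (href, visible_text, image_only)
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._cur = {"href": a["href"], "text": "", "img": False}
        elif tag == "img" and self._cur is not None:
            self._cur["img"] = True

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            text = self._cur["text"].strip()
            self.links.append((self._cur["href"], text, self._cur["img"] and not text))
            self._cur = None


def parse_auth_results(header):
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {m.group(1): m.group(2).lower() for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def analyze(raw, org_domain=ORG_DOMAIN):
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    from_domain = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # Signal 1: sender claims to be internal, but the gateway could not authenticate it.
    if from_domain == org_domain:
        if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
            findings.append("From claims internal domain but neither spf nor dkim passed")
        if auth.get("dmarc") == "fail":
            findings.append("dmarc fail on internal From domain")

    # Signal 2: links whose destination the reader cannot see, or that leave the org.
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, _text, image_only in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if image_only:
            findings.append(f"image-only link with hidden target {host}")
        if host and host != org_domain and not host.endswith("." + org_domain):
            findings.append(f"link target {host} is outside {org_domain}")

    return {"from_domain": from_domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, analyze(raw)["findings"])
```

The authentication check deliberately treats a missing Authentication-Results header the same as a failure: a message that claims your own domain and arrives without your gateway's verdict is exactly the case a spoof produces. A domain that publishes an enforcing DMARC policy makes the first signal far harder for the attacker to trigger in the first place.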