VPN Notifications Used for Credential Phishing

June 3, 2020

Due to the transition to remote work during the COVID-19 pandemic, corporations have become more concerned about online security and privacy. Companies rely on VPNs to connect remote employees to vital company servers, as well as to provide secure data sharing.

Attackers are taking advantage of the situation and in this attack, they impersonate a notification from the user's organization regarding VPN configuration in an attempt to steal credentials.

Summary of Attack Target

  • Platform: Office 365
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Spoofed Email

Overview of the VPN Attack

This attack impersonates a notification email from IT support at the recipients’ company. The sender email address is spoofed to impersonate the domain of each target's organization and the link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target's company, the hyperlink actually directs to an Office 365 credential phishing website.

Multiple versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses. However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website.

Should the recipient fall victim to this attack, the user’s credentials would be compromised. In addition, the information available with the user’s Microsoft credentials via single-sign-on is also at risk—allowing threat actors access to confidential information across the company.

Why the VPN Attack is Effective

Because most employees are working from home, a VPN has become a necessity for some work-related tasks. Employees will likely be attuned to any alleged updates to their VPN configuration in order to avoid any issues completing work that requires VPN access.

This email attack impersonated the recipients’ company domain and the original landing page looks identical to the Office 365 login website. Since the phishing website is hosted on a Microsoft-owned platform, the webpage certificate is a valid Microsoft certificate. However, the URL of this site should not be trusted, and instead, users should only log in from their main company-affiliated webpage.

Abnormal detected this attack due to the unusual sender, who has never sent to this organization before, and the fact that the sender domain does not match any domains found within the body links. Combined with the unusual sender IP geolocation and the suspicious link, we can determine that this email is malicious and block it before reaching inboxes.

To discover how Abnormal can block malicious credential phishing messages for your organization, see a demo today.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More
Enhanced Remediation Blog Cover
The most effective way to manage spam and graymail is to leverage a cloud-native, API-based architecture to understand identity, behavior, and content patterns.
Read More
B 05 16 22 VP of Recruiting
We are thrilled to announce the addition of Mary Price, our new Vice President of Talent. Mary will support our continued investment in the next generation of talent here at Abnormal.
Read More
B 06 01 22 Stripe Phishing
In this sophisticated credential phishing attack, the threat actor created a duplicate version of Stripe’s entire website.
Read More
B Podcast Engineering9
In episode 9 of Abnormal Engineering Stories, Dan sits down with Mukund Narasimhan to discuss his perspective on productionizing machine learning.
Read More
B 05 31 22 RSA Conference
Attending RSA Conference 2022? So is Abnormal! We’d love to see you at the event.
Read More
B 05 27 22 Active Ransomware Groups
Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.
Read More
B 05 24 22 ESI Season 1 Recap Blog
The first season of Enterprise Software Innovators (ESI) has come to a close. While the ESI team is hard at work on season two, here’s a recap of some season one highlights.
Read More
B 05 13 22 Hiring Experience
Abnormal Security is committed to offering an exceptional experience for candidates and employees. Hear about our recruiting and onboarding firsthand from three Abnormal employees.
Read More
B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More