Credential Phishing Attack Hosted on Atlassian Confluence

September 23, 2021

Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known brands. A rising trend is attackers frequently like to use links leading to shared documents on Google Docs or Dropbox to steal credentials.

This attack is the first we’ve observed hosted on a Confluence page and while much less common, shows how attackers are willing to try nearly everything to steal your information and money.

Summary of Attack Target

  • Target: Prominent Healthcare System
  • Platform: Office 365
  • Victims: Hospital Administrators
  • Payload: Phishing Link
  • Technique: Credential Theft

About the Confluence Phishing Attempt

Utilizing the compromised account of a trusted lawyer out of a notable firm, cybercriminals began their spear-phishing campaign by attacking an equally noteworthy health care system. This may have been an attempt to steal valuable personal information—something that is highly prevalent in healthcare systems and makes them a prime target for attack.

The spearphishing, or highly targeted, email disguised the malicious web page with a seemingly innocent RFP—a new method of attack that has seen increasing use over the last year. The use of the phrases secure link and please do not share this email offer a sense of security and trustworthiness, indicative of suspicious behavior.

Confluence attack email

Once the link is clicked, the recipient is taken to a Confluence web page where the malicious file is stored. Here, the recipient is greeted with more suspicious wording including SECURE FILE and This document is protected for your view only. By attempting to create a relationship of trust and security with the recipient, attackers are able to successfully entice recipients to click on the malicious links.

Confluence attack landing

While the malicious OPEN HERE link was removed prior to Abnormal investigating this email, we can determine that it was likely leading users to a phishing website where they would be required to enter their credentials to their Office 365 account in order to see the RFQ. Email credentials are typically the most valued by threat actors, as they can hijack existing conversations and send additional phishing emails from the compromised account.

Alternatively, this link could have led to an impersonated Confluence page, where the user would enter their Confluence credentials in order to access the PDF. Once entered, the threat actor would have access to the organization’s Confluence workspace where they could view all internal documentation about the healthcare organization and potentially gain access to other, more private systems that contained personal patient information.

Why the Confluence Attack Bypassed Existing Security Infrastructure

Attackers are constantly looking for new ways to compromise targets and are adapting their methods to seem more official and real. Atlassian Confluence is one of many different applications that are used throughout the professional world and is one way that teams create and collaborate across a network of distributed employees.

Confluence is best known as a place to organize and share work, and while it is not used solely for file sharing, that is a key component of the system. Attackers took advantage and staged the malicious payload under the guise of an application that they knew the target would recognize. In addition, placing the phishing link on another site allowed the original email to bypass traditional security systems, which typically look only at the first link to determine malicious intent.

Despite the attempt cybercriminals made, Abnormal Security was able to detect several different indicators that the email was likely an attack.

Confluence attack analysis

Abnormal detected the unusual sender domain and the fact that all recipients were bcc’d—a common technique of attackers. Furthermore, Abnormal noticed the suspicious link, which redirected to another webpage. These different facets of attack, alongside thousands of other signals, were detected through the behavioral models and AI technology on which the Abnormal platform is built.

While Abnormal stopped this attack for the healthcare system, other recipients who were bcc’d may have fallen victim to this credential phishing attempt, particularly if their organizations regularly use Confluence for documentation. This attack would be particularly effective for organizations that regularly communicate with the original sender and who may be expecting an RFQ to be sent from them.

Are you prepared to stop credential phishing attacks from compromised accounts? See how Abnormal can help by requesting a demo today.

Related Posts

B 12 03 22 SIEM
Learn about Abnormal’s enhanced SIEM export schema, which provides centralized visibility into email threats
Read More
Blog phishing cover
The phishing email is one of the oldest and most successful types of cyberattacks. Attackers have long used phishing as a common attack vector to steal sensitive information or credentials from their victims. While most phishing emails are relatively simple to spot, the number of successful attacks has grown in recent years.
Read More
Blog brand cover
For those of you who have visited the Abnormal website over the last month, you’ve seen something different—a redesigned brand focused on precision. It’s new and innovative, and different from any other cybersecurity company, because it was created with one thing in mind: our customers.
Read More
B 11 22 21 AAA
At Abnormal, our customers have always been our biggest priority. Customer obsession is one of our five company values, and we live this every single day as we provide the best email security protection available for the hundreds of companies who entrust us to protect their mailboxes.
Read More
Blog microsoft abnormal cover
Before we jump into modern threats, I think it’s important to set the stage ​​since email has been around. Since email existed, threat actors targeted email users with malicious messages, general spam, and different ways to take advantage of the platform. Then of course, more dangerous attacks started to come up… things like malware and other viruses.
Read More
Blog black friday scam cover
While cybersecurity awareness is a year-round venture, it is especially important to be mindful during certain times of the year. With Thanksgiving here in the United States on Thursday, our thoughts will likely be on our family and friends and everything we have to be thankful for this holiday season.
Read More
Blog automation workflows cover
Our newest platform capabilities help customers streamline critical security workflows, like triaging phishing mailbox submissions or triggering tickets to investigate account takeovers, through automated playbooks. Doing so can decrease mean time to respond (MTTR) to incidents, further reducing any potential risk to the organization and eliminating manual workflows to save time and increase the efficiency of IT and security teams.
Read More
Blog tsa scam cover
On November 9, 2021, we identified an unusual phishing email that claimed to be from “Immigration Visa and Travel,” inviting the recipient to renew their membership in the TSA PreCheck program. The email wasn’t sent from a .gov domain, but the average consumer might not immediately reject it as a scam, particularly because it had the term “immigrationvisaforms” in the domain. The email instructed the user to renew their membership at another quasi-legitimate-looking website.
Read More
Blog pyspark cover
At Abnormal Security, we use a data science-based approach to keep our customers safe from the most advanced email attacks. This requires processing huge amounts of data to train machine learning models, build datasets, and otherwise model the typical behavior of the organizations we’re protecting.
Read More
Blog tiktok attack cover
As major social media platforms have expanded the ability of creators to monetize their content in the last few years, they and their users have increasingly found themselves the targets of malicious activity. TikTok is now no exception.
Read More
Blog ransomware guide cover
While various state agencies and the private sector keep track of ransomware attacks and related tactics worldwide, malicious actors change and evolve their ransomware strategies all the time. We’ve put together a comprehensive guide that will define ransomware, how to detect it, and what steps to take if you’ve fallen victim to a ransomware virus attack.
Read More
Blog detection efficacy cover
One of the key objectives of the Abnormal platform is to provide the highest precision detection to block all never-before-seen attacks. This ranges from socially-engineered attacks to account takeovers to everyday spam, and the platform does it without customers needing to create countless rules like with traditional secure email gateways.
Read More