Credential Phishing Attack Hosted on Atlassian Confluence

September 23, 2021

Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known brands. A rising trend is attackers frequently like to use links leading to shared documents on Google Docs or Dropbox to steal credentials.

This attack is the first we’ve observed hosted on a Confluence page and while much less common, shows how attackers are willing to try nearly everything to steal your information and money.

Summary of Attack Target

  • Target: Prominent Healthcare System
  • Platform: Office 365
  • Victims: Hospital Administrators
  • Payload: Phishing Link
  • Technique: Credential Theft

About the Confluence Phishing Attempt

Utilizing the compromised account of a trusted lawyer out of a notable firm, cybercriminals began their spear-phishing campaign by attacking an equally noteworthy health care system. This may have been an attempt to steal valuable personal information—something that is highly prevalent in healthcare systems and makes them a prime target for attack.

The spearphishing, or highly targeted, email disguised the malicious web page with a seemingly innocent RFP—a new method of attack that has seen increasing use over the last year. The use of the phrases secure link and please do not share this email offer a sense of security and trustworthiness, indicative of suspicious behavior.

Confluence attack email

Once the link is clicked, the recipient is taken to a Confluence web page where the malicious file is stored. Here, the recipient is greeted with more suspicious wording including SECURE FILE and This document is protected for your view only. By attempting to create a relationship of trust and security with the recipient, attackers are able to successfully entice recipients to click on the malicious links.

Confluence attack landing

While the malicious OPEN HERE link was removed prior to Abnormal investigating this email, we can determine that it was likely leading users to a phishing website where they would be required to enter their credentials to their Office 365 account in order to see the RFQ. Email credentials are typically the most valued by threat actors, as they can hijack existing conversations and send additional phishing emails from the compromised account.

Alternatively, this link could have led to an impersonated Confluence page, where the user would enter their Confluence credentials in order to access the PDF. Once entered, the threat actor would have access to the organization’s Confluence workspace where they could view all internal documentation about the healthcare organization and potentially gain access to other, more private systems that contained personal patient information.

Why the Confluence Attack Bypassed Existing Security Infrastructure

Attackers are constantly looking for new ways to compromise targets and are adapting their methods to seem more official and real. Atlassian Confluence is one of many different applications that are used throughout the professional world and is one way that teams create and collaborate across a network of distributed employees.

Confluence is best known as a place to organize and share work, and while it is not used solely for file sharing, that is a key component of the system. Attackers took advantage and staged the malicious payload under the guise of an application that they knew the target would recognize. In addition, placing the phishing link on another site allowed the original email to bypass traditional security systems, which typically look only at the first link to determine malicious intent.

Despite the attempt cybercriminals made, Abnormal Security was able to detect several different indicators that the email was likely an attack.

Confluence attack analysis

Abnormal detected the unusual sender domain and the fact that all recipients were bcc’d—a common technique of attackers. Furthermore, Abnormal noticed the suspicious link, which redirected to another webpage. These different facets of attack, alongside thousands of other signals, were detected through the behavioral models and AI technology on which the Abnormal platform is built.

While Abnormal stopped this attack for the healthcare system, other recipients who were bcc’d may have fallen victim to this credential phishing attempt, particularly if their organizations regularly use Confluence for documentation. This attack would be particularly effective for organizations that regularly communicate with the original sender and who may be expecting an RFQ to be sent from them.

Are you prepared to stop credential phishing attacks from compromised accounts? See how Abnormal can help by requesting a demo today.

Previous
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Next
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More

Related Posts

Blog engineering cybersecurity careers
Cybersecurity Careers Awareness Week is a great opportunity to explore key careers in information security, particularly as there are an estimated 3.1 million unfilled cybersecurity jobs. This disparity means that cybercriminals are taking advantage of the situation, sending more targeted attacks and seeing greater success each year.
Read More
Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More
Blog yellow skyline
No one wants to receive an email from human resources that they aren’t expecting. After all, that usually means bad news. And when we think there may be bad news, cybersecurity training tends to fall by the wayside. Threat actors know this, and they’re taking advantage of human emotions.
Read More
Blog rising building
There is little doubt that business email compromise and other advanced email threats are causing significant damage–both financial and reputational—to organizations worldwide. Because these never-before-seen attacks contain few indicators of compromise, they evade secure email gateways and other traditional email infrastructure...
Read More