In this attack, attackers infiltrate the account of a target’s known partner to steal valuable credential information.
Platform: Office 365
Email Gateway Bypassed: Proofpoint
Technique: Known partner compromise
Setup: This attack originates from a partner that has been compromised. The email infiltration is a trap set up by the attacker to steal valuable credential information and possibly breach company accounts.
Email Attack: This attack begins with the compromised partner sending what appears to be an encrypted message, which can be accessed by clicking on the specified text in the email. Hidden behind this text trap is an embedded hyperlink that redirects to a suspicious landing page, urging the recipient to download the available file. The download button redirects the victim again, and although the final landing page for this attack has been taken down, we have seen attacks like this in the past that bring the victim to a fake Microsoft sign-in page, asking for credentials to access the file.
Payload: There are two malicious link payloads in this attack. The first is hidden under the “BAYSHORE FAMILY OF COMPANIES” redirect, taking the recipient to ‘https://lily-cuervos-business-starter.webflow.io/’. This domain is not associated with Bayshore Recycling Corporation. Instead, this website hosts a fake document download page which would ultimately take the recipient to a Microsoft login landing page under the other malicious link, ‘https://toursundry.com/bayshore/onedrive-3D4/’. If the recipient does not pay close attention to these links, they could unknowingly relinquish their credentials to that attacker.
Result: If the recipient falls for this attack, their credentials will be compromised, opening up their account and any data contained to a possible breach. Additionally, this could jeopardize the data of the victim’s internal network by increasing the risk that the attacker will continue to send these phishing emails within the organization.
Compromised partner: This email is coming from the legitimate account of a partner that communicates with this customer relatively often. The originating domain of the email is an authenticated domain for this partner, and therefore is not spoofed. This indicates that the partner’s account has indeed been breached, rather than a lower-level impersonation attempt.
Urgency: The compromised partner is an account that the receiving company has interacted with several times, so the recipient will be motivated to quickly access the encrypted message and address its contents.
Convincing email and landing page: The email contains logos from the compromised partner, and provides the name, address, and contact information of the sender at the bottom. The landing pages hidden behind the malicious links are sophisticated impersonations of download and sign-in pages that an inattentive user could fall victim to.
Abnormal is the email security company that stands for trust.
© 2021 Abnormal Security Corporation.
All rights reserved.