Widespread ‘Doc(s) Delivery’ Spear-Phishing Campaign Targets Enterprises with Hundreds of Compromised Accounts

Threat researchers at Abnormal Security discovered a coordinated spear phishing campaign targeting numerous enterprise organizations last week. The attackers compromised hundreds of legitimate accounts and are sending emails from them in rapid succession to target organizations. The emails impersonate businesses such as eFax and carry personalized ‘Doc Delivery’ notifications. The embedded URLs redirect to fake, never-seen-before Microsoft O365 spear phishing pages hosted on digital publishing sites like Joom, Weebly and Quip; hundreds of such pages have been detected. When one email is detected and caught, the attackers appear to run a script that rotates the attack to a new impersonated sender and a new phishing link so the campaign can continue.

The widespread use of hundreds of compromised accounts and never-seen-before URLs indicates the campaign is designed to bypass traditional threat intelligence solutions, which rely on sender reputation and known-bad indicators: a compromised account carries a clean reputation, and a freshly created landing page is on no blocklist yet, so both are permitted into the inbox.

Example Doc(s) Delivery Attack

As noted above, the attackers are impersonating businesses such as eFax and sending emails from a compromised account (redacted). The above example is one of many similarly crafted campaigns that originate from multiple compromised accounts. While it may seem counterintuitive on the attackers’ part to send an eFax notification from an unrelated compromised account, it is a clever tactic and a problem for the organization, because attacks sent from compromised accounts bypass traditional threat intelligence based solutions. The bypass works because the compromised addresses are real, established accounts with a history of legitimate communications, so reputation-based filters treat them as known and trusted. As a result, the secure email gateway (SEG) also trusts them and delivers the messages to the employee’s inbox despite numerous malicious signals, including a well-disguised spear phishing link.

Malicious Payload

If the “View Documents” link in the phishing email is clicked, it leads to a landing page hosted on Joom, Weebly, or Quip, where the employee is asked to click another “View Documents” link. The attacker attempts to legitimize the campaign with official-looking landing pages similar to those used by eFax. If the employee clicks “View Documents” on the landing page, they are taken to a credential phishing page that attempts to steal their O365 credentials. The extra hop matters for defenders: the URL in the email itself points at a reputable publishing platform, and the actual credential harvesting page is only reached after a second redirect.

As noted above, the attackers are using more than one landing page template in an attempt to steal credentials.

Impact on Organization

Example of an Abnormal Security Threat Log for an affected customer running in Passive Mode, which has not activated auto-remediation of malicious threats.

The volume, recency and spread of phishing attempts across numerous employees and organizations indicates the attackers are determined in their efforts. As noted in the example above, the attacks are being detected and caught by Abnormal’s system on a near hourly basis across several organizations.

To further complicate matters for employees and the organization, many recipients are forwarding the phishing attempts to their personal email addresses in order to open them through personal accounts. This moves the lure outside corporate email and web controls entirely, so any credential theft that follows is invisible to the organization’s logging.

How Abnormal Stops These Attacks

Abnormal Security automatically detects and remediates attacks such as these using a combination of Identity and Content analysis.

  • Identity Signals: The attack was flagged by our system for having an Unusual Sender.
    • Abnormal learns the email addresses commonly used for internal and external communications
    • The attack was flagged because this email address had never been seen having a relationship or communicating with anyone in the targeted organization
  • Domain Link Content Analysis: The attack was flagged for containing a suspicious link
    • Abnormal extracts direct links from email content as well as redirected links from embedded links, cloud-sharing documents, and attachments
    • We also provide the ability to preview links and attachments so customers can safely click on them to see a page preview
    • The attack was flagged as unusual because the message body contained a suspicious link that redirected to a phishing site
  • Text Content Classification: Our models are trained on and run against all messages processed by Abnormal. This is a core pillar used to detect the intent of the message.
    • Our content detector flags conversations related to stealing personal information, financial content, invoice-related content, and more
    • Our model flagged the attack for containing language that may be attempting to steal personal information
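The three signal families above (identity, link, content) can be sketched as a small rule-based detector run over sample messages. The code below is an added illustration for this article and is not Abnormal’s detection code; the known-sender set, the free-hosting domain list, the brand mapping, the lure phrases and both sample messages are constructed here, and the hostname handling is a deliberate simplification (it takes the last two labels rather than consulting the Public Suffix List). The point it makes is the one the campaign exploits: a sender-reputation check alone cannot catch a legitimate-but-compromised account, so the verdict requires agreement between at least two independent signal families.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample data for this illustration (not campaign indicators).
KNOWN_SENDERS = {"billing@vendor-example.test", "noreply@efax.com"}   # learned relationship graph stand-in
FREE_HOSTING_DOMAINS = {"joom.com", "weebly.com", "quip.com"}          # publishing platforms named in the article
IMPERSONATED_BRANDS = {"efax": {"efax.com"}}                           # brand keyword -> domains assumed legitimate for it
LURE_PHRASES = ("view documents", "doc delivery", "docs delivery")     # assumed credential-lure wording

HREF_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class Message:
    sender: str      # header From address
    subject: str
    html_body: str


@dataclass
class Verdict:
    signals: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require two distinct signal families (identity / link / content) so a
        # single odd link, or a first-time legitimate vendor, is not enough on its own.
        return len({s.split(":")[0] for s in self.signals}) >= 2


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels, e.g. sites.weebly.com -> weebly.com.
    Approximation only; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def extract_links(html: str) -> list[tuple[str, str]]:
    """Return (href, visible anchor text) pairs from an HTML body."""
    return [(href, TAG_RE.sub("", text).strip()) for href, text in HREF_RE.findall(html)]


def identity_signals(msg: Message) -> list[str]:
    # Identity: has this exact address ever exchanged mail with the organization?
    return [] if msg.sender.lower() in KNOWN_SENDERS else ["identity:unusual_sender"]


def link_signals(msg: Message) -> list[str]:
    out = []
    for href, text in extract_links(msg.html_body):
        host = urlparse(href).hostname or ""
        if registered_domain(host) in FREE_HOSTING_DOMAINS:
            out.append("link:free_hosting")
        # Anchor text that itself looks like a hostname but points elsewhere is a disguised link.
        shown = urlparse(text if "://" in text else f"https://{text}").hostname or ""
        if "." in shown and registered_domain(shown) != registered_domain(host):
            out.append("link:disguised_text")
    return sorted(set(out))


def content_signals(msg: Message) -> list[str]:
    text = (msg.subject + " " + TAG_RE.sub(" ", msg.html_body)).lower()
    out = []
    for brand, legit_domains in IMPERSONATED_BRANDS.items():
        # Brand named in the message, but the sender's domain is not one that sends for that brand.
        if brand in text and sender_domain(msg.sender) not in legit_domains:
            out.append("content:brand_impersonation")
    if any(phrase in text for phrase in LURE_PHRASES):
        out.append("content:credential_lure")
    return out


def analyze(msg: Message) -> Verdict:
    return Verdict(identity_signals(msg) + link_signals(msg) + content_signals(msg))


# Constructed sample messages (not real campaign emails).
PHISH = Message(
    sender="accounts@compromised-partner.test",          # a previously unseen external account
    subject="eFax Doc Delivery Notification",
    html_body='<p>You have received a new eFax document.</p>'
              '<a href="https://efax-notice.joom.com/docs/4471">View Documents</a>'
              '<p>Sent via <a href="https://efax-notice.joom.com">www.efax.com</a></p>',
)
BENIGN = Message(
    sender="billing@vendor-example.test",                 # a sender with an established relationship
    subject="Invoice 2024-031",
    html_body='<p>Your invoice is ready.</p><a href="https://portal.vendor-example.test/inv/31">Open portal</a>',
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        v = analyze(msg)
        print(f"{name}: suspicious={v.suspicious} signals={v.signals}")
```

Note that if the phishing sample had come from an address already in `KNOWN_SENDERS` (the compromised-but-trusted case described earlier in this article), the identity family would stay silent and the verdict would rest on the link and content families alone, which is exactly why the free-hosting and brand-mismatch checks are kept independent of sender reputation.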

Protect Your Organization from Advanced Phishing Attempts

If your organization has experienced similar phishing campaigns and is interested in how Abnormal Security can protect your employees, request a demo to learn more.
