December 14, 2020
Roman Tobe
Threat researchers at Abnormal Security discovered a coordinated spear phishing campaign targeting numerous enterprise organizations last week. The attackers compromised hundreds of legitimate accounts and are sending emails in rapid succession to organizations. The content of the emails originate from impersonated businesses such as eFax and include personalized ‘Doc Delivery’ notifications. The embedded URLs redirect to fake, never-seen-before Microsoft O365 spear phishing pages hosted on digital publishing sites like Joom, Weebly and Quip, of which hundreds have been detected. When one email is detected and caught, the attackers appear to be running a script that changes the attack to a new impersonated sender and phishing link to continue the campaign.
The widespread use of hundreds of compromised accounts and never-seen-before URLs indicate the campaign is designed to bypass traditional threat intelligence solutions accustomed to permitting known but compromised accounts into the inbox.
Example Doc(s) Delivery Attack
As noted above, the attackers are impersonating businesses such as eFax and sending emails from a compromised account (redacted). The above example is one of many similarly crafted campaigns that originate from multiple compromised accounts. While this may seem counterintuitive on the attackers part to send an eFax notification from an unrelated compromised account, it’s a clever tactic by the attackers and problematic for the organization because compromise attacks will bypass traditional threat intelligence based solutions. The reason the bypass works is because the compromised email addresses are known and trusted by the organization based on prior and legitimate communications. As a result, they are also trusted by the SEG and delivered to the employees inbox despite containing numerous malicious signals including a well-disguised spear phishing link.
Malicious Payload
If the “View Documents” link is clicked within the phishing email, it leads to a hosted Joom, Weebly, or Quip landing page where the employee is asked to click on another “View Documents” link. The attacker attempts to legitimize the campaign with official-looking landing pages similar to those used by eFax. If the employee clicks “View Documents” on the landing page, they are taken to a credential phishing page that attempts to steal their O365 credentials.
As noted above, the attackers are using more than one landing page template in an attempt to steal credentials.
Impact on Organization
Example of an Abnormal Security Threat Log for an affected customer during Passive Mode that has not activated auto-remediation of malicious threats.
The volume, recency and spread of phishing attempts across numerous employees and organizations indicates the attackers are determined in their efforts. As noted in the example above, the attacks are being detected and caught by Abnormal’s system on a near hourly basis across several organizations.
To further complicate issues for the employees and organization, many recipients are forwarding the phishing attempts to their personal email addresses in order to open them through personal accounts.
How Abnormal Stops These Attacks
Abnormal Security automatically detects and remediates attacks such as these using a combination of Identity and Content analysis.
Protect Your Organization from Advanced Phishing Attempts
If your organization has experienced similar phishing campaigns and are interested in how Abnormal Security can protect your employees, request a demo to learn more.
Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:
Abnormal is the email security company that stands for trust.
© 2020 Abnormal Security Corporation.
All rights reserved.