PHISHING threat identified

What happened?
A malicious and successful email campaign is currently circulating and has affected users in our area. The attacker first harvests the credentials to a user's email account, then uses that account to carry out further malicious activity, including sending the same lure to the victim's contacts.

How was it identified?
*The email contains fluent English phrases that are consistent with legitimate business activities between the victim and the target.
*The attached file is an Adobe PDF document named scan0010.pdf. When the document is opened, the user is redirected to a document hosted on Microsoft OneDrive that requests email/Office 365 credentials.
*No legitimate action or instruction is offered once the user has entered the username and password.

This is an example of the file and text (the text in the message body has differed between email samples, and usually appears legitimate).

This is the redirect page that eventually steals the credentials. Because the page is hosted on Microsoft OneDrive, the activity is ALLOWED through most content filters, security devices, and antivirus programs.

Why is this important? Attackers use stolen credentials for many reasons, including:
*Access emails that are sensitive to the organization (bids, invoices, employee or client data).
*Pose as the recipient to send emails to contacts in an attempt to steal their credentials. These contacts may believe the email came from a trusted source, especially since the content is crafted from research within the compromised account and may relate to real activities with the legitimate parties.
*Insert themselves into business processes to perform fraudulent bank and wire transfer activity.
*Attempt to use the stolen username and password on other websites (bank, government, email).

What you can do… 
*Report the receipt of unexpected emails, especially those that request a username/password or include attachments, to your information security or IT resource.
*Verify the authenticity of any email that requests a username and password (or includes a file attachment) prior to performing any other actions.
*Be highly suspicious of professional business emails containing grammatical errors that request action such as clicking a link or opening an attachment.
*IT and security operators should be vigilant in investigating emails with characteristics similar to the email below.
*If a user falls victim to credential theft, change the password associated with the account.  Retrieve and preserve message logs (activity and send/receive) since the time credentials were compromised.  Inspect the logs for any unusual activity to assess further damage.
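As an added illustration of the last step (not part of the original advisory), the Python below runs a simple triage over a mailbox's send/receive activity log after a suspected compromise: it counts receipt of the lure attachment named in the advisory, lists the contacts the same attachment was then sent to, and flags bursts of sends to many distinct recipients. The log format, timestamps, addresses, compromise time and thresholds are all constructed assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of a mailbox's send/receive activity log (not real data).
SAMPLE_LOG = """timestamp,direction,counterparty,subject,attachment
2019-03-04T08:02:11,received,vendor@example-partner.com,Invoice 1182,invoice1182.pdf
2019-03-04T09:15:40,sent,vendor@example-partner.com,RE: Invoice 1182,
2019-03-04T13:47:03,received,unknown@example-sender.net,Scanned document,scan0010.pdf
2019-03-04T13:51:22,sent,alice@example-client.com,Scanned document,scan0010.pdf
2019-03-04T13:51:23,sent,bob@example-client.com,Scanned document,scan0010.pdf
2019-03-04T13:51:25,sent,carol@example-partner.com,Scanned document,scan0010.pdf
2019-03-04T13:51:26,sent,dave@example-bank.com,Scanned document,scan0010.pdf
2019-03-05T10:05:00,sent,vendor@example-partner.com,RE: Bid package,
"""

CAMPAIGN_ATTACHMENT = "scan0010.pdf"   # attachment name reported in the advisory
BURST_WINDOW = timedelta(minutes=5)    # assumed tuning values; adjust per environment
BURST_THRESHOLD = 3                    # distinct recipients inside one window

def parse_log(text):
    """Parse the CSV log into dicts, adding a real datetime field, oldest first."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])

def triage(rows, compromise_time_iso):
    """Flag post-compromise activity: lure received, lure relayed, send bursts."""
    after = [r for r in rows if r["ts"] >= datetime.fromisoformat(compromise_time_iso)]
    lure = [r for r in after if r["direction"] == "received"
            and r["attachment"] == CAMPAIGN_ATTACHMENT]
    sent = [r for r in after if r["direction"] == "sent"]
    relayed = sorted(r["counterparty"] for r in sent
                     if r["attachment"] == CAMPAIGN_ATTACHMENT)
    bursts, i = [], 0
    while i < len(sent):                 # sliding window over outbound messages
        j = i
        while j < len(sent) and sent[j]["ts"] - sent[i]["ts"] <= BURST_WINDOW:
            j += 1
        recipients = {r["counterparty"] for r in sent[i:j]}
        if len(recipients) >= BURST_THRESHOLD:
            bursts.append((sent[i]["ts"], sorted(recipients)))
            i = j                        # do not re-report the same window
        else:
            i += 1
    return {"lure_received": len(lure), "relayed_to": relayed, "bursts": bursts}

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG), "2019-03-04T13:47:00"))
```

Run against a real export, the flagged recipients are the contacts who should be warned and whose own mailboxes may need the same review.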

If you have any questions or need any assistance dealing with this threat, please don’t hesitate to reach out to us at 601-401-2404.

Shane Adams, CISSP, CISM
Principal, CIO & CISO Practice
Applied Technology Group
