Proofpoint Phish Harvests Microsoft O365, Google Logins

A savvy campaign impersonating the cybersecurity company skated past Microsoft email security.

Phishers are impersonating Proofpoint, the cybersecurity firm, in an attempt to make off with victims’ Microsoft Office 365 and Google email credentials.

Researchers at Armorblox said they spotted one such campaign aimed at an unnamed global communications company, with nearly a thousand employees targeted within that one organization.

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”


The email lure was a file purportedly linked to mortgage payments. The subject line, “Re: Payoff Request,” was geared to fool targets into thinking it was part of ongoing correspondence, which adds an air of legitimacy while also lending urgency to the proceedings.

“Adding ‘Re’ to the email title is a tactic we have observed scammers using before – this signifies an ongoing conversation and might make victims click the email faster,” according to the analysis.

If users clicked on the “secure” email link embedded in the message, they were taken to the splash page with Proofpoint branding and the login spoofs.

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Because the phish replicated workflows that already exist in many users’ daily lives (i.e., receiving email notifications when files are shared with them via the cloud), attackers were banking on users not questioning the emails too much, researchers noted.

“When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action,” according to the analysis.

In terms of infrastructure, the email was sent from a compromised but legitimate email account belonging to a fire department in Southern France. This helped the phish evade detection by Microsoft’s native email security filters, according to Armorblox, which noted that the emails were marked with a spam risk level of “1.” In other words, they weren’t flagged as spam at all.

Also, the phishing pages were hosted on the “greenleafproperties[.]co[.]uk” parent domain.

“The domain’s WhoIs record shows it was last updated in April 2021,” researchers said. “The URL currently redirects to ‘cvgproperties[.]co[.]uk.’ The barebones website with questionable marketing [increases] the possibility that this is a dummy site.”

Attacks like these combine social engineering, brand impersonation and legitimate infrastructure to bypass traditional email security filters and users’ eye tests. To protect against such campaigns, Armorblox offered the following advice:

  1. Be aware of social engineering: Users should subject email to an eye test that includes inspecting the sender name, sender email address, language within the email and any logical inconsistencies within the email (e.g. Why is the email coming from a .fr domain? Why is a mortgage-related notification coming to my work email?).
  2. Shore up password hygiene: Deploy multi-factor authentication (MFA) on all possible business and personal accounts, don’t use the same password on multiple sites/accounts and avoid using passwords that tie into publicly available information (date of birth, anniversary date, etc.).
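As an added defensive example (not code from the article or from Armorblox's analysis), the script below applies the eye-test signals described above to a constructed message: a "Re:" subject with no threading headers, a Proofpoint-themed lure whose link points off-brand, and a sender domain unrelated to the brand invoked. The brand-domain list and all addresses in the sample are assumptions.

```python
"""Added example (not Armorblox's or Threatpost's code): heuristics for the
signals the article describes. Brand domains and the sample are constructed."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Domains a genuine Proofpoint secure-file notification would link from
# (assumed for this example; check your own tenant's configuration).
BRAND_DOMAINS = {"proofpoint": ("proofpoint.com", "pphosted.com")}
LINK_RE = re.compile(r"https?://[^\s\"'>]+")

def _domain(value):
    """Host of a URL, or the domain part of an email address."""
    if "://" not in value and "@" in value:
        return value.rsplit("@", 1)[1].strip(">").lower()
    return (urlparse(value).hostname or "").lower()

def _same_org(host, brand_domain):
    return host == brand_domain or host.endswith("." + brand_domain)

def analyze(raw):
    """Return findings for one RFC 822 message (empty list = no signal)."""
    msg = message_from_string(raw)
    findings = []
    # 1. "Re:" implies a thread, but a real reply carries In-Reply-To/References.
    if re.match(r"\s*re:", msg.get("Subject", ""), re.I) and not (
        msg.get("In-Reply-To") or msg.get("References")):
        findings.append("subject claims a reply but no threading headers")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    sender = _domain(msg.get("From", ""))
    for brand, good in BRAND_DOMAINS.items():
        if brand not in body.lower():
            continue
        # 2. A "<brand>" lure whose links leave that brand's domains.
        for host in (_domain(u) for u in LINK_RE.findall(body)):
            if not any(_same_org(host, g) for g in good):
                findings.append(f"{brand} lure links to unrelated host {host}")
        # 3. Sender domain unrelated to the brand invoked (the .fr sender here).
        if not any(_same_org(sender, g) for g in good):
            findings.append(f"{brand} lure sent from unrelated domain {sender}")
    return findings

# Constructed sample modelled on the campaign; domains are placeholders.
SAMPLE = """From: Service Incendie <accueil@sdis-example.fr>
Subject: Re: Payoff Request

You have received a secure file via Proofpoint.
View it here: https://greenleaf-example.co.uk/secure/login
"""
```

Running `analyze(SAMPLE)` returns all three findings; a genuine notification linking to and sent from the brand's own domain returns none.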
