A highly targeted phishing attack pretends to deliver subpoenas, but actually ends up collecting victims’ Office 365 credentials. The ongoing campaign has slipped past Office 365’s native defenses and email gateway security controls to hit several C-suite victims so far.
The phishing emails spoof the U.S. Supreme Court, aiming to capitalize on scare tactics to convince targets to click on an embedded link. The email tells victims that it contains a writ issued by the Supreme Court, to compel them to attend a hearing. To view the subpoena, victims must click on the link.
“Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response,” said researchers with Armorblox in a Thursday analysis, shared exclusively with Threatpost. “The sender name impersonated the Supreme Court, making the email likely to get past eye tests when people glanced through it amidst hundreds of other emails in their overflowing mailboxes. The email language was terse and authoritative, including a CTA (call to action) in the email – View Subpoena – clearly describing the purpose of the email.”
While the email’s sender (display) name was labeled ‘Supreme Court,’ a closer look at the actual sending addresses showed that they were unrelated to any court: the messages came from court@flippintoacure[.]com or court@somersethillsevents[.]com.
“From a social-engineering lens, the email was crafted to trigger urgency and fear,” Chetan Anand, co-founder and architect with Armorblox, told Threatpost. “The email keeps things short so that targets click the link without reading (or thinking) too much…. busy employees often don’t have the time or luxury to think about every email in their inbox, and end up following through on the email’s action.”
Clicking the link takes targets through multiple redirects, including two fully functioning CAPTCHA pages. These not only lend the phish an air of legitimacy, but also make it harder for security tools that rely on automatically following URL redirects to reach the final destination, since the CAPTCHA stops an automated crawler before it ever sees the credential landing page, said researchers.
“The penultimate URL redirect in this attack leads users to a fully functioning CAPTCHA page,” said researchers. “Upon clicking the ‘I’m not a robot’ button, a real CAPTCHA image test pops up, stamping a clear seal of legitimacy on the email communication.”
The final credential landing page was painstakingly made to resemble an Office 365 login page, designed to collect targets’ Office 365 credentials. However, the page is hosted on ‘invoicesendernow[.]com,’ which is clearly not a Microsoft domain.
“This page would pass most eye tests during busy mornings, with people happily assuming it to be a legitimate Microsoft page,” said researchers. “A closer look at the domain reveals that this is a lookalike page built specifically for the target.”
While the campaign did take some sophisticated measures, a keen-eyed email recipient could spot several red flags that give away the phishing attack. For instance, the CAPTCHA page is hosted on docketsender[.]com, a domain with no connection to any court. The subheading of the CAPTCHA page also contains a grammatical error, reading “Kindly verify you human.”
Anand told Threatpost that both the domains associated with the attack (docketsender[.]com and invoicesendernow[.]com) are based out of Kansas and were registered on May 12.
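The red flags described above (a spoofed display name over an unrelated sender domain, a redirect chain that dead-ends at a CAPTCHA so an automated URL follower never reaches the landing page, a Microsoft lookalike login page on a non-Microsoft domain, and domains registered days before the campaign) can all be checked mechanically. The following is an added example written for this page; it is not Armorblox’s or Threatpost’s code. The legitimate-host lists, the URL paths, the stub fetcher standing in for an HTTP client, the WHOIS lookup table (with the article’s May 12 registration date, year assumed to be 2020) and the observation date are all constructed assumptions.

```python
"""Triage heuristics for a subpoena-themed credential phish (constructed example).

Inputs are built inline: the fetcher is a stub keyed on constructed URLs, not a
real HTTP client, and the WHOIS table is a constructed lookup, not a live query.
"""
from datetime import date
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts that legitimately belong to the brands the lure and the
# landing page claim. Anything else using the brand name is a lookalike.
LEGIT_HOSTS = {
    "supreme court": {"supremecourt.gov"},
    "microsoft": {"login.microsoftonline.com", "login.live.com", "microsoft.com"},
    "office 365": {"login.microsoftonline.com", "office.com"},
}
# Strings that indicate a CAPTCHA interstitial (the last one is the article's typo).
CAPTCHA_MARKERS = ("i'm not a robot", "g-recaptcha", "verify you human")

def _belongs_to(host, hosts):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in hosts)

def display_name_spoof(from_header):
    """Return the impersonated brand if the display name claims a known brand
    but the address domain is not one of that brand's hosts, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for brand, hosts in LEGIT_HOSTS.items():
        if brand in name.lower() and not _belongs_to(domain, hosts):
            return brand
    return None

def follow_chain(url, fetch, max_hops=10):
    """Follow redirects via fetch(url) -> (status, headers, body).
    Stops at the first non-redirect page; reports whether that page is a
    CAPTCHA, which a crawler cannot click through. Returns (hops, final_url, captcha)."""
    hops = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]
            hops.append(url)
            continue
        captcha = any(m in body.lower() for m in CAPTCHA_MARKERS)
        return hops, url, captcha
    return hops, url, False

def lookalike_login(url, body):
    """Flag a page whose content names a brand that its host does not belong to."""
    host = urlparse(url).hostname or ""
    text = body.lower()
    for brand, hosts in LEGIT_HOSTS.items():
        if brand in text and not _belongs_to(host, hosts):
            return brand
    return None

def newly_registered(host, registered_on, seen_on, max_age_days=30):
    """True if the registrable domain was registered within max_age_days of seen_on.
    Uses the last two labels as the registrable domain (fine for .com; no PSL here)."""
    dom = ".".join(host.lower().split(".")[-2:])
    reg = registered_on.get(dom)
    return reg is not None and 0 <= (seen_on - reg).days <= max_age_days

# Constructed redirect chain modelled on the article's description: a redirect,
# then a CAPTCHA page that blocks automated following. The landing page is kept
# separately because only a human who solves the CAPTCHA reaches it.
CHAIN = {
    "https://docketsender.com/view?id=1": (302, {"Location": "https://docketsender.com/verify"}, ""),
    "https://docketsender.com/verify": (200, {}, "<h2>Kindly verify you human</h2><div class='g-recaptcha'></div>"),
}
LANDING_URL = "https://invoicesendernow.com/login"
LANDING_BODY = "<title>Sign in to your account</title> Microsoft Office 365"

def stub_fetch(url):
    return CHAIN.get(url, (404, {}, ""))

# Constructed WHOIS table (article gives May 12; year is an assumption).
REGISTERED = {"docketsender.com": date(2020, 5, 12), "invoicesendernow.com": date(2020, 5, 12)}

def triage(from_header, link, fetch=stub_fetch, seen_on=date(2020, 5, 28)):
    """Run the header and link checks and return a list of human-readable flags."""
    flags = []
    brand = display_name_spoof(from_header)
    if brand:
        flags.append(f"display name claims '{brand}' but sender domain is unrelated")
    hops, final, captcha = follow_chain(link, fetch)
    if captcha:
        flags.append(f"redirect chain ({len(hops)} hops) dead-ends at a CAPTCHA on {urlparse(final).hostname}")
    for h in hops:
        host = urlparse(h).hostname or ""
        if newly_registered(host, REGISTERED, seen_on):
            flags.append(f"{host} was registered within 30 days of the email")
            break
    return flags

if __name__ == "__main__":
    for f in triage('"Supreme Court" <court@flippintoacure.com>', "https://docketsender.com/view?id=1"):
        print("FLAG:", f)
    print("landing page impersonates:", lookalike_login(LANDING_URL, LANDING_BODY))
```

The `triage` function stops where an automated scanner would, at the CAPTCHA; `lookalike_login` is applied to the landing page separately, as an analyst who clicked through would do. In a real pipeline the stub fetcher and the WHOIS table would be replaced by an HTTP client and a registration-date lookup, and the registrable-domain logic by a public-suffix list.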
Because the attack was sent to “high-value targets” across organizations – including members of the C-Suite, finance teams, and accounting teams – Anand said the impact could be massive.
“Compromised credentials from these targets can be used to launch secondary attacks on other employees, customers, and third-party vendors,” he told Threatpost. “The credentials could also be used to exfiltrate sensitive or confidential data from the targets’ Office 365 accounts. Attackers are also sure to try the same login credentials to break into other business-critical applications (in case the targets have common passwords across apps).”
Researchers pointed to a similar phishing attack from last year, which claimed to deliver emailed subpoenas and targeted insurance and retail companies. Those emails spoofed the U.K. Ministry of Justice in order to infect victims with Predator the Thief, a publicly available information-stealing malware that is not often seen in phishing campaigns.
Attackers continue to leverage phishing lures that might trigger anxiety in victims and spur them to hand over their credentials. That includes recent coronavirus-themed cyberattacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams. Researchers warned that users should continue to be on the lookout for phishing emails playing into fears around the coronavirus pandemic.
“We are seeing a big increase in credential phishing attacks against small, medium businesses,” said Anand. “These allow the attackers to then launch vendor email compromise or supply chain fraud kind of attacks from those organizations to larger companies that they work with. This attack was very much in line with that pattern.”