Phishers are masquerading as the cybersecurity firm Proofpoint in an effort to steal victims’ Microsoft Office 365 and Google email credentials.
Armorblox analysts said they discovered one such campaign aimed at an undisclosed multinational communications company; roughly a thousand employees were targeted within that organization alone.
“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”
The email’s lure was a file ostensibly related to mortgage payments. The subject line, “Re: Payoff Request,” was designed to make recipients believe the message was part of an ongoing conversation, lending it credibility and a sense of urgency.
“Adding ‘Re’ to the email title is a tactic we have observed scammers using before – this signifies an ongoing conversation and might make victims click the email faster,” according to the analysis.
Users who clicked on the “secure” email link included in the message were sent to a splash page with the Proofpoint logo and login spoofs.
“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”
Researchers noted that because the phish reproduced routines already present in many users’ daily lives (for example, receiving email alerts when files are shared with them over the cloud), the attackers were betting on users not scrutinizing the messages too closely.
“When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action,” according to the analysis.
In terms of infrastructure, the mail was sent through a compromised but legitimate email account belonging to a fire department in southern France. Because the sending account was genuine, the messages passed Microsoft’s native email security filters: according to Armorblox, they were assigned a spam confidence level of “1,” which on Microsoft’s scale means the filter judged them not to be spam. A low score like this only says the filter found nothing; it is not evidence that the sender is who the message claims.
“The domain’s WhoIs record shows it was last updated in April 2021,” researchers said. “The URL currently redirects to ‘cvgproperties[.]co[.]uk.’ The barebones website with questionable marketing [increases] the possibility that this is a dummy site.”
Social engineering, brand impersonation and the abuse of legitimate infrastructure combine in these attacks to get past conventional email security filters and the recipient’s own eye test. Armorblox recommended the following precautions against such campaigns:
- Be aware of social engineering
Users should examine the sender name, the sender email address, the language inside the email and any logical inconsistencies in it (e.g., why is the email coming from a .fr domain? Why is a mortgage-related message being sent to my work email address?).
- Shore up password hygiene
Deploy multi-factor authentication (MFA) on all personal and corporate accounts where it is available, avoid reusing the same password across sites and accounts, and do not use passwords that reference publicly available information (date of birth, anniversary date, etc.).
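As an added example (not code from Armorblox or from this article), the following Python script turns the checks above into a few header and content heuristics and runs them over a constructed message modelled on the campaign: a “Re:” subject with no threading headers, a sender in a country-code domain the organization does not normally deal with, a body that names Proofpoint while linking somewhere else, and a financial lure. The sender, recipient, link host, brand list and expected-TLD set are placeholders, not real indicators; the SCL header is included only to make the point that a low score from Microsoft’s filter does not clear a message sent through a compromised but legitimate account.

```python
# Added example, not the article's or Armorblox's code: simple phishing heuristics
# for the "secure file via <brand>" pattern, run over two constructed messages.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: a known-good link domain per impersonated brand,
# lure wording for this campaign, and the TLDs this org normally receives from vendors.
BRAND_DOMAINS = {"proofpoint": ("proofpoint.com",)}
LURE_WORDS = ("payoff", "mortgage", "secure file", "shared a file")
EXPECTED_SENDER_TLDS = {"com", "net", "org"}

# Constructed sample modelled on the article (all domains are placeholders).
SAMPLE_EML = b"""\
From: Secure Docs <sdis@fire-brigade.example.fr>
To: jane.doe@corp.example.com
Subject: Re: Payoff Request
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/html; charset=utf-8

<html><body>
<p>You have received a secure file via Proofpoint.</p>
<p><a href="https://docs-share.example.co.uk/secure">View secure file</a></p>
</body></html>
"""

# Constructed benign reply for contrast: a real thread, expected domain, no lure.
BENIGN_EML = b"""\
From: Alice <alice@partner.example.com>
To: jane.doe@corp.example.com
Subject: Re: Q3 vendor review
In-Reply-To: <abc123@corp.example.com>
Content-Type: text/plain; charset=utf-8

Thanks, see the notes at https://partner.example.com/notes
"""


class _LinkParser(HTMLParser):
    """Collect href targets and visible text from an HTML (or plain) body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyze(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkParser()
    parser.feed(body.get_content() if body is not None else "")
    text = " ".join(parser.text).lower()
    subject = str(msg.get("Subject", ""))
    findings = []

    # 1. "Re:" claims an ongoing thread, but a genuine reply carries In-Reply-To/References.
    if re.match(r"\s*re:", subject, re.I) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("fake_thread_subject")

    # 2. A compromised legitimate account passes SPF/DKIM, so ask whether the
    #    sending domain itself makes sense for this message (the ".fr" question).
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    if sender_domain and sender_domain.rpartition(".")[2] not in EXPECTED_SENDER_TLDS:
        findings.append(f"unexpected_sender_tld:{sender_domain}")

    # 3. Body names a brand while none of the links go to that brand's domain.
    hosts = [_host(h) for h in parser.hrefs]
    for brand, good in BRAND_DOMAINS.items():
        if brand in text and hosts and not any(
            h == g or h.endswith("." + g) for h in hosts for g in good
        ):
            findings.append(f"brand_link_mismatch:{brand}")

    # 4. Financial lure wording arriving at a corporate mailbox.
    if any(w in text or w in subject.lower() for w in LURE_WORDS):
        findings.append("financial_lure")

    # 5. Record the SCL but never let a low value suppress the other findings:
    #    it only says the filter found nothing, not that the sender is genuine.
    scl = msg.get("X-MS-Exchange-Organization-SCL")
    verdict = "suspicious" if len(findings) >= 2 else "ok"  # threshold is an assumption
    return {"sender": sender, "links": hosts, "scl": None if scl is None else str(scl),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
    print(analyze(BENIGN_EML))
```

The sample message trips all four heuristics while carrying an SCL of 1, which is exactly the situation described above; the benign reply trips none because its “Re:” is backed by an In-Reply-To header and its sender domain is one the organization expects. The two-finding threshold is deliberately conservative so that a single odd TLD or a lone “Re:” does not generate noise on its own.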