As the COVID-19 vaccines become more available, many companies are allowing their workers to return to their offices. While this is a step in the right direction, it is still important that employees follow proper procedures and security protocols to ensure their safety.
The Cofense Phishing Defense Center (PDC) has reported a phishing campaign that attempts to harvest employee credentials by impersonating the chief information officer (CIO) of the targeted company. The campaign is another example of how easily a credential-phishing email can slip past secure email gateways.
The email appeared to have been sent from inside the company, with the company logo in the header. The threat actor, posing as an executive, uses the newsletter format to explain the company's new pandemic-related procedures and changes.
Researchers warn that many companies are currently changing their operations and employee policies, and attackers can exploit exactly these changes, since employees expect to receive such announcements.
If an employee followed the link in the email, they were redirected to a Microsoft SharePoint page displaying two documents that appeared legitimate. Rather than linking straight to a phishing site, the attackers use the documents as an intermediate step that lends the attack additional credibility.
Having inspected these documents, Cofense Phishing Defense Center (PDC) confirmed they were not authentic and were instead phishing mechanisms to harvest account credentials.
Upon clicking either document, victims are presented with a login panel. This is unusual among Microsoft-themed phishing pages, where the common tactic is to open a spoofed Microsoft login screen directly.
Because users first see files that look legitimate rather than a login prompt, they are more likely to enter their credentials in order to read the policy updates.
Another technique Cofense researchers have observed is a fake error message, "Your account or password is incorrect," shown after each submission. After the employee has entered their login details several times, they are taken to a genuine Microsoft page. This gives the impression that the last attempt succeeded, and the victim is likely to forget the whole experience.
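The "repeated failed login, then a bounce to a real Microsoft page" behaviour described above leaves a recognisable trace in web-proxy logs: several credential POSTs to a host that is not a Microsoft login endpoint, immediately followed by a GET of a genuine Microsoft page. The following Python script is an added example written for this page, not code from Cofense or from the campaign itself. It runs a heuristic for that sequence over a few constructed proxy log lines (the hosts, user names and timestamps are invented; the trusted-domain list and path hints are assumptions that should be tuned to your own environment).

```python
"""Heuristic detector for the phishing pattern described above: a run of
credential POSTs to an untrusted host, followed by a redirect to a genuine
Microsoft page. Added illustration; not the original article's or Cofense's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real data): timestamp user method status url
SAMPLE_LOG = """\
2021-04-12T09:14:02Z alice GET 200 https://example-tenant.sharepoint.com/sites/hr/CovidPolicy.pdf
2021-04-12T09:14:20Z alice POST 200 https://policy-updates.example.net/auth/index.php
2021-04-12T09:14:41Z alice POST 200 https://policy-updates.example.net/auth/index.php
2021-04-12T09:15:03Z alice POST 302 https://policy-updates.example.net/auth/index.php
2021-04-12T09:15:04Z alice GET 200 https://www.microsoft.com/en-us/
2021-04-12T09:20:00Z bob GET 200 https://login.microsoftonline.com/common/oauth2/authorize
2021-04-12T09:20:15Z bob POST 200 https://login.microsoftonline.com/common/login
2021-04-12T09:20:16Z bob GET 200 https://outlook.office.com/mail/
2021-04-12T09:31:10Z carol POST 200 https://crm.example.org/login
2021-04-12T09:31:12Z carol GET 200 https://crm.example.org/dashboard
"""

# Assumed allowlist: hosts that may legitimately receive Microsoft credentials,
# and suffixes that identify a genuine Microsoft landing page.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
MICROSOFT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".office.com", ".live.com")
LOGIN_PATH_HINTS = ("login", "signin", "auth", "account")  # assumed, tune locally


@dataclass
class Event:
    ts: datetime
    user: str
    method: str
    status: int
    url: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def path(self) -> str:
        return urlparse(self.url).path.lower()


def parse_log(text: str) -> list:
    """Parse the whitespace-separated constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, status, url = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, int(status), url))
    return events


def is_microsoft_host(host: str) -> bool:
    return host in TRUSTED_LOGIN_HOSTS or host.endswith(MICROSOFT_SUFFIXES)


def looks_like_login_post(ev: Event) -> bool:
    """A POST to a login-looking path on a host that is not a trusted Microsoft endpoint."""
    return ev.method == "POST" and any(h in ev.path for h in LOGIN_PATH_HINTS) and not is_microsoft_host(ev.host)


def find_harvest_sequences(events: list, min_posts: int = 2, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (user, host, post_count, landing_url) for each run of at least
    `min_posts` suspicious POSTs to one host that is followed, within `window`,
    by a GET of a genuine Microsoft page."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)

    hits = []
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            if not looks_like_login_post(evs[i]):
                i += 1
                continue
            host = evs[i].host
            j = i
            while j < len(evs) and evs[j].method == "POST" and evs[j].host == host:
                j += 1  # extend the run of POSTs to the same untrusted host
            posts = j - i
            landed = None
            if (j < len(evs) and evs[j].method == "GET" and is_microsoft_host(evs[j].host)
                    and evs[j].ts - evs[j - 1].ts <= window):
                landed = evs[j].url
            if posts >= min_posts and landed:
                hits.append((user, host, posts, landed))
            i = j
    return hits


if __name__ == "__main__":
    for hit in find_harvest_sequences(parse_log(SAMPLE_LOG)):
        print("suspicious credential harvest:", hit)
```

In the constructed sample only alice is flagged: bob's repeated attempts go to the real login.microsoftonline.com, and carol's single POST to a third-party application never lands on a Microsoft page. Note that the lure documents being hosted on a legitimate service (SharePoint in the article) is not itself a signal; the signal is where the submitted credentials are sent, so legitimate SSO flows to a non-Microsoft identity provider will need to be added to the allowlist to avoid false positives.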
In reality, the threat actor has captured the victim's credentials and is positioned for further malicious activity such as account takeover and identity theft.