In what looks to be an email phishing attempt driven by credential harvesting, around 75k email inboxes have been affected so far.
This week, Armorblox security researchers saw the attack on client systems across Google Workspace environments, Office 365, and Microsoft Exchange. Threat actors targeted small groups of personnel from various divisions inside a company in several attacks, ostensibly preserving a low profile.
So far, there’s no proof that the attackers are targeting a specific industry. However, the attacks have harmed Armorblox clients in various sectors, including energy, local government, higher education, software, and electrical construction.
Individuals within organizations tend to perform targeted attacks because the victims are a mix of top executives and regular employees from across the organization. When these persons get a suspicious email, they are unlikely to interact with one another often. This raises the chances of someone being a victim of the attack.
Phishing is still one of the most common methods threat actors use to tighten the grip on a target network.
According to the Anti Phishing Working Group (APWG), phishing activities increased by 100 percent in 2020. It observed 222,127 phishing incidents alone in June 2021. During the past quarter, financial institutions and social media companies were the most often attacked.
Armorblox stated this week that a bait spoofing an encrypted message notification from email encryption and security provider Zix was used in the assault. While the notification was not identical to a real Zix notification, it was close enough to fool users into thinking they had received a legitimate email.
The domain used by the threat actors to send the malicious email belongs to a religious organization founded in 1994 and is most likely a deprecated or outdated version of the parent domain.
If there is one explanation for the email going past current security safeguards, it was sent from a genuine domain. That’s why the email was able to evade all authentication tests. The remaining campaign – like other phishing schemes – focused on brand imitation and social engineering to convince victims to click on a phony Zix notification.
In the attacks observed by Armorblox, the threat actor appeared to have avoided targeting many individuals from a single department. Instead, they seem to have picked victims from a variety of departments in order to maximize the chances of someone falling for the phishing email.
From a security viewpoint, organizations should strengthen native email security controls with capabilities for identifying behavior, language, communication, and other patterns that might assist in identifying a phishing effort.
