The latest attempts at phishing involves using a fake and poorly executed Microsoft Office 365 credentials update form in the guise of Google Docs is taking place. A Cofense report reveals the phishing emails originated from a compromised automated mail account with privileged access to financial services provider CIM Finance.
By using CIM Finance’s website to host their phishing emails, the malicious players ensured their messages could pass necessary email protection checks together with DKIM and SPF.
Google Forms is used to create faux Microsoft login pages to harvest company consumer credentials
Cofense’s Europe director Dave Mount
After creating a suspect email account with privileged access to CIM Finance, the hackers used the CIM Finance internet site to ship a flow of phishing emails.
This technique avoids the first email protection checks because the electronic messages originate from a valid source.
Cofense’s Europe director Dave Mount told SC Media phishing risk players have long abused cloud services to supply malicious payloads through forms like Google Docs.
READ MORE Sky TV and Netflix are facing new competition from a very familiar rival
- Microsoft could be making this huge change to Windows 10
He said: ”In this campaign and others like it, Google Forms is used to create faux Microsoft login pages to harvest company consumer credentials.”
The emails themselves pose as notifications from the IT crew informing recipients “updating the user’s Office 365” is needed to prevent the suspension in their accounts.
By creating this sense of urgency, criminals tried to persuade the public into clicking on the “Update Now” button.
Masquerading as a notification from the “IT company team”, the email also informs the target their Office 365 has expired, and it needs to be immediately updated.
Many targets panic and click on the phishing link, providing their details right into Microsoft Office 365 login page imitation.
However, a discerning eye should be able ti spot the danger.
According to Cofense, the threat actor installed a staged Microsoft form hosted on Google providing the real public key certificate (SSL) certificates to entice surrender recipients to believe the users would be connected to a Microsoft page related to their company.
Cofense added: ”However, the users are instead linked to an external website hosted by Google.
EE price rise coming soon but new freebie will soften the blow
BT customers face the hidden Virgin Media costs
Android fans could be secretly charged HUNDREDS
- Why Google Maps could get a HUGE boost from Apple’s next upgrade
“Half the words are capitalised and letters are replaced with asterisks; examples include keywords ‘email’ and ‘password’.
Additionally, when users enter their credentials, they are seen in the simple text in place of asterisks, elevating a red flag.
The login page is not always real. Once the user enters credentials, the records are then forwarded to the threat leads through Google Drive.
The Cofense Phishing Defense Center was alerted by the company’s clients about the campaign.
However, the reach of this particular marketing campaign has yet to be yet assessed.
According to Mount, the impact of specific campaigns are “tough to track” and is typically not in the purview of Cofense.
However, Mr Mount believes any credentials harvested by using campaigns like this could cause a widespread compromise or statistics breach.
He thinks Cofense has seen hundreds of examples of phishing emails using Google Forms as the payload for harvesting person credentials.
Other cloud offerings frequently abused via phishing hazard players include OneDrive, Sharepoint.Com, Google Docs, WeTransfer, and Dropbox.
Source: Read Full Article