DigitalXRAID are currently observing an ongoing phishing campaign targeting business email accounts with a view to harvesting credentials. Once credentials are harvested, it appears that the threat actor uses them to gather further information and relies on password re-use to compromise other business applications with the same account. At present, the ultimate goal of the attacker is not clear. However, this type of activity is typical of Business Email Compromise attacks, where a threat actor compromises accounts and gathers information for later use in further attacks, financial fraud and targeted attacks.
- The observed emails are sent via open or compromised mail servers owned by legitimate organisations.
- The suspicious emails use enticing subject lines (e.g. COMPANY NAME – INVOICE PAYABLE).
- The suspicious emails use the name of the initial phishing victim in the email address (e.g. Bob[a]legitimatedomain[d]com), with an email signature depicting the initial victim's legitimate contact details.
- Several sample emails have been analysed by DigitalXRAID analysts; although they use different phishing landing pages, they have been determined to be part of the same campaign.
- The email samples analysed by DigitalXRAID include image links to (what appear to be) compromised websites that are used to host phishing pages for Dropbox, Smartsheet & other business SaaS providers.
- When the victim unwittingly clicks the malicious link, they are presented with a replica login page of a legitimate SaaS provider that requests credentials to log in.
- Once the victim gives up their credentials, the malicious page then prompts the user for their mobile telephone number to confirm their identity. It is assumed that these details are harvested for further compromise.
- Once the victim has filled in both prompts, they are redirected to the login page of the legitimate SaaS provider, a technique used to avoid arousing the user's suspicion.
- The specific actions of the threat actor are unknown at this point. However, it appears that the compromised credentials are used in some way to compromise other organisations known to the victim via phishing, much like the initial attack.
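One defensive check for the lure pattern described above, added here as an example (it is not DigitalXRAID's code): it flags messages whose subject carries the INVOICE PAYABLE lure and whose image-wrapped links name Dropbox or Smartsheet while pointing at a host outside that brand's domain. The brand-to-domain list and the sample message are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Legitimate domains of the SaaS brands the advisory names (assumed list) and its example subject lure.
BRAND_DOMAINS = {"dropbox": "dropbox.com", "smartsheet": "smartsheet.com"}
SUBJECT_LURE = re.compile(r"\binvoice\s+payable\b", re.IGNORECASE)

class ImageLinkExtractor(HTMLParser):
    """Collects <a href> elements that wrap an <img>, with the image's alt and src text."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._img = [], None, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":                      # open anchor; forget any earlier image
            self._href, self._img = a.get("href") or "", None
        elif tag == "img" and self._href is not None:
            self._img = f"{a.get('alt') or ''} {a.get('src') or ''}"
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if self._img is not None:       # only image-wrapped links are kept
                self.links.append((self._href, self._img))
            self._href = None

def find_offbrand_image_links(html):
    """Image links that name a SaaS brand but point to a host outside that brand's domain."""
    parser = ImageLinkExtractor()
    parser.feed(html)
    hits = []
    for href, img in parser.links:
        host = (urlparse(href).hostname or "").lower()
        for brand, domain in BRAND_DOMAINS.items():
            on_brand = host == domain or host.endswith("." + domain)
            if brand in f"{img} {href}".lower() and not on_brand:
                hits.append((brand, href))
    return hits

def score_message(subject, html):
    """Reasons a message matches the campaign pattern; an empty list means no match."""
    reasons = []
    if SUBJECT_LURE.search(subject):
        reasons.append("subject: invoice-payable lure")
    for brand, href in find_offbrand_image_links(html):
        reasons.append(f"image link for {brand} points off-brand: {href}")
    return reasons

# Constructed sample, not a real indicator: one off-brand and one legitimate Dropbox image link.
SAMPLE_SUBJECT = "ACME LTD - INVOICE PAYABLE"
SAMPLE_HTML = ('<p>Please review the attached invoice.</p>'
               '<a href="https://compromised-site.example/wp-content/dbx/"><img src="cid:logo" alt="Open in Dropbox"></a>'
               '<a href="https://www.dropbox.com/"><img src="cid:logo2" alt="Dropbox"></a>')
```

Running `score_message(SAMPLE_SUBJECT, SAMPLE_HTML)` flags both the subject lure and the off-brand Dropbox image link, while the link to www.dropbox.com itself is left alone.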
DigitalXRAID advise all clients, partners and associates to exercise caution when opening unexpected emails. As always, ensure that the sender is legitimate and trusted before following any links and opening any attachments.
No indicators of compromise have been included at this time due to ongoing investigations. DigitalXRAID Analysts continue to monitor the situation and will provide updates via this article should further details become available.