Original Post from Abnormal Security
Author: Abnormal Security
In this attack, the attacker impersonates the recipient’s company’s mail system in order to send out a credential-phishing email.
Quick Summary of Attack Target
Platform: Office 365
Email Security Bypassed: Proofpoint
Payload: Malicious Link
What was the attack?
Setup: Email platforms continuously filter suspected spam out of recipients’ inboxes, and many of them notify the user when messages have been held back. In this attack, the attacker impersonates Microsoft Office 365 and informs the recipient that three of their emails have been restricted from reaching their inbox, mimicking that quarantine-notification behaviour.
Email Attack: To deceive the recipient, the attacker impersonated the company’s internal mail system, Microsoft Office 365, by setting the display name accordingly. On closer inspection, the email does not come from a registered Microsoft domain or from the recipient’s company’s domain, but from ‘okura-group.com.’ Even that address is spoofed: although the visible From address shows okura-group.com, the message fails email authentication (SPF, DKIM and DMARC), which reveals that the domain actually sending it is mwprem.net. That domain was registered through a hosting service and is likewise not a Microsoft domain.
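The three header indicators in the paragraph above (a brand name in the display name, a From domain that belongs to neither the brand nor the company, and failed authentication pointing at a different sending domain) can be checked mechanically. The following Python script is an added example written for this page, not Abnormal Security’s code; the two raw messages, the brand keyword and domain lists, and the `example.com` internal domain are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Display-name words that signal a brand lure, and the domains that brand
# really sends from. Both sets are illustrative assumptions for this example.
BRAND_KEYWORDS = ("microsoft", "office 365", "office365", "outlook")
BRAND_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "outlook.com"}
# The recipient organisation's own domain (assumed; read from config in practice).
INTERNAL_DOMAIN = "example.com"

# Pulls "spf=fail", "dkim=none", "dmarc=pass" style results out of the
# Authentication-Results header written by the receiving mail gateway.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed message modelled on the attack described in the post:
# Microsoft in the display name, okura-group.com in From, mwprem.net as the
# envelope sender, and every authentication check failing.
PHISH_SAMPLE = """\
Return-Path: <bounce@mwprem.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mwprem.net; dkim=none; dmarc=fail header.from=okura-group.com
From: "Microsoft Office 365" <noreply@okura-group.com>
To: user@example.com
Subject: 3 messages were restricted from your inbox

Some of your incoming messages were restricted. Recover_Messages
"""

# Constructed benign counterpart: brand display name, brand domain, all passes.
LEGIT_SAMPLE = """\
Return-Path: <noreply@microsoft.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: "Microsoft 365" <noreply@microsoft.com>
To: user@example.com
Subject: Your monthly summary

Nothing to see here.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Return-Path style header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw_message):
    """Evaluate the three indicators from the post and return them with a findings list."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = {
        mech.lower(): result.lower()
        for mech, result in AUTH_RESULT_RE.findall(str(msg.get("Authentication-Results", "")))
    }

    findings = []
    name = display_name.lower()
    # 1. Display-name impersonation: brand words in the name, but the From
    #    domain is neither the brand's nor our own.
    if any(k in name for k in BRAND_KEYWORDS) and from_domain not in BRAND_DOMAINS | {INTERNAL_DOMAIN}:
        findings.append(f"display name '{display_name}' but From domain is {from_domain}")
    # 2. Spoofing: the visible From domain differs from the envelope sender
    #    (Return-Path) that actually handed the message over.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    # 3. Authentication: anything other than an explicit pass is a finding,
    #    including a mechanism that is simply absent.
    for mech in ("spf", "dkim", "dmarc"):
        result = auth.get(mech, "none")
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyze_headers(sample)["findings"])
```

The script treats a missing DKIM signature the same as a failure; in a gateway rule you would usually weight the three indicators rather than count them, but any message that trips the display-name check and fails DMARC is worth quarantining outright.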
Payload: The email contains a hyperlink on the text “Recover_Messages” that directs the recipient to ro-.xyz, where a reCAPTCHA challenge makes the site seem authentic. After completing the reCAPTCHA, the recipient lands on a page that looks identical to the Microsoft Office login page, with their email address already filled in and a prompt to click Next. The following page, again nearly identical to the Microsoft Office login page, asks for the password, which goes straight to the attacker.
Result: Any credentials entered on the fake Microsoft login page are now in the attacker’s hands. The attacker can read any personal or company information in the victim’s mailbox and use the compromised account to send further attacks to the victim’s contacts, leading to more compromised accounts.
Why is this attack effective?
Convincing Landing Page: The reCAPTCHA challenge that precedes the landing page helps make the attack convincing, and the page behind it looks nearly identical to the Microsoft Office login page. The only indication that it is not the official Microsoft login page is the URL, “ro-k.xyz”. That domain was registered on November 9, 2020, which makes it highly suspicious, and it has no relationship to Microsoft.
Trend: Microsoft Office has become a common target for impersonation. Attackers use the various Microsoft platforms as lures to get users to reveal their credentials. With so many people working from home, it is important that users remain mindful of possible attacks when opening their email.
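The Payload and Convincing Landing Page sections above both come down to two checks an analyst makes by hand: where the “Recover_Messages” link actually goes, and how recently that domain was registered. The Python script below automates both over an HTML body; it is an added example for this page, not Abnormal Security’s code. The HTML bodies, the brand allow-list, the `example.com` internal domain and the scan date are constructed; the `ro-k.xyz` registration date is the one the post reports, placed in a lookup table so the example runs offline instead of querying WHOIS or RDAP.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the impersonated brand really uses for sign-in (assumed allow-list).
BRAND_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}
# In practice these dates come from WHOIS/RDAP; the table is constructed so
# the example runs offline. The ro-k.xyz date is the one the post gives.
REGISTRATION_DATES = {"ro-k.xyz": date(2020, 11, 9)}
NEW_DOMAIN_DAYS = 30  # anything younger than this is treated as suspicious

# Constructed bodies: the lure from the post, and a benign sign-in notice.
PHISH_BODY = """<p>3 messages were restricted from reaching your inbox.</p>
<a href="http://ro-k.xyz/recover">Recover_Messages</a>"""
LEGIT_BODY = '<a href="https://login.microsoftonline.com/">Sign in</a>'
SCAN_DATE = date(2020, 11, 19)  # constructed: ten days after the registration


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (fine for .com/.xyz, wrong for co.uk-style suffixes)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def assess_link(text, href, internal_domain, today):
    """Flag a link the way an analyst would: where it really goes, and how old that domain is."""
    host = urlparse(href).hostname or ""
    if not host:
        return [f"'{text}' has no host in {href!r}"]
    dom = registrable_domain(host)
    findings = []
    # A genuine mail-system notice links to the brand or to the company itself.
    if dom not in BRAND_DOMAINS and dom != internal_domain:
        findings.append(f"'{text}' leads to {dom}, unrelated to the brand or to {internal_domain}")
    # Freshly registered domains are the norm for credential-phishing pages.
    registered = REGISTRATION_DATES.get(dom)
    if registered is not None:
        age = (today - registered).days
        if age < NEW_DOMAIN_DAYS:
            findings.append(f"{dom} was registered only {age} days before this message")
    return findings


def scan_body(html_body, internal_domain, today):
    """Map every href in the body to its list of findings (empty means clean)."""
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return {href: assess_link(text, href, internal_domain, today)
            for text, href in extractor.links}


if __name__ == "__main__":
    print(scan_body(PHISH_BODY, "example.com", SCAN_DATE))
    print(scan_body(LEGIT_BODY, "example.com", SCAN_DATE))
```

Note that the domain-age check is only as good as the registration data behind it; a domain that is missing from the table produces no finding, so a real deployment should treat a WHOIS/RDAP lookup failure as its own indicator rather than as a clean result.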