Security researchers observed that malicious actors had incorporated a targeted company’s homepage into a message quarantine phishing campaign.

The Cofense Phishing Defense Center found that the phishing campaign began with an attack email that disguised itself as a message quarantine notification from the targeted company’s IT department.


The email informed the recipient that the company’s email security service had quarantined three messages, which included two pieces of correspondence deemed “valid” by that service.

It then informed the recipient that the email security service would delete those messages within three days unless they reviewed those emails by clicking on an embedded “Review Messages Now >>” link.

A screenshot of the phishing email. (Source: Cofense)

In the event that the recipient interacted with the link, the campaign sent them to a login screen that appeared to be hosted on the company’s website.

Cofense examined the technique in more detail. It observed that the phishing link was designed to pull in the homepage of the company named in the domain of the original recipient's email address. As quoted from its research:

… [F]urther analysis has determined that the page being seen is actually the company’s website home page with a fake login panel covering it. This gives the employee a greater comfort level, by displaying a familiar page. It is also possible to interact with this page by moving outside of the overlay, showing that it is the actual page they have seen and used before.

The overlay prompted the user to authenticate with their company account in the fake login form. On submission, the campaign sent the victim's credentials to a server under the attackers' control.

The phishing page with an overlay covering Cofense’s homepage. (Source: Cofense)
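One practical check this technique raises: can your own homepage be rendered inside a frame controlled by someone else? The following is an added example, not code from Cofense or from the campaign, and it assumes (the article does not say) that the attackers embedded the real homepage in an iframe beneath the overlay. A site that sends a Content-Security-Policy `frame-ancestors` directive or an `X-Frame-Options` header refuses to render in a third-party frame, which forces a phisher to proxy or copy the page instead and loses the "interact with the real page" effect described above. The sample header sets and the origins `www.example.com` and `phish.invalid` are constructed for the example; the check runs offline against them.

```python
"""Would a browser render a site inside a frame served from another origin?

Precedence as implemented by current browsers: a CSP frame-ancestors
directive wins; X-Frame-Options is consulted only when no frame-ancestors
directive is present; with neither header, framing is allowed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _split_origin(origin: str):
    """Return (scheme, host, port) for an origin such as https://example.com:8443."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def _source_matches(source: str, framer: str, site: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin."""
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _split_origin(framer) == _split_origin(site)
    if src == "*":
        return True
    f_scheme, f_host, f_port = _split_origin(framer)
    # scheme-source such as "https:" matches any host served over that scheme
    if src.endswith(":") and "/" not in src:
        return f_scheme == src[:-1]
    # host-source: [scheme://]host[:port], where host may start with "*."
    if "://" in src:
        s_scheme, rest = src.split("://", 1)
    else:
        s_scheme, rest = _split_origin(site)[0], src  # no scheme: inherit the site's
    if f_scheme != s_scheme and not (s_scheme == "http" and f_scheme == "https"):
        return False
    host, _, port = rest.partition(":")
    if host.startswith("*."):
        if not f_host.endswith(host[1:]):  # "*.example.com" -> ".example.com"
            return False
    elif host != f_host:
        return False
    if port and port != "*" and int(port) != f_port:
        return False
    if not port and DEFAULT_PORTS.get(f_scheme) != f_port:
        return False
    return True


def framing_allowed(headers: dict, site_origin: str, framer_origin: str) -> bool:
    """True if site_origin would render inside a frame on framer_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # an empty source list behaves like 'none'
            return any(_source_matches(s, framer_origin, site_origin) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _split_origin(framer_origin) == _split_origin(site_origin)
    # Any other value (including the obsolete ALLOW-FROM) is ignored by current
    # browsers, so the header gives no protection.
    return True


# Constructed sample responses for the example; not captured from any real site.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def audit(site_origin="https://www.example.com", framer_origin="https://phish.invalid"):
    """Report, per sample response, whether a phishing origin could frame the site."""
    return {name: framing_allowed(h, site_origin, framer_origin) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name:18} framing by phishing origin: {'ALLOWED' if allowed else 'blocked'}")
```

The `csp_overrides_xfo` case is the one to watch for in a real audit: a permissive `frame-ancestors` silently cancels an `X-Frame-Options: DENY` that someone added earlier. Note the limit of the check: these headers stop only in-browser framing; if the attackers fetched the homepage server-side and re-served a copy, no response header on the original site would have prevented it.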

This attack highlights the need for