SBN

Threat Actors Impersonate Email Security Providers to Steal User Credentials

SEGs Bypassed: Microsoft, Trend Micro, IronPort

By Shirish Lavania, Cofense Phishing Defense Center

In today’s world, each and every organization use email security to secure their infrastructure as email is a common entry point for attackers used for spreading phishing attacks, malwares and other types of threats. To this end, adversaries are continuously trying to bypass secure email gateways to carry out their attacks. Threat actors often disguise harmful URLs within HTML attachments, which makes it more challenging for Secure Email gateways (SEGs) to block them. The Phishing Defence Centre (PDC) analysed a phishing campaign impersonating email security provider to lure recipients into providing their user credentials via malicious HTML attachment.

 Figure 1: Email Body

Figure 1: Email Body

Figure 1 shows the user received an email from Forta, which is likely a misspelling of Fortra. The subject mentions an “essential encrypted company email” and a fake green banner states that the “sender is verified”, in an attempt from the sender to trick the user to click on the attachment. The email instructs the user authenticate with credentials in order to view the secure attached document.

Figure 2: HTML File

Figure 2: HTML File

The attachment in the email shows that the adversaries wanted to make it look legitimate by naming the html as “Secure_FortraATT_2736614.html” which is inside the “Attachment.zip” folder as seen in figure 2.

Threat Actors Impersonate Email Security Providers to Steal User Credentials

Figure 3: Email Body

In Figure 3 we see a similarly styled email that shows Fortra as the sender but makes mention of Proofpoint. The attacker tried to create a false sense of security to convince the user by including the footer “Secured by Proofpoint encryption”.
It is not uncommon for threat actors to use impersonation tactics in order to trick users into believing that an email is genuine.

Once the user clicks on the attachment, it presents a spoofed Microsoft login page with a Microsoft logo on it to make it more familiar to the user as seen in figure 4.

Figure 4: Fake Microsoft Landing Page

Figure 4: Fake Microsoft Landing Page

In figure 5, the threat actor styled the spoofed page as if it was a production login page.

Figure 5: Fake Production Login Page

Figure 5: Fake Production Login Page

Once the users login, the credentials are exfiltrated to the malicious URLs hxxps://office[.]topexecs[.]info/ for figure 4 and hxxps//library-query[.]info/login[.]php for figure 5.

This campaign unveils that the attackers are constantly improving their techniques to lure users and bypass security measures in order to steal useful information. Unfortunately, security solutions such as SEGs may not always be effective in stopping attachment threats and users end up opening them. An attentive user with the help of Cofense Reporter alerted us about this campaign upon realizing that this phishing email is asking for sensitive information.

Indicators of Compromise IP
hxxps//library-query[.]info/login[.]php 138.201.134.162
hxxps://office[.]topexecs[.]info/ 84.247.51.110
74.119.239.234

The post Threat Actors Impersonate Email Security Providers to Steal User Credentials appeared first on Cofense.

*** This is a Security Bloggers Network syndicated blog from Cofense authored by Cofense. Read the original post at: https://cofense.com/blog/threat-actors-impersonate-email-security-providers-to-steal-user-credentials/