Enterprise cloud services used for nasty phishing campaign
Phishing emails — the type that seem to come from legitimate sources but are actually ploys for stealing access credentials or delivering malware — have become even more difficult to spot in recent times. In fact, a newly discovered phishing campaign pretends to come from companies’ help desks and uses enterprise cloud services to pull it off. Here’s how the scam works:
Hackers send an email that seems to come from real IT help desk domains
The email message itself copies a run-of-the-mill notification about emails being withheld from the receiver’s inbox because the mail storage capacity is full. The message has two buttons, namely RELEASE EMAILS and CLEAN-UP CLOUD.
The first option seeks the user’s permission to have the queued emails delivered to their inbox, though this may make the incoming messages bounce or cause mailbox malfunctions. The second option seeks permission to clean their mail server and make room for new messages. The message claims that if the user does not take action, important emails that can’t get to their inbox may be lost completely.
The From field of the email displays “email@example.com” or other similar addresses that a real IT department would use for its corporate help desk. While it is easy to spoof (i.e., make a fake copy of) a sender domain like the one above, examining email headers can reveal that the originating domain is not the same. This mismatch is a telltale sign of email spoofing.
In the new campaign, the originating domain matches the sender domain, allowing the email to bypass spam filters more easily. However, a red flag comes in the form of an intermediary domain in between the originating and sender domains. This means either of two possibilities:
The mail servers of the legitimate domain have been hijacked and are being used by hackers to send emails; or
Hackers sending the email from the intermediary domain found a way to forge the originating domain so that the email doesn’t look spoofed.
A closer inspection of the email headers may also reveal that the message was not validated by email authentication protocols such as DMARC, DKIM, and SPF.
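The header checks described above can be scripted for triage. The following is an added example, not code from the original article: the message, domains, and IP addresses are constructed placeholders, and `org_domain` and `triage` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain and address is a placeholder.
SAMPLE = """\
Return-Path: <helpdesk@corp.example>
Received: from relay.intermediary.example (relay.intermediary.example [198.51.100.7])
    by mail.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.corp.example (unknown [203.0.113.5])
    by relay.intermediary.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mail.recipient.example; spf=none smtp.mailfrom=corp.example;
    dkim=none; dmarc=none header.from=corp.example
From: IT Help Desk <helpdesk@corp.example>
To: user@recipient.example
Subject: Mailbox storage full

Your queued emails are being withheld.
"""

def org_domain(host):
    # Simplification: keep the last two labels; real code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, recipient_domain):
    """Return header findings for one raw message received by recipient_domain."""
    msg = message_from_string(raw)
    ours = org_domain(recipient_domain)
    from_dom = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    findings = []
    rp = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    if rp and org_domain(rp) != from_dom:
        findings.append(f"return-path domain {rp} differs from From domain {from_dom}")
    # Received lines added before our own server are sender-controlled: a hit is a lead, not proof.
    for hop in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", hop)
        if m and org_domain(m.group(1)) not in (from_dom, ours):
            findings.append(f"intermediary relay: {m.group(1)}")
    # Only trust Authentication-Results stamped by our own receiving server.
    auth = " ".join(v for v in msg.get_all("Authentication-Results", [])
                    if org_domain(v.split(";")[0].strip()) == ours).lower()
    for mech in ("spf", "dkim", "dmarc"):
        r = re.search(rf"\b{mech}=(\w+)", auth)
        if not r or r.group(1) != "pass":
            findings.append(f"{mech} not validated ({r.group(1) if r else 'absent'})")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "recipient.example"):
        print(finding)
```

On the constructed sample, the From and Return-Path domains match, so the classic spoofing check stays silent; the findings come from the intermediary relay and the three unvalidated authentication results.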
Cybercriminals use enterprise cloud services to host their landing pages
When the phishing email recipient clicks on either of the two buttons provided in the email body:
They are led to a page with a legitimate Microsoft Dynamics 365 URL, which immediately redirects to…
...a phishing landing page that’s hosted on IBM Cloud. There, they’ll be asked to log in to update their account. However, this is a spoofed login page from which cybercriminals can steal the victim’s access credentials.
A savvy user might enter fake credentials to test the login page. However, if the false password they provide lacks the length or complexity required by IBM Cloud, then they’ll be greeted with a “Wrong password” error message. This helps to erase doubts about the login page’s authenticity.
When the victim enters their real access credentials, the cybercriminals steal these. The victim is then led to a fake settings update confirmation page, which is hosted on Microsoft Azure.
Often, poorly crafted phishing landing pages don’t have Secure Sockets Layer (SSL) certificates. This glaring absence makes it easy for web browsers to mark such pages as unsafe. However, cybercriminals work around this by having the domains of their landing pages hosted on IBM Cloud, Microsoft Azure, and Microsoft Dynamics. This way, the pages get free SSL certificates that mask their illicit nature.
The identifiers of this type of email phishing campaign are far less noticeable than the usual phishing markers like mismatched originating and sender domains. Your organization needs to keep abreast of the latest cybersecurity developments — or better yet, have an ally in an astute service provider like SimplyClouds.