A large-scale phishing campaign has been identified that dynamically generates its content. Unlike a generic phishing attempt, this approach tailors the phishing page to the targeted organisation. As with a spear-phishing attack, this tailoring adds legitimacy, because the phishing site appears far more convincing to the victim.
The attack has two key components: the malicious email that carries the link, and the phishing site used to harvest user credentials.
Researchers have identified that the emails are sent from the account of an initial victim (patient zero) that has already been compromised. The compromised account is first used to email a large number of internal contacts within the organisation, and then to mass-mail external contacts in order to compromise further users. Because the email genuinely comes from a real account, particularly one inside the organisation, recipients are inclined to treat it as safe mail from a colleague.
The email itself is fairly simple and could be recognised as a scam by a wary user. It is largely blank apart from a button labelled “Display this message” or “Display trusted message”. Clicking the button does not display any message; it sends the victim to the phishing site.
An example of what is displayed in the email can be seen below:
On visiting the phishing site, the content is generated dynamically from the domain part of the victim’s email address (the suffix after the @). The site pulls in the target company’s logo and favicon to produce a convincing login page, which harvests the victim’s credentials along with information about the victim and their device.
Further research shows that the phishing sites are spread across multiple domains that change regularly and are hosted on short-lived Azure servers, so many threat intelligence providers do not yet flag them as malicious.
An example of what the phishing page would look like for a user with the email suffix “@marks-and-spencer.com” can be seen below:
How can I prevent this?
Recommended preventative actions for this attack method are as follows:
- Enable auditing in Office 365 and generate email alerts on logon activity from unexpected source countries, and on users configuring email forwarding rules (a common way for an attacker to keep reading a compromised mailbox after the password is changed).
- Ensure your business has a correctly configured SPF record (backed by DKIM and a DMARC policy) to reduce the chance of being the victim of email spoofing attacks, and to reduce the risk of trusted third parties, clients and supply chain partners receiving spoofed mail in which an attacker poses as your business. Note that SPF does not stop the internal spread of this particular campaign: the emails are genuinely sent from a compromised account and therefore pass sender checks. Its value here is in protecting your domain from being spoofed.
- Enable multi-factor authentication for Office 365 accounts wherever possible, prioritising high-value users such as directors, IT staff, the finance department and managers. With MFA in place, a password harvested by a page like this one is not enough on its own to take over the account.
- It is essential that all employees are trained to detect, report and help prevent common attack methods such as phishing emails, fraud and common malware distribution methods such as exploit kits or Trojans. This training should be kept up to date so that employees are aware of new trends in attack methods, reducing the security risk to the business.
- Subscribe to a threat intelligence provider who keeps up to date with the latest attack trends and provides actionable block lists, so that even if a user falls for a phishing email, a phishing page already seen by security researchers will be blocked. Bear in mind that the short-lived hosting described above means block lists will lag behind newly registered phishing domains.
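The first recommendation above asks for alerts on logons from unexpected countries and on newly created forwarding rules. The following is an added example of that detection logic, not code from the original article or from any vendor. It runs over constructed sample records shaped like the AuditData JSON that `Search-UnifiedAuditLog` returns for the `UserLoggedIn`, `New-InboxRule`, `Set-InboxRule` and `UpdateInboxRules` operations; the tenant domain, the allowed-country list and the IP-to-country table are assumptions (the table stands in for a real GeoIP database).

```python
"""Detection logic over Office 365 unified audit log records (added example).

Flags two behaviours worth alerting on after a mailbox compromise:
  * inbox rules that forward or redirect mail, especially to an external domain
  * successful logons from a source country outside the allow list

All records below are CONSTRUCTED samples; the GEOIP table is a stand-in
for a real GeoIP lookup.
"""
import ipaddress
from typing import Dict, List, Optional

ORG_DOMAIN = "example.com"           # assumed tenant domain
ALLOWED_COUNTRIES = {"GB", "IE"}     # assumed: where staff normally log on from

# Assumption: stand-in for a GeoIP database, keyed by CIDR block.
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "NG",
}

# Inbox-rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

SAMPLE_LOG = [  # constructed records in the shape of Search-UnifiedAuditLog AuditData
    {"CreationTime": "2019-11-04T09:12:31", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "j.smith@example.com",
     "ClientIP": "198.51.100.23", "ResultStatus": "Succeeded"},
    {"CreationTime": "2019-11-04T09:15:02", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory", "UserId": "j.smith@example.com",
     "ClientIP": "203.0.113.77", "ResultStatus": "Succeeded"},
    {"CreationTime": "2019-11-04T09:16:40", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "j.smith@example.com",
     "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-11-04T10:01:00", "Operation": "New-InboxRule",
     "Workload": "Exchange", "UserId": "a.jones@example.com",
     "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
]


def country_for(ip: str) -> Optional[str]:
    """Return the ISO country code for an IP, or None if unknown (treated as suspicious)."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None


def analyse(records: List[Dict]) -> List[Dict]:
    """Walk the audit records and return a list of alert dicts."""
    alerts = []
    for rec in records:
        op = rec.get("Operation")
        if op == "UserLoggedIn" and rec.get("ResultStatus") == "Succeeded":
            cc = country_for(rec["ClientIP"])
            if cc not in ALLOWED_COUNTRIES:
                alerts.append({"type": "foreign_logon", "user": rec["UserId"],
                               "ip": rec["ClientIP"], "country": cc,
                               "time": rec["CreationTime"]})
        elif op in RULE_OPERATIONS:
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            targets = [params[k] for k in FORWARDING_PARAMS if k in params]
            if not targets:
                continue  # rule only moves/flags mail; not a forwarding rule
            external = any(not t.lower().endswith("@" + ORG_DOMAIN) for t in targets)
            # Forwarding outside the tenant, or forwarding plus deleting the original
            # (hiding the leak from the mailbox owner), is the high-severity case.
            severity = "high" if external or params.get("DeleteMessage") == "True" else "medium"
            alerts.append({"type": "forwarding_rule", "user": rec["UserId"],
                           "ip": rec["ClientIP"], "targets": targets,
                           "external": external, "severity": severity,
                           "time": rec["CreationTime"]})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In a live tenant the same records come from `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,UserLoggedIn` in Exchange Online PowerShell; the JSON in each result's `AuditData` field is what `analyse` expects. A country lookup that returns nothing is deliberately treated as outside the allow list rather than ignored.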
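To make the SPF recommendation concrete, here is an added example of a minimal SPF evaluator (a small subset of RFC 7208) that shows a weakly configured record beside a corrected one. It is not code from the original article. DNS is a constructed in-memory table: the `weak.example` and `corrected.example` domains and their records are assumptions, and the entry for `spf.protection.outlook.com` is an abridged stand-in, not the real published record. Only the `ip4`, `include` and `all` mechanisms are implemented.

```python
"""Minimal SPF evaluator (added example; subset of RFC 7208).

Shows two things the recommendation above relies on:
  * the terminal 'all' qualifier decides what happens to spoofed mail:
    '~all' (softfail) is usually still delivered, '-all' (fail) is not
  * SPF only checks the sending server, so mail sent from a genuinely
    compromised account leaves the tenant's own servers and passes

DNS_TXT is a CONSTRUCTED table standing in for live TXT lookups.
"""
import ipaddress

DNS_TXT = {
    # Weak: softfail lets spoofed mail through at most receivers.
    "weak.example": "v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com ~all",
    # Corrected: hard fail for anything not explicitly authorised.
    "corrected.example": "v=spf1 ip4:198.51.100.0/24 include:spf.protection.outlook.com -all",
    # Abridged stand-in for the Office 365 include record (assumption, not the real one).
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a mail received from `sender_ip`."""
    if depth > 10:  # RFC 7208 limit on DNS-querying mechanisms; stops include loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub = check_spf(arg, sender_ip, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # a broken include breaks the whole record
            matched = sub == "pass"
        else:
            return "permerror"  # mechanism outside this subset (a, mx, exists, ...)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no terminal 'all'


def demo() -> dict:
    """Compare the weak and corrected records against a spoofer and a tenant server."""
    attacker_ip = "203.0.113.5"  # constructed: a host the domain never authorised
    tenant_ip = "40.92.10.10"    # inside the (stand-in) Office 365 include range
    return {
        "weak_spoofed": check_spf("weak.example", attacker_ip),
        "corrected_spoofed": check_spf("corrected.example", attacker_ip),
        # A compromised account sends from the tenant's own servers and passes
        # regardless of how strict the record is.
        "corrected_legit": check_spf("corrected.example", tenant_ip),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A `fail` result only matters if receivers act on it, which is what a DMARC policy of `p=reject` instructs them to do; without it a hard fail is often treated much like a softfail. The `corrected_legit` case is the caveat given in the recommendation: the campaign's emails come from a real compromised account, so they pass this check and SPF cannot stop that leg of the attack.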