Credential Phishing Email Attack Flow
To build trust with the victim, this email attack impersonated a recognized brand: the attackers reused the brand's legitimate logos and company branding throughout the malicious email and paired it with a fake landing page built to exfiltrate the victims' sensitive PII.
Researchers say the email was titled “[External] For name of recipient on Today, 2022”, with each user’s actual name inserted as the recipient. The body of the email claimed the recipient had two messages awaiting a response.
The body of the email held two malicious URLs: one behind the main call-to-action button and the other disguised as an unsubscribe link.
“The email included a Zoom logo at the top in order to instill trust in the recipient that the email communication was a legitimate business email communication from Zoom – instead of a targeted, socially engineered email attack”, Armorblox researchers said.
The email took victims to a fake landing page that closely resembled a legitimate Microsoft login page, where they were prompted to enter their Microsoft account password (sensitive PII).
Notably, the attackers used a valid domain that displayed a ‘trustworthy’ reputation score, with just one infection reported in the previous 12 months.
“The email attack bypassed native Microsoft Exchange email security controls because it passed all email authentication checks: DKIM, SPF, and DMARC”, Armorblox said.
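The point above is that SPF, DKIM and DMARC only vouch for the sending domain, not for the brand shown in the message. The following added example (not Armorblox's code or the original message) parses a constructed email modelled on this attack and flags brand impersonation even though the authentication results all read pass; the sender and link domains and the brand-domain list are assumptions for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the attack described above (not the real message).
RAW_EMAIL = """\
From: Zoom <notifications@mailer-example.test>
To: jane.doe@victim.example
Subject: [External] For Jane Doe on Today, 2022
Authentication-Results: mx.victim.example; spf=pass dkim=pass dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://cdn.example.test/zoom-logo.png" alt="Zoom">
<p>You have 2 messages awaiting your response.</p>
<a href="https://login-portal.example.test/auth">Review messages</a>
<a href="https://login-portal.example.test/unsub">Unsubscribe</a>
</body></html>
"""

# Domains the impersonated brand legitimately sends from and links to (assumed list).
BRAND_DOMAINS = {"zoom": {"zoom.us", "zoom.com"}}

def auth_passed(msg):
    """True when SPF, DKIM and DMARC all report pass in Authentication-Results."""
    results = msg.get("Authentication-Results", "")
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def link_domains(msg):
    """Hostnames of every href in the HTML body (call-to-action and unsubscribe alike)."""
    body = msg.get_body(preferencelist=("html",)).get_content()
    return {urlparse(h).hostname for h in re.findall(r'href="([^"]+)"', body)}

def analyse(raw):
    """Return findings explaining why an authenticated mail is still suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    display, sender_domain = sender.display_name.lower(), sender.domain.lower()
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in display:
            continue  # the message does not claim to be this brand
        if sender_domain not in domains:
            findings.append(f"display name claims {brand} but sender domain is {sender_domain}")
        foreign = sorted(d for d in link_domains(msg) if d not in domains)
        if foreign:
            findings.append(f"{brand}-branded mail links to {foreign}")
    if findings and auth_passed(msg):
        findings.append("SPF/DKIM/DMARC pass only vouches for the sending domain, not the brand")
    return findings
```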
Armorblox acted quickly and blocked the emails from reaching unsuspecting recipients. Researchers therefore recommended that organizations augment built-in email security with additional layers that take a materially different approach to threat detection.
They also advised users to watch for social engineering cues, and organizations to implement multi-factor authentication and password management best practices to reduce the impact of stolen credentials.