Nov 7, 2021

Proofpoint Phish Harvests Microsoft O365, Google Logins

A savvy campaign impersonating the cybersecurity company skated past Microsoft email security.
Phishers are impersonating Proofpoint, the cybersecurity firm, in an attempt to make off with victims’ Microsoft Office 365 and Google email credentials.
Researchers at Armorblox spotted one such campaign aimed at an unnamed global communications company, with nearly a thousand employees targeted within that one organization.
“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”

The email lure was a file purportedly linked to mortgage payments. The subject line, “Re: Payoff Request,” was geared to fool targets into thinking it was part of ongoing correspondence, which adds an air of legitimacy while also lending urgency to the proceedings.
“Adding ‘Re’ to the email title is a tactic we have observed scammers using before – this signifies an ongoing conversation and might make victims click the email faster,” according to the analysis.
If users clicked on the “secure” email link embedded in the message, they were taken to the splash page with Proofpoint branding and the login spoofs.
“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”
Because the phish replicated workflows that already exist in many users’ daily lives (i.e., receiving email notifications when files are shared with them via the cloud), attackers were banking on users not questioning the emails too much, researchers noted.
“When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action,” according to the analysis.
In terms of infrastructure, the email was sent from a compromised but legitimate email account belonging to a fire department in Southern France. This helped the phish evade detection by Microsoft’s native email security filters, according to Armorblox, which noted that the emails were marked with a spam risk level of “1.” In other words, they weren’t flagged as spam at all.
The phishing pages themselves were hosted on the “greenleafproperties[.]co[.]uk” parent domain.
“The domain’s WhoIs record shows it was last updated in April 2021,” researchers said. “The URL currently redirects to ‘cvgproperties[.]co[.]uk.’ The barebones website with questionable marketing [increases] the possibility that this is a dummy site.”
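As an added illustration (not part of the Armorblox or Threatpost material), the following triage check looks for the lure pattern described above from a defender's side: a “Re:” subject with no threading headers, a brand named in the body whose links all lead to an unrelated domain, and a low Exchange spam confidence score despite those indicators. The sender, recipient and link hosts are constructed placeholders, and BRAND_DOMAINS is an assumed mapping, not an authoritative list.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Brands a lure may name, mapped to registrable domains a genuine link from
# that brand would use. An illustrative assumption, not an authoritative list.
BRAND_DOMAINS = {
    "proofpoint": {"proofpoint.com", "pphosted.com"},
    "microsoft": {"microsoft.com", "office.com", "microsoftonline.com"},
    "google": {"google.com", "googleusercontent.com"},
}
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample mirroring the lure described in the article; the sender
# and link hosts are placeholders, not the campaign's real infrastructure.
SAMPLE_EML = """\
From: Sender <sender@example-fire-dept.invalid>
Subject: Re: Payoff Request
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/html; charset="utf-8"

<html><body><p>You have received a secure file via Proofpoint.</p>
<a href="https://files.example-hosting.invalid/secure/view">Open secure file</a>
</body></html>
"""
def registrable(host):
    # Last-two-labels heuristic; production code should consult a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def triage(raw_message):
    """Return the lure indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip()
    # 1. Reply prefix on a message that carries no threading headers at all.
    if re.match(r"(re|fwd?)\s*:", subject, re.I) and not (msg["In-Reply-To"] or msg["References"]):
        findings.append("reply_prefix_without_thread_headers")
    # 2. A brand named in the body whose links all resolve to some other domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hosts = {urlparse(u).hostname or "" for u in HREF_RE.findall(text)}
    for brand in (b for b in BRAND_DOMAINS if b in text.lower()):
        if hosts and not any(registrable(h) in BRAND_DOMAINS[brand] for h in hosts):
            findings.append(f"brand_link_mismatch:{brand}")
    # 3. Native filter scored it clean (SCL <= 1) even though indicators fired.
    scl = msg["X-MS-Exchange-Organization-SCL"]
    if scl is not None and int(str(scl)) <= 1 and findings:
        findings.append("low_scl_despite_indicators")
    return {"subject": subject, "link_hosts": sorted(hosts), "findings": findings}
```

Run `triage(SAMPLE_EML)` to see all three indicators fire on the constructed sample; a message with proper In-Reply-To headers and links on the named brand's own domain produces no findings.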
Attacks like these combine social engineering, brand impersonation and legitimate infrastructure to bypass traditional email security filters and users’ eye tests. To protect against such campaigns, Armorblox offered the following advice: