{"id":89586,"date":"2021-02-03T18:08:44","date_gmt":"2021-02-03T12:38:44","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=89586"},"modified":"2023-06-20T16:54:28","modified_gmt":"2023-06-20T11:24:28","slug":"spear-phishing-targets-microsoft-to-amass-large-numbers-of-credentials","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/spear-phishing-targets-microsoft-to-amass-large-numbers-of-credentials\/","title":{"rendered":"Spear Phishing targets Microsoft to amass large numbers of credentials"},"content":{"rendered":"

We observed a considerable uptick in Phishing Attacks<\/a> during the COVID-19 pandemic. During our analysis, we came across a Spear Phishing Campaign<\/a> targeting high-profile individuals for credential harvesting. The emails that we analysed link to fake login pages mimicking Office 365 logins for the victim organizations.<\/p>\n

\"Fig.
Fig. 1 – Phishing attack flow<\/figcaption><\/figure>\n

Here is the technical analysis of a few of these Spear Phishing emails:<\/p>\n

Tax-invoice mail<\/h2>\n

Instances of malicious emails sent to high-value targets consisting of genuine-looking Tax-invoice(s)<\/strong> marked as confidential were observed in this campaign. This communication includes COVID-19 related information and senders\u2019 details \u2014 the latter pretends to be CEO of a bank from an east African country. However, the corresponding domain name is spoofed as the targeted user\u2019s organization\u2019s finance department (blurred in red) in an attempt to make the email appear as legitimate as possible.<\/p>\n

\"Fig.
Fig. 2 – Fake Tax Invoice email<\/figcaption><\/figure>\n

In the image above, the domain \u2018tld\u2019<\/strong> in the \u2018sent from\u2019 indicates that is related to the African country of Malawi<\/strong>.<\/p>\n

A malicious URL is embedded in the call to action in this email as seen below –<\/p>\n

https[:]\/\/AAAA[.]israelandamerica[.]com\/95125?[base64-encoded-targetID]=&&mic#73747?xxxx=xxxx=<\/em><\/strong><\/p>\n

This URL contains the targeted user organization name (AAAA) as sub-string & target victim email ID in base64 encoded format.<\/p>\n

When the targeted user clicks on open, it will redirect and land on a fake page with a different URL as shown below. The fake phishing page looks exactly like Microsoft Office\u2019S Login Page. Redirected URL can have targeted user organization\u2019s sub-string to make the user believe about the legitimacy of the website.<\/p>\n

Targeted email Id is rendered from embedded URLs as base64 encoded.<\/p>\n

\"Fig.
Fig. 3 \u2013 Fake Landing Page<\/figcaption><\/figure>\n

In the below image, organizational (blurred) sub-string are present along with the logo of the organization with the target\u2019s email ID.<\/p>\n

\"Fig.4
Fig.4 – Password field<\/figcaption><\/figure>\n

To make this look all the more genuine, the attacker also displays an important message for the targeted user.<\/p>\n

No matter what password is inputted, this step will always error out tricking the user into clicking \u2018reset password\u2019. Once, reset password clicked, It will open a similar login page with a new URL which includes encoded email ID to render.<\/p>\n

 <\/p>\n

\"Fig.5
Fig.5 – Password reset page<\/figcaption><\/figure>\n

 <\/p>\n

During traffic analysis, we found that entered password along with email ID is posted to a remote server in background traffic.<\/p>\n

\"Fig.6
Fig.6 – Posting Credentials to the remote server<\/figcaption><\/figure>\n

Targeted user\u2019s email\/password<\/strong> is sent with user\/pass<\/strong> parameters in POST request.<\/p>\n

TLS certificate for this domain has a short-term validity from 30-Dec-20 to 30-March-21 \u2014IPs 199.19.225.191 & 20.37.247.74 are found & associated with domains during analysis. The domain lifespan was short & it also identified the multiple browser\/user agent after some attempts and redirects to normal websites with domain numerical sub string changes in each attempt.<\/p>\n

It is also identified that attacker to be targeting top-level officials from various organizations with encoded email Ids which appear like the attacker\u2019s \u2018Hitlist\u2019<\/p>\n

Phishing email with Voice mail as an attachment<\/h2>\n

Similar phishing attempt was identified with embedded script in audio message emails as below. In this type of attack, the email contains a Japanese domain, mapped with the target organization\u2019s name which is \u2018CALLER\u2019 in this instance.<\/p>\n

\"Fig.1
Fig.1 – Email from the attacker<\/figcaption><\/figure>\n

The script embedded in the mail had hex-encoded code with an URL that lands to a phishing site<\/a>.\u00a0Hidden parts contain base64 encoded in targeted user email ID.<\/p>\n

\"Fig.2
Fig.2 – Hex encoded script<\/figcaption><\/figure>\n

 <\/p>\n

\"Fig.3
Fig.3 – Decoded script<\/figcaption><\/figure>\n

In the above-decoded script, phishing<\/a> URL can be seen wherein the parameter \u201ce\u201d<\/strong> contains the base64 encoded value of the target user\u2019s email id. Once the above script is executed, the user gets redirected to a phishing page.<\/p>\n

\"Fig.4-
Fig.4- reCaptcha validation<\/figcaption><\/figure>\n

In the image below, we can see a fake Office 365 landing page with the organization\u2019s logo. Email ID of the target user is rendered from encoded script URL parameter value.<\/p>\n

\"Fig.5
Fig.5 – Fake credential input page<\/figcaption><\/figure>\n

After entering the password, It gives an error for the 1st attempt \u2014 it would show validation success message then redirect voice audio clip. The credentials would be posted to a remote server.<\/p>\n

\"\"<\/p>\n

 <\/p>\n

The audio clip is a short mp3 message regarding a request to call. Re-attempt for main kfd-d0k[.]club may lead to normal websites. Subdomains are related to Latin America with a short lifespan and TLS certificates are also valid for a few months.<\/p>\n

\u201cTo execute spear phishing<\/strong> attacks, malicious vectors would have the list of target email Ids and organizational details. Exploitation attempts can be initiated via emails\/IM or any other methods with embedded scripts\/URLs. The end goal of attackers is to harvest the credentials of the high-value individuals to disturb the organizations, lead to scams, steal critical information, etc<\/em>.<\/em><\/p>\n

Tips to spot phishing attacks<\/h2>\n

 <\/p>\n

Validate Email Sender details<\/strong>: Validate the sender’s email ID & names to check Impersonation.<\/p>\n

Check Subject Line<\/strong>:\u00a0 Check for words like urgency, Important & financial nature in the subject line.<\/p>\n

Verify the Links and Attachments<\/strong>: Check legitimacy by hovering over the links, scan the attachments.<\/p>\n

Message Content & Email format<\/strong>:\u00a0 Carefully read the nature of the email, intention, check grammatical errors & visual style and verify email signature.<\/p>\n

Subject Matter Experts<\/h3>\n

Prashant Tilekar<\/strong><\/p>\n

Shiv Mohan<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

We observed a considerable uptick in Phishing Attacks during the COVID-19 pandemic. During our analysis, we came across a Spear Phishing Campaign targeting high-profile individuals for credential harvesting. The emails that we analysed link to fake login pages mimicking Office 365 logins for the victim organizations. Here is the technical analysis of a few of […]<\/p>\n","protected":false},"author":84,"featured_media":89619,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1772],"tags":[72,1773,365],"class_list":["post-89586","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-spear-phishing","tag-microsoft","tag-office-365","tag-spear-phishing"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89586"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/84"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89586"}],"version-history":[{"count":12,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89586\/revisions"}],"predecessor-version":[{"id":91530,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89586\/revisions\/91530"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/89619"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}