03 April 2020 Kathmandu
An effective spoofing campaign claims to inform users about new COVID-19 cases in their local area, scooting past Proofpoint and Microsoft Office 365 ATPs.
Threats are still steady, if not growing, amid the COVID-19 pandemic. Cybercriminals continue to capitalize on fears surrounding the coronavirus outbreak. The most recent example is a campaign that effectively bypasses Proofpoint and Microsoft 365 Advanced Threat Protection (ATP).
Both products are widely deployed as front-line email protection. Even so, attackers found a way past them to lure users into their phishing campaign.
The Cofense Phishing Defense Center (PDC) discovered the new phishing campaign that uses socially engineered emails claiming access to important information on COVID-19 cases in the receiver’s local area.
Phishing Campaign 101
According to the researchers, the emails evade basic security checks and sidestep detection logic, allowing the attackers to steal users' Microsoft credentials.
Even though secure email gateways are deployed precisely to keep users from clicking on malicious links and attachments, both gateways failed against this new phishing attack.
According to Cofense, these emails don’t include specific names or greetings in the body of the messages. This suggests that they are being sent out to a broad target audience.
“While these secure email gateways (SEGs) are designed to safeguard end users from clicking on malicious links and attachments, both failed in a new phishing attack we recently observed,” Cofense researcher Kian Mahdavi wrote in a post.
How This Phishing Campaign Works
To avoid detection by the ATPs, the threat actor impersonates the domain splashmath[.]com, an online learning game for children, and sends from a spoofed IP address located in the United States, 167[.]89[.]87[.]104.
On further investigation, researchers found that the emails sent to a number of people did not actually originate from the spoofed address. Instead, they came from an IP address corresponding to the Lithuanian city of Kaunas.
This made the researchers believe that a single individual was behind the campaign.
“[Because of the proxy], the email slipped past basic security checks, such as DKIM and SPF,” Mahdavi wrote.
According to the research, the attackers are not only impersonating a trusted sender's email address. They also use keywords in the sender address and subject to convince the targeted victim that the information comes from a trusted source on COVID-19.
For instance, the words “WHO” and “community” in the sender address (who[.]int-community[.][email protected] splashmath[.]com) are meant to make the user believe the mail is from the World Health Organization (WHO).
Similarly, the subject line, “HIGH-RISK: New confirmed cases in your city”, is designed to make users believe it is an important and legitimate email.
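Header-level triage of a message like the one described above, as an added example that is not part of the article or of Cofense's research. The raw message, the hostnames, the IP addresses (taken from the RFC 5737 documentation ranges) and the SPF record are all constructed, and the "lookalike local part" heuristic and the minimal SPF evaluator are this example's own simplifications. It shows why an SPF check that only evaluates the host that handed the mail to the receiving MX can pass while the earliest hop in the Received chain lies outside the sender domain's policy, and it flags the WHO/community keyword pattern and the urgency subject mentioned in the article.

```python
"""Added example (not code from the article or from Cofense): header-based
triage of a suspicious message. Message, domains, IPs and SPF record are
constructed for illustration."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Received headers read top-down from the
# receiving MX back to the original submitter: the relay that talked to our
# MX sits inside the sender domain's SPF range, the earliest hop does not.
SAMPLE_RAW = """\
Received: from relay.lookalike-sender.example (relay.lookalike-sender.example [203.0.113.10])
\tby mx.defender.example with ESMTP id ABC123; Fri, 3 Apr 2020 09:12:00 +0000
Received: from unknown (HELO client) ([198.51.100.25])
\tby relay.lookalike-sender.example; Fri, 3 Apr 2020 09:11:58 +0000
From: "WHO Community Alerts" <who.int-community.example@lookalike-sender.example>
To: staff@defender.example
Subject: HIGH-RISK: New confirmed cases in your city
Content-Type: text/plain

Please review the attached list of confirmed cases in your area.
"""

# Constructed stand-in for a DNS TXT lookup: sender domain -> SPF record.
SPF_RECORDS = {
    "lookalike-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SENDER_KEYWORDS = ("who", "int", "community")


def received_ips(raw):
    """Return the bracketed IPv4 address of every Received hop, newest first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def spf_allows(domain, ip, records=SPF_RECORDS):
    """Minimal SPF evaluation over ip4 mechanisms only (no include/redirect).
    Returns True/False, or None when the domain publishes no record."""
    record = records.get(domain)
    if not record:
        return None
    addr = ipaddress.ip_address(ip)
    for mech in record.split():
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return True
    return False


def lookalike_local_part(from_header):
    """Return org-looking tokens ('who', 'int', 'community') found in the local
    part of an address whose actual domain is not who.int."""
    _, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    tokens = re.split(r"[.\-_]", local.lower())
    hits = [t for t in tokens if t in SENDER_KEYWORDS]
    return hits if domain and not domain.endswith("who.int") else []


def triage(raw, records=SPF_RECORDS):
    """Return a list of findings for the message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    from_header = msg.get("From", "")
    domain = parseaddr(from_header)[1].rpartition("@")[2]

    hops = received_ips(raw)
    if len(hops) > 1:
        first_hop, origin = hops[0], hops[-1]
        # SPF is evaluated against the host that connected to our MX; if that
        # passes but the earliest hop is outside the policy, the mail was relayed.
        if spf_allows(domain, first_hop, records) and spf_allows(domain, origin, records) is False:
            findings.append(f"origin-outside-spf:{origin}")

    hits = lookalike_local_part(from_header)
    if hits:
        findings.append("lookalike-local-part:" + ",".join(hits))

    subject = msg.get("Subject", "").lower()
    if "high-risk" in subject or "confirmed cases" in subject:
        findings.append("urgency-subject")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print(finding)
```

Only the Received header added by your own MX is trustworthy; every earlier hop is written by hosts the sender controls and can be forged, so the origin check is a triage heuristic rather than proof of where the mail came from. The keyword and subject checks are deliberately narrow to the pattern the article describes and would need tuning before use on real traffic.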
Malicious Links Evade Detection
Cofense observed several malicious links used in the campaign, including:
Additionally, when users click these links they are shown a high-quality spoofed Microsoft login page, which makes the lure highly convincing.
Once users enter their Microsoft credentials on that page, the credentials go straight to the threat actor.
This is not the first time attackers have used coronavirus-related keywords to lure users into clicking malicious links. In this campaign, the links lead to a Microsoft-branded credential phish built to harvest users' credentials.