An uptick in phishing attempts using a fake, poorly built Office 365 credential-update form disguised as a Google Docs page is taking place, according to a new Cofense report.
Cofense discovered that the phishing emails originated from a compromised automated mail account with privileged access to financial services provider CIM Finance. By using CIM Finance's website to send their phishing emails, the attackers ensured that their messages passed standard email authentication checks such as DKIM and SPF.
After gaining control of an email account with privileged access at CIM Finance, the attackers used the CIM Finance website to send a stream of phishing emails. These cleared the first line of email security checks because they originated from a legitimate source.
Cyber-criminals used Google Docs for phishing campaigns
Cofense's Europe director Dave Mount told SC Media that phishing threat actors have long abused cloud services to deliver malicious payloads through Google Forms.
"In this campaign and others like it, Google Forms is used to create faux Microsoft login pages to harvest corporate user credentials."
The emails themselves masqueraded as notifications from the IT team informing recipients that their Office 365 needed updating to prevent the suspension of their accounts. By creating this sense of urgency, the attackers tried to pressure recipients into clicking the "Update Now" button.
Appearing to come from the "IT company team," the email also tells the target that their Office 365 has expired and needs to be "updated" soon. Targets who panic and click the phishing link enter their details into a poor copy of the Microsoft Office 365 login page. A discerning eye can spot the danger here, Cofense's blog noted.
According to Cofense, the threat actor set up a staged Microsoft-styled form hosted on Google that presents a valid SSL certificate, enticing end recipients to believe they are being connected to a Microsoft page associated with their company. "However, [the users] are instead linked to an external website hosted by Google," said Cofense.
"Half the words are capitalized, and letters are replaced with asterisks; examples include the keywords 'email' and 'password.' In addition, when end users type their credentials, they appear in plain text instead of asterisks, raising a red flag. The login page is not real. Once the user enters credentials, the data is then forwarded to the threat actors through Google Drive."
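The signals described above (a Microsoft/Office 365 lure with an urgent "Update Now" link that resolves to a Google Form, delivered by a message that passes SPF and DKIM because it left a legitimate but compromised account) can be turned into a simple mail-triage check. The example below is added here and is not Cofense's code; the sample message and the form ID in it are constructed, and the lure and host patterns are assumptions chosen to match this campaign.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the campaign above (not a real message):
# authentication passes, the lure is Office 365 themed, and "Update Now"
# points at a Google Form rather than a Microsoft login page.
SAMPLE_EMAIL = """\
From: IT Support <it-team@compromised-sender.invalid>
To: employee@target.invalid
Subject: Your Office 365 needs to be updated
Authentication-Results: mx.target.invalid; spf=pass; dkim=pass
Content-Type: text/html; charset="utf-8"

<p>Your Office 365 has expired and your account will be suspended.</p>
<p><a href="https://docs.google.com/forms/d/e/CONSTRUCTED-FORM-ID/viewform">Update Now</a></p>
"""

MICROSOFT_LURE = re.compile(r"office\s*365|microsoft|outlook|onedrive", re.I)
URGENCY = re.compile(r"expired?|suspen\w+|update now|action required", re.I)
GOOGLE_FORM_HOSTS = ("docs.google.com/forms", "forms.gle")  # assumed host list

def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/html and text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def analyze(raw: str) -> dict:
    """Score one raw RFC 822 message for the brand/host mismatch used in this campaign."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    links = re.findall(r'href=["\']([^"\']+)', text, re.I)
    form_links = [u for u in links if any(h in u.lower() for h in GOOGLE_FORM_HOSTS)]
    auth = msg.get("Authentication-Results", "").lower()
    findings = {
        "microsoft_lure": bool(MICROSOFT_LURE.search(text)),
        "urgency": bool(URGENCY.search(text)),
        "google_form_link": bool(form_links),
        # SPF/DKIM passing only shows the sender domain's infrastructure sent it;
        # a compromised account passes too, so this must never clear the message.
        "auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
        "form_links": form_links,
    }
    # A Microsoft-branded lure whose link lands on a Google Form is the decisive signal.
    findings["suspicious"] = findings["microsoft_lure"] and findings["google_form_link"]
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```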
Impact of such phishing 'tough to track'
The Cofense Phishing Defense Center was alerted to the campaign by the company's clients. However, the reach of this particular campaign has not yet been assessed.
According to Mount, the impact of specific campaigns is "tough to track" and is typically outside Cofense's purview. However, Mount said any credentials harvested by campaigns like this could lead to a widespread compromise or data breach.
Cofense has seen hundreds of examples of phishing emails using Google Forms as the payload for harvesting user credentials, said Mount. Other common cloud services frequently abused by phishing threat actors include OneDrive, SharePoint.com, Google Docs, WeTransfer, and Dropbox.
Alert users can spot such campaigns most of the time
Still, alert and aware users can spot such campaigns most of the time, Mount said.
End users, according to Mount, must be able to report suspicious emails to their security teams so that those teams can take appropriate action and understand the warning.