Spam News

Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes.

Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered.

The use of Google services by phishers is nothing new; however, security researchers at Arborblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites, and Google Docs.  It is not just Google services that are being abused, as campaigns have been detected that abuse other free cloud services such as Microsoft OneDrive, Dropbox, Webflow, SendGrid, and Amazon Simple Email Service.

One of the campaigns impersonated American Express, with the initial message requesting account validation as the user was found to have missed information when validating their card. The emails direct the user to a phishing page created using Google Forms. The form includes the official American Express logo and a short questionnaire requesting information that can be used by the attackers to gain access to their credit card account – login information, phone number, card number and security code, and security questions and answers.

Since the link in the email directs the user to Google Forms – a legitimate Google domain and service – it is unlikely that an email security gateway would identify the URL as malicious. “Google’s domain is inherently trustworthy and Google forms are used for several legitimate reasons, no email security filter would realistically block this link on day zero,” explained the Armorblox researchers.

Another campaign used Google Forms in a classic phishing lure. The emails appear to have been sent by a childless widow who has been diagnosed with terminal cancer. She is looking to donate her fortune to good causes, with the recipient of the message told that the widow would like them to make donations to good causes on her behalf. The hyperlink directs the user to an untitled Google Form. Should anyone proceed and submit an answer to the untitled question, they will be shortlisted for further extortion attempts.

A campaign was detected that used a fake email login page hosted on Google’s Firebase mobile platform, which is used to create apps, files, and images. The emails in this campaign impersonate the security team and claim important emails have not been delivered due to the email storage quota being exceeded. The campaign targets email login credentials. The link to the Firebase would be unlikely to be identified as malicious since it is a legitimate cloud storage repository.

Google Docs has also been abused in a campaign in which the payroll team is impersonated, with the Google Docs document containing a link to a phishing page where sensitive information is harvested. Since the initial link is to a legitimate and commonly used Google service, it is unlikely to be blocked by email security solutions. While some email solutions would be able to identify the malicious link in the Google-hosted document, various redirects are used to obfuscate the malicious link.

A campaign was also identified that impersonated the user’s IT department security team and Microsoft Teams, using a fake Microsoft login page hosted on Google Sites. Google Sites is a legitimate service that allows individuals to easily create webpages, but in this case has been used to create a webpage hosting a phishing form, complete with the genuine Microsoft logo.

Campaigns abusing trust in Google Docs have also been identified by researchers at Area 1 Security. The messages in that campaign impersonated the HR department and claimed the recipient had been terminated, with the Google Docs document providing details of the termination and severance pay. The document contains a malicious macro that, if allowed to run, will download the Bazar Backdoor and Buer loader malware. IRONSCALES also recently reported that around half of all sophisticated phishing campaigns were successfully bypassing the leading email security gateways.

The campaigns range from highly targeted attacks on specific groups of individuals, such as HR and payroll departments, to untargeted large-scale ‘spray and pray’ campaigns to obtain as many credentials as possible, using more general lures.

These campaigns highlight the need for advanced security solutions that are capable of identifying and blocking phishing emails that abuse legitimate cloud services and the need for ongoing security awareness training for employees to help them identify phishing emails that evade detection by their organization’s cybersecurity defenses.

The post Free Google Services Abused in Phishing Campaigns appeared first on HIPAA Journal.

Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services

Connecticut Department of Social Services (DSS) has reported a potential breach of the protected health information of 37,000 individuals as a result of a series of phishing attacks that occurred between July and December 2019.

Several email accounts were compromised and were used to send spam emails to several DSS employees, the investigation of which confirmed the phishing attacks. A comprehensive investigation was conducted using state information technology resources and a third-party forensic IT firm, but no evidence was found to indicate the attackers had accessed patient information in the email accounts. According to the DSS breach notice, “Due to the large volume of emails involved and the nature of the phishing attack, the forensic efforts could not determine with certainty that the hackers did not access personal information.”

Identity theft protection services have been offered to affected individuals as a precaution and steps have been taken to improve email security and better protect against phishing attacks in the future.

More Than 92,000 Individuals Affected by Mercy Iowa City Phishing Attack

Mercy Iowa City has started notifying 92,795 individuals that some of their protected health information was potentially compromised in a phishing attack. The attack involved a single email account which was accessed by an unauthorized individual between May 15, 2020 and June 24, 2020. The email account was used to send spam and phishing emails.

A review of the compromised account revealed it contained names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, and health insurance information. Individuals whose driver’s license number or Social Security number were potentially compromised have been offered complimentary credent monitoring services for 12 months.

Mercy Iowa City has implemented additional safeguards to prevent further attacks, including multi-factor authentication on email accounts.

LSU Health Care Services Suffers Phishing Attack

The Louisiana State University (LSU) Health New Orleans Health Care Services Division has announced that an unauthorized individual has accessed the email account of an employee and potentially viewed or obtained the information of patients of several hospitals in Louisiana.

The email account was breached on September 15, 2020. The attack was discovered on September 18 and the email account was immediately disabled. An investigation was launched but no evidence was found to indicate patient information in the emails and attachments was accessed or obtained by the individual responsible.

A review of the breached email account revealed it contained the protected health information of patients of the following hospitals:

  • University Medical Center in Lafayette
  • Lallie Kemp Regional Medical Center in Independence
  • Leonard J. Chabert Medical Center in Houma
  • O. Moss Regional Medical Center in Lake Charles
  • Bogalusa Medical Center in Bogalusa
  • Interim LSU Hospital in New Orleans.
  • Earl K. Long Medical Center in Baton Rouge

The types of information potentially compromised varied from patient to patient and medical center to medical center, but may have included names, phone numbers, addresses, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of services received, insurance ID numbers, and a limited number of financial account information and health information. The investigation into the breach is continuing, but so far “thousands” of patients are known to have had their information exposed.

LSU Health is currently evaluating additional security measures to better protect against further attacks and additional information security training has been provided to employees.

The post Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services appeared first on HIPAA Journal.

Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users

Office 365 users have been warned about an ongoing phishing campaign which harvests user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested.

A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes.

The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code.

Microsoft notes that the redirector sites have a unique subdomain that includes a username and the targeted organization’s domain name to add realism to the campaign. The phishing URLs have an extra dot after the top-level domain, after which is the Base64 encoded email address of the recipient. The phishing URLs are often added to compromised websites, rather than used on attacker owned domains. Since many different subdomains are used, it is possible to send large volumes of phishing emails and evade security solutions.

Office 365 credentials are highly sought after. Email accounts can be accessed and used for further phishing attacks, business email compromise scams, and the accounts often contain a wealth of sensitive data, including protected health information. Once an attacker has access to the Office 365 environment, they can access sensitive stored documents, and conduct further attacks on the organization.

Microsoft explained that Microsoft 365 Defender for Office 365 can detect phishing emails in this campaign and resolve attacks, but a recent study by IRONSCALES has shown that many email security gateways fail to block these sophisticated phishing threats.

The Israel-based security firm recently published data from a test of the leading secure email gateways and found they failed to block around half of advanced phishing attempts, including spear phishing and social engineering attacks. The company used its Emulator to test the effectiveness of five of the top secure email gateways, including Microsoft’s Advanced Threat Protection (APT), and simulated real-world phishing scenarios to see how each performed.

For the tests, IRONSCALES conducted 162 emulations (16,200 emails) against the top 5 secure email gateways and found 47% of the emails were delivered to inboxes – 7,614 emails.  The penetration rate – the percentage of emails that bypassed the secure email gateways – ranged from 35% to 55% across the 5 tested security solutions.

The leading secure email gateways were effective at blocking emails containing malicious attachments, with only 4% being delivered to inboxes, and just 3% of emails containing links to malicious files were delivered. However, they were far less effective at blocking social engineering and email impersonation attacks, which accounted for 30% of all successfully delivered emails. Domain name impersonations accounted for 25% of the delivered emails. These emails linked to a domain name that had the right records set in the DNS. Emails containing links to URLs containing fake login pages were delivered 16% of the time.

The tests highlighted the need for AI-driven security solutions that have natural language understanding and the importance of providing security awareness training to the workforce, as many of these advanced phishing threats will reach end user inboxes.

The post Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users appeared first on HIPAA Journal.

Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware

A new phishing campaign is being conducted using the TrickBot botnet which delivers the Bazar backdoor and Buer loader malware. The campaign was detected by researchers at Area 1 Security and has been running since early October.

The Bazar backdoor is used to gain persistent access to victims’ networks, while the Buer loader is used to download additional malicious payloads. Previously, Buer has been used to deliver ransomware payloads such as Ryuk and tools such as CobaltStrike.

Area 1 Security researchers detected two email lures in this campaign. One is a fake notification about termination of employment and the other a fake customer compliant. The employment termination email appears to have been sent by an authority figure in the head office of the company being targeted and states that the individual has been terminated. Further information on the termination and payout are provided in a document that appears to be hosted on Google Docs.

If the link is clicked, the user will be directed to a Google Doc decoy preview page and is advised to click another link if they are not redirected. That link directs them to a URL where a file download is initiated. The user will be presented with a security warning asking if they want to run the file. Doing so launches a PE32+ executable on Windows systems and triggers a sequence of events that results in the download of either the Buer loader or the Bazar backdoor. Constant Contact links are also being used in this campaign.

The use of cloud services for hosting malicious documents is now commonplace. It is a tactic used to bypass security solutions that scan attached files for malicious code such as macros. By linking to legitimate cloud services, some security solutions will fail to detect the link as malicious and will deliver the emails to users’ inboxes. Should the links in the emails be classified as malicious by URL scanning security solutions, the attackers can simply switch to different URLs.

Last month Microsoft announced a takedown operation that saw it take control of the infrastructure used by the operators of TrickBot. This major operation was only temporarily effective at disrupting the botnet infrastructure. Microsoft said the takedown operation was only likely to be temporary, as the TrickBot operators would likely rebuild their operation on different infrastructure.

Area 1 Security researchers note that this campaign resumed after just two days after the takedown of the botnet and, this time around, the TrickBot gang is using sinkhole resistant EmerDNS TLDs, which make any further takedown attempts difficult.

The post Phishing Campaign Uses Employment Termination Lure to Deliver Bazar and Buer Malware appeared first on HIPAA Journal.

Office 365 Users Targeted in Microsoft Teams Phishing Scam

A new Office 365 phishing campaign has been detected by researchers at Abnormal Security that spoofs Microsoft Teams to trick users into visiting a malicious website hosting a phishing form that harvests Office 365 credentials.

Microsoft Teams has been adopted by many organizations to allow remote workers to maintain contact with the office. In healthcare the platform is being used to provide telehealth services to help reduce the numbers of patients visiting healthcare facilities to control the spread of COVID-19.

Microsoft reported in in a June call announcing financial earnings for the quarter ended June 30, 2020 that Microsoft Teams is now used by more than 150 million students and teachers. More than 1,800 organizations have more than 10,000 Teams users, and 69 organizations have more than 100,000 users. The use of Microsoft Teams in healthcare has also been growing, with 46 million Teams meetings now being conducted for telehealth purposes. The increase in usage due to the pandemic has presented an opportunity for cybercriminals.

According to figures from Abnormal Security, the latest campaign has seen the fake Microsoft Teams emails sent to up to 50,000 Office 365 users so far. The messages appear to be sent from a user with the display name “There’s new activity in Teams,” making the messages appear to be automated notifications from Teams.

The messages advise users to login as the Team community is trying to get in touch. The emails include a button to click to login to Teams that has the display text – “Reply in Teams.” The messages include a realistic looking footer with the Microsoft logo and options to install Microsoft Teams on iOS and Android.

The links in the email direct the user to a Microsoft login page that is a carbon copy of the official login prompt, aside from the domain on which the page is hosted. That domain starts with microsftteams to make it appear genuine.

The campaign is one of many targeting Office 365 credentials and there have been several campaigns targeting videoconferening platforms in response to the increase in popularity of the solutions during the pandemic.

Emotet Trojan Campaign Uses Fake Microsoft Word Upgrade Notifications

The Emotet Trojan is being spread in a new campaign that uses fake Microsoft Word upgrade notifications as a lure to get users to install the malware. Emotet is the most widely distributed malware currently in use. Infection with the malware sees the user’s device added to a botnet that is used to infect other devices. Emotet is also a malware downloader and is used to install information stealers such as TrickBot and QBot malware, which are used to deliver ransomware variants such as Ryuk, ProLock, and Conti.

The messages appear to be Microsoft Office notifications that advise the user that they need to perform an upgrade of Microsoft Word to add new features. The messages have a Microsoft Word attachment and the user is instructed to Enable Editing and then Enable Content. Doing so will launch a malicious macro which will download Emotet onto the user’s device

Users should exercise caution and should avoid clicking links or opening attachments in unsolicited emails. Since Emotet hijacks the user’s email account to send further phishing emails, the messages may even be sent from an individual in the user’s contact list.

The post Office 365 Users Targeted in Microsoft Teams Phishing Scam appeared first on HIPAA Journal.

Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19.

The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days.

The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of the company in the signature. By including correct contact information, should any checks be performed by the recipient they may be led to believe the message is genuine.

Source: Area 1 Security

The aim of the threat actors is to deliver the Agent Tesla Trojan. Agent Tesla is an advanced remote access Trojan (RAT) that gives the attackers access to an infected device, allowing them to perform a range of malicious actions. The RAT is capable of logging keystrokes on an infected device and stealing sensitive information from the user’s AppData folder, which is sent to the command and control server via SMTP. The malware can also steal data from web browsers, email, FTP and VPN clients.

The RAT is offered on hacking forums as malware-as-a-service and has proven popular due to the ease of conducting campaigns and the low cost of using the malware, although the researchers note that Agent Tesla can be downloaded for free via a torrent available on Russian websites. The malware includes a User interface (UI) that allows users to track infections and access data stolen by the malware.

The RAT is delivered a compressed file attachment. If the attachment is extracted, the recipient will be presented with an executable file with a double extension, that will appear to be a .pdf file. Since Windows is configured by default to hide known file extensions, the extracted file will appear to be a.pdf file when it is actually an executable file. The display name is “Supplier-Face Mask Forehead Thermometer.pdf”, but the actual file is “Supplier-Face Mask Forehead Thermometer.pdf.exe” or “Supplier-Face Mask Forehead Thermometer.pdf.gz”.

The hash is frequently changed to avoid being detected as malware by security solutions. When the hash is changed, the malware will not be detected by signature-based security solutions until definitions are updated to include the new hash.

The attackers also take advantage of flaws in the configuration of email authentication protocols such as DMARC, DKIM, and SPF when spoofing the domains of legitimate companies.

According to the researchers, the attackers are mostly using a shotgun approach, rather than spear phishing emails on a select number of targets; that said, the researchers have identified some targeted attacks on executives of Fortune 500 companies.

Since the campaign is regularly updated to evade detection by security solutions, it is important to raise awareness of the campaign with employees to prevent them inadvertently installing the malware.

The post Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE appeared first on HIPAA Journal.

Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed.

The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email.

The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more.

IRONSCALES researchers found the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. The brand with the most fake login pages – 11,000 – was PayPal, closely followed by Microsoft with 9,500, Facebook with 7,500, eBay with 3,000, and Amazon with 1,500 pages.

While PayPal was the most spoofed brand, fake Microsoft login pages pose the biggest threat to businesses. Stolen Office 365 credentials can be used to access corporate Office 365 email accounts which can contain a range of highly sensitive data and, in the case of healthcare organizations, a considerable amount of protected health information.

Other brands that were commonly impersonated include Adobe, Aetna, Alibaba, Apple, AT&T, Bank of America, Delta Air Lines, DocuSign, JP Morgan Chase, LinkedIn, Netflix, Squarespace, Visa, and Wells Fargo.

The most common recipients of emails in these campaigns with individuals working in the financial services, healthcare and technology industries, as well as government agencies.

Around 5% of the fake login pages were polymorphic, which for one brand included more than 300 permutations. Microsoft login pages had the highest degree of polymorphism with 314 permutations. The reason for the high number of permutations of login pages is not fully understood. IRONSCALES suggests this is because Microsoft and other brands are actively searching for fake login pages imitating their brand. Using many different permutations makes it harder for human and technical controls to identify and take down the pages.

The emails used in these campaigns often bypass security controls and are delivered to inboxes. “Messages containing fake logins can now regularly bypass technical controls, such as secure email gateways and SPAM filters, without much time, money or resources invested by the adversary,” explained IRONSCALES. “This occurs because both the message and the sender are able to pass various authentication protocols and gateway controls that look for malicious payloads or known signatures that are frequently absent from these types of messages.”

Even though the fake login pages differ slightly from the login pages they spoof, they are still effective and often successful if a user arrives at the page. IRONSALES attributes this to “inattentional blindness”, where individuals fail to perceive an unexpected change in plain sight.

The post Study Reveals Increase in Credential Theft via Spoofed Login Pages appeared first on HIPAA Journal.

Survey Confirms Increase in Phishing and Email Impersonation Attacks

The COVID-19 pandemic has seen an increase in email impersonation attacks on businesses, according to the latest State of Email Security report from Mimecast. In the first 100 days of 2020, email impersonation attacks increased by 30%.

The report was based on a survey conducted on behalf of Mimecast by Vanson Bourne on 1,025 IT decision makers in the U.S., UK, Germany, Netherlands, Australia, South Africa, United Arab Emirates (UAE), and Saudi Arabia between February and March 2020, while businesses were battling the COVID-19 pandemic. Mimecast also analyzed more than 1 billion emails screened by the company’s email security solutions.

60% of respondents to the survey reported an increase in email impersonation attacks such as business email compromise (BEC) over the past 12 months. There were an average of 9 email or web spoofing incidents detected by respondents in the past year, although there may be many others that they did not identify.

DMARC is important for protecting against email impersonation attacks and preventing brand damage. While 97% of respondents were aware of DMARC, worryingly, only 27% of respondents said they use it.

Ransomware continues to be a problem for businesses. 51% of respondents said ransomware had impacted their business in the past 12 months, with the attacks causing an average of 3 days of downtime.

58% of respondents said there had been an increase in phishing attacks over the past 12 months. 72% of respondents said the level of phishing had stayed the same or had increased, compared to 69% when the survey was last conducted in 2019.

IT decision makers do not hold out much hope that the situation will improve. 85% of respondents said they thought email and web-based spoofing attacks will either continue at the same level or increase over the next 12 months. There is also not a great deal of confidence about repelling these attacks. 60% said it is either inevitable or likely that they will experience an email-related data breach.

The relatively bleak outlook may have been influenced by the changes that have had to be made to working practices as a result of the pandemic. Transitioning from a largely office-based workforce to one that is almost entirely home based has introduced new risks and has made it harder for IT security teams to repel attacks.

Even though there is a high risk of experiencing an attack, there is still a lack of cyber resilience preparedness, and the value of regular security awareness training for the workforce does not appear to be appreciated. Despite the risk of phishing, spear phishing, and other email-based attacks, 55% of respondents said they do not provide security awareness training to the workforce on a regular basis and 17% said they only provide security awareness training once a year.

The attacks are proving costly to businesses. 31% of respondents said they experienced data loss and business interruption as a result of an email attack, and 29% said they experienced downtime as a result of a lack of preparedness.

The report also shows that email security defenses are lacking at many businesses. 40% do not have a system for monitoring and protecting against email-based attacks or data leaks in internal emails, 39% do not monitor or protect against email-based malware, and 42% do not have a system that automatically removes malicious or unwanted emails from employee’s inboxes.

The survey revealed businesses are aware of the importance of having a cyber resilience strategy. In 2019, 75% of respondents said they either had or were rolling out such a strategy. The percentage increased to 77% this year. Considering the number of respondents that have experienced data loss, downtime, and drops in productivity due to email attacks, those strategies cannot be implemented too soon.

The post Survey Confirms Increase in Phishing and Email Impersonation Attacks appeared first on HIPAA Journal.

Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials.

Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home.

Virtual private networks (VPNs) are used to support telehealth services and provide secure access the network and patient data. Several vulnerabilities have been identified in VPNs which are being exploited by threat actors to gain access to corporate networks to steal sensitive data and deploy malware and ransomware. It is therefore essential for VPN systems to be patched promptly and for VPN clients on employee laptops to be updated. Employees may therefore be used to updating their VPN.

Researchers at Abnormal Security have identified a phishing campaign that impersonates a user’s organization and claims there is a problem with the VPN configuration that must be addressed to allow the user to continue to use the VPN to access the network.

The emails appear to have been sent by the IT Support team and include a hyperlink that must be clicked to install the update. The user is told in the email that they will be required to supply their username and password to login to perform the update.

This campaign targets specific organizations and spoofs an internal email to make it appear that the email has been sent from a trusted domain. The hyperlink has anchor text related to the user’s organization to hide the true destination URL to make it appear legitimate. If the user clicks the hyperlink in the email, they will be directed to a website with a realistic Office 365 login prompt. The phishing webpage is hosted on a legitimate Microsoft .NET platform so has a valid security certificate.

Fake VPN Alert Phishing

Source: Abnormal Security

Login credentials entered on the site will be captured by the attacker and can be used to access the individual’s Office 365 email account and obtain sensitive data in emails and attachments, as well as other data accessible using the Office 365 credentials through single sign-on.

Abnormal Security has found a variety of phishing emails that use variations of this message, which have been sent from several different IP addresses. Since the destination phishing URL is the same in each email, it suggests that the emails are part of the same campaign and have been sent by a single attacker.

The post Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign appeared first on HIPAA Journal.