Search This Blog

Proofpoint Phish Harvests Credentials from Microsoft Office 365 and Google Email

Microsoft's email security was beaten by a clever campaign imitating the cybersecurity firm.

 

Phishers are posing as Proofpoint, a cybersecurity company, in order to steal victims' Microsoft Office 365 and Google email credentials. According to Armorblox analysts, one such effort was launched against an undisclosed global communications business, with roughly a thousand personnel targeted solely within that company. 

“The email claimed to contain a secure file sent via Proofpoint as a link,” they explained in a posting on Thursday. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.” 

A file apparently related to mortgage payments was the email's bait. The subject line, "Re: Payoff Request," was designed to trick targets into thinking it was part of an ongoing conversation, offering validity to the proceedings while also adding urgency. Users were led to a splash page with Proofpoint branding and login spoofs if they clicked on the "secure" email link embedded in the message. 

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers explained. “Both flows asked for the victim’s email address and password.”

Researchers discovered another phishing campaign that appears to be abusing an Amazon service called Amazon Simple Email Service (SES), which allows developers to send email messages from their apps. According to Kaspersky, the campaign was based on a now-revoked stolen SES token used by a third-party contractor during the testing of the website 2050.earth. The 2050.earth website is a Kaspersky initiative that includes an interactive map depicting the future impact of technology on the Earth, as predicted by futurologists. Because the 2050.earth site is housed on Amazon's infrastructure, the stolen SES token is linked to Kaspersky and SES. 

Noreply@sm.kaspersky.com is one of the sender addresses used in these emails. The security alert cautioned that they come from a variety of sources, including Amazon Web Services infrastructure. The stolen SES token was only utilized in a restricted way, according to the company, as part of a larger campaign that targeted many brands. 

Social engineering, brand impersonation, and the utilization of genuine infrastructure are used in attacks like these to get through typical email security filters and consumers' eye checks. Armorblox made the following suggestions to protect against similar campaigns: 

 • Be wary of social engineering: Before opening an email, users should perform a visual inspection that involves looking at the sender's name, email address, language, and any logical flaws. 

 • Improve password hygiene: Implement multi-factor authentication (MFA) on all potential corporate and personal accounts, avoid the usage of the same password across several sites/accounts, and avoid passwords that are linked to publicly available data.
Share it:

Cyber Security

Login Credentials

Microsoft 365

Multi-factor authentication

Phishing Campaign