Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credential phishing attempt that impersonated the internal IT team with an email that asked readers to review a secure message sent over Microsoft Teams. Clicking the link led readers to a page designed to look like Microsoft Teams, followed by a credential phishing page that resembled the Office 365 login portal.
A summary of the attack flow is given below:
Fig: Summary of the Microsoft Teams credential phishing attack
A few days ago, we saw a credential phishing attempt land in multiple customer inboxes. This email claimed to come from the company’s IT team and asked readers to review a secure message their colleagues had shared over Microsoft Teams, a popular business collaboration solution. Clicking the link took the targets to a page resembling Microsoft Teams, which then redirected to a credential phishing site resembling the Office 365 login portal.
A screenshot of the email is given below:
Fig: Email where attackers impersonate Microsoft Teams and direct readers to review a secure message
Why The Attack Got Through
This email got past existing Office 365 security controls because it didn’t follow the tenets of more traditional phishing attacks.
1. Got past email authentication checks
Although the sender name - IT Service Team - impersonated an internal company department, the email was sent from a legitimate domain, which allowed it to pass email authentication checks. The domain for the email - livingsourceresidential[.]com - belongs to a real estate agency in New York City. It’s possible that attackers got hold of an employee’s credentials at Living Source Residential and subsequently used the legitimate email account to launch follow-on attacks.
2. Phishing pages hosted on legitimate sites
Both phishing pages in this attack flow were hosted on reputable sites, enabling the attack to get past any filters used to block known bad domains. The first phishing page - resembling Microsoft Teams - used webflow[.]io as its parent domain. Webflow is an online visual editor platform intended for designing, building, and launching websites. The attackers seem to have used an older Webflow sub-domain; Webflow sites are hosted on webflow.com today, not webflow[.]io.
Fig: Page resembling an update from Microsoft Teams
When readers clicked ‘Secure Link’ on the page presented above, they were led to the final phishing site resembling the Office 365 login portal. This page used ‘sites[.]google[.]com’ as its parent domain and was seemingly built using Google Sites. The malice of the page’s intent was hidden behind the legitimacy of the page’s domain.
Fig: Final credential phishing page resembling the Office 365 login portal, created using Google Sites
Both these pages would pass most eye tests during busy mornings (which is when the email was sent out), with people happily assuming them to be legitimate Microsoft pages. By hosting phishing pages on legitimate parent domains, attackers are able to evade security controls based on URL/link protection and get past filters that block known bad domains.
3. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The sender name impersonated the company’s internal IT team, making the email likely to get past eye tests when people glanced through it amidst hundreds of other emails in their overflowing mailboxes. The email language and topic were intended to induce urgency in the reader, since their team was apparently sharing a secure message with them. The call to action - reading the secure message - was simple and effective.
A closer look reveals some irregularities with the email. The title says ‘Your tea are trying to reach you’. Either the attackers meant to write ‘teams’ and made a typo here or there’s an entire species of sentient beverages we haven’t discovered yet! There are some typos within the email body as well, which are clear red flags to anyone who stops and reads the email closely. The attackers bank on people not reading the email closely and following through with the intended action instead.
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on large volumes of data and further customized to suit every customer environment. These models analyzed the email body and detected that an unusual request was made in the email (a common trait of business email compromise attacks).
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
3. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.
Armorblox analyzes scores of signals related to the identity of every email’s sender and receiver. Since Armorblox knew the email alias for the real IT team, the platform detected this email as an impersonation attempt.
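To make the three sender-identity signals above concrete, here is an added Python example (not Armorblox’s code) that computes them over constructed historic mail-flow data: a mailbox-specific communication count, an organization-wide sender-domain count, and a display-name check against a known internal alias. The tenant domain, alias table, and addresses are all placeholders.

```python
from email.utils import parseaddr

# Constructed sample data, not taken from the post. The fictional tenant is
# example-corp.test; the real IT team's alias is the only entry we know.
ORG_DOMAIN = "example-corp.test"
KNOWN_INTERNAL_ALIASES = {"it service team": "itsupport@example-corp.test"}

# Previously observed (sender, recipient) pairs for the tenant (constructed).
HISTORY = [
    ("alice@example-corp.test", "bob@example-corp.test"),
    ("vendor@partner.test", "bob@example-corp.test"),
    ("vendor@partner.test", "carol@example-corp.test"),
]


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_sender(from_header, recipient, history=HISTORY):
    """Return the sender-identity signals for one message."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    sender_domain = domain_of(addr)
    # Mailbox-specific model: how often has this exact sender written to this recipient?
    pair_count = sum(1 for s, r in history if s == addr and r == recipient)
    # Organization-specific model: how often has this domain written to anyone in the org?
    domain_count = sum(1 for s, _ in history if domain_of(s) == sender_domain)
    # Impersonation: display name matches a known internal alias, but the
    # address is not that alias's real mailbox.
    expected = KNOWN_INTERNAL_ALIASES.get(name.strip().lower())
    impersonation = expected is not None and addr != expected
    return {
        "low_communication_history": pair_count == 0,
        "low_domain_frequency": domain_count == 0,
        "impersonates_internal_alias": impersonation,
        "external_sender": sender_domain != ORG_DOMAIN,
    }


def verdict(signals):
    """Low history alone is not a violation; flag only when it corroborates
    an impersonated internal alias."""
    corroborating = signals["low_communication_history"] or signals["low_domain_frequency"]
    if signals["impersonates_internal_alias"] and corroborating:
        return "credential_phishing_suspect"
    return "allow"
```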
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically deleted based on predetermined remediation actions for the credential phishing detection category.
If you found this attack overview interesting, you might also like to read our earlier Blox Tale focusing on a QuickBooks credential phishing attempt.