Each Blox Tale will take a look at a targeted email scam, outline why it made its way into an inbox, and provide tips and recommendations to protect against such attacks. In this blog, we’ll focus on an email attack that pretends to share information about an EFT payment with a link to download an HTML invoice. Opening the HTML loads a page with Microsoft Office branding that’s hosted on Google Firebase. The final phishing page looks to extract the victims’ Microsoft login credentials, alternate email address, and phone number.
Org mailboxes: ~20,000
Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365
Techniques used: Social engineering, link redirects, HTML hosted on Google Firebase, brand impersonation
This email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘1’ to this email, which means the message was scanned and judged not to be spam, so it was delivered to end user mailboxes.
A summary of the attack is presented below:
Fig: Summary of the Microsoft Office phishing scam showing the attack flow
A few days ago, the Armorblox threat research team observed an invoice-themed email attack attempt to hit one of our customer environments. This email was titled ‘TRANSFER OF PAYMENT NOTICE FOR INVOICE’ and informed victims about an EFT payment. The email included a link to view the invoice.
A snapshot of the email is given below:
Fig: Email with an EFT payment update that links to an invoice download
The Attack Flow
Clicking the email link goes through a redirect and lands on a page under the parent domain ‘mystuff[.]bublup[.]com’. The redirect itself is a ‘nam02[.]safelinks[.]protection[.]outlook[.]com’ URL, which shows that the link was rewritten by Microsoft Defender for Office 365 Safe Links. Safe Links rewrites every URL in a protected message, so the rewrite alone says nothing about a verdict; what matters here is that the malicious destination was not blocked when the user clicked.
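When triaging a message like this one, the first step is to recover the real destination from the Safe Links wrapper so the landing domain can be compared with what the email claims. The following is an added example, not code from the original post: it relies only on the documented shape of a Safe Links URL (the original link is carried, percent-encoded, in the ‘url=’ query parameter) and peels nested wrappers, which appear when a rewritten message is forwarded and rewritten again. The wrapped URLs below are constructed for illustration; ‘landing.example’ stands in for the attacker’s landing page and the ‘data’, ‘sdata’ and ‘reserved’ values are filler.

```python
from urllib.parse import urlsplit, parse_qs, quote

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"


def is_safelinks(url: str) -> bool:
    """True if the URL is a Microsoft Safe Links wrapper (any region prefix)."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SAFELINKS_SUFFIX)


def unwrap_safelinks(url: str, max_depth: int = 5) -> str:
    """Return the destination hidden inside a Safe Links wrapper.

    Safe Links rewrites links to
    https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&...
    A URL that is not wrapped is returned unchanged. Wrappers are peeled
    repeatedly (forwarded mail can be rewritten more than once), bounded by
    max_depth so a malformed or self-referential wrapper cannot loop forever.
    """
    for _ in range(max_depth):
        if not is_safelinks(url):
            return url
        inner = parse_qs(urlsplit(url).query).get("url")  # parse_qs percent-decodes
        if not inner:
            raise ValueError("Safe Links wrapper without a url= parameter")
        url = inner[0]
    raise ValueError("gave up after %d nested Safe Links wrappers" % max_depth)


def landing_host(url: str) -> str:
    """Hostname the user actually ends up on, for comparison with the lure text."""
    return (urlsplit(unwrap_safelinks(url)).hostname or "").lower()


# Constructed sample wrappers (not the URLs observed in the campaign).
CONSTRUCTED_WRAPPED = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    + quote("https://landing.example/invoice?id=123", safe="")
    + "&data=04%7C01%7C&sdata=placeholder&reserved=0"
)
# A forwarded copy gets wrapped a second time.
CONSTRUCTED_NESTED = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    + quote(CONSTRUCTED_WRAPPED, safe="")
)

if __name__ == "__main__":
    for u in (CONSTRUCTED_WRAPPED, CONSTRUCTED_NESTED, "https://example.com/a"):
        print(landing_host(u), "<-", u[:60] + ("..." if len(u) > 60 else ""))
```

Unwrapping only tells you where the first hop points; the bublup page and the Firebase-hosted pages described below are further hops that the analyst still has to follow in a sandbox.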
Apart from being emblazoned with ‘Payment Notification - PDF’, the landing page is sparse. The page has a button on the top right to download the invoice that was referenced in the email (or so the attackers want you to think).
Fig: Landing page with a link to download the invoice
The downloaded ‘invoice’ has PDF in its file name, but it’s actually an HTML file. Opening the HTML file loads an iframe with Office 365 branding. The page displays a thumbnail along with a link to view the invoice. Hovering over this link shows that it points to Google Firebase. Reputable domains like Firebase’s lead people (and email security technologies) to assume that clicking the link will retrieve the invoice whose thumbnail is displayed.
Fig: Page spoofing Office 365 with a link to the ‘invoice’ that’s hosted on Google Firebase
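The ‘PDF’ that is really HTML is the one inconsistency in this chain that a mail gateway or endpoint can catch mechanically: compare what the file name promises with what the bytes actually are. The check below is an added example, not code from the original post; it sniffs the content (‘%PDF-’ magic versus HTML markup) and flags any HTML whose name or extension advertises a PDF. The attachment bytes and file names used are constructed for illustration, and ‘viewer.example’ stands in for the remote page the iframe would load.

```python
PDF_MAGIC = b"%pdf-"  # compared against lower-cased content
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head", b"<body",
                b"<iframe", b"<script", b"<meta")


def sniff_type(data: bytes) -> str:
    """Classify content by what it starts with, ignoring the file name entirely.

    Only the first 4 KiB is inspected; an HTML file that buries its first tag
    deeper than that (e.g. behind a long comment) will come back 'unknown'.
    """
    head = data[:4096]
    if head.startswith(b"\xef\xbb\xbf"):   # UTF-8 BOM
        head = head[3:]
    head = head.lstrip().lower()
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if any(marker in head for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def claimed_type(filename: str) -> str:
    """What the extension says the file is."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext == "pdf":
        return "pdf"
    if ext in ("htm", "html", "xhtml", "shtml"):
        return "html"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'ok', 'review' or 'suspicious'."""
    actual = sniff_type(data)
    claimed = claimed_type(filename)
    promises_pdf = "pdf" in filename.lower()      # e.g. Payment_Notification_PDF.html
    if actual == "html" and (claimed == "pdf" or promises_pdf):
        return ("suspicious", "name suggests PDF but content is HTML: %s" % filename)
    if actual != "unknown" and claimed != "unknown" and actual != claimed:
        return ("suspicious", "extension says %s but content is %s" % (claimed, actual))
    if actual == "html":
        return ("review", "HTML attachment; open it in a sandbox, not a browser")
    return ("ok", "content type %s is consistent with the name" % actual)


# Constructed sample (not the real attachment): an HTML 'invoice' that loads
# a remote page in an iframe, as the lure described above does.
CONSTRUCTED_HTML_INVOICE = (
    b"<!DOCTYPE html>\n<html><head><title>Payment Notification - PDF</title></head>\n"
    b"<body><iframe src=\"https://viewer.example/invoice\" width=\"100%\"></iframe>"
    b"</body></html>\n"
)

if __name__ == "__main__":
    for name in ("Payment_Notification_PDF.html", "invoice.pdf", "readme.html"):
        print(name, assess_attachment(name, CONSTRUCTED_HTML_INVOICE))
```

The same logic fits a mail-flow rule or an EDR hook: the signal is the disagreement between name and content, not the presence of an HTML attachment on its own, which is why plain ‘readme.html’ is only flagged for review.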
Clicking the thumbnail or ‘VIEW FILE’ link leads to the final phishing page that asks victims to log in with their Microsoft credentials. This page phishes for the email address and password linked to victims’ Microsoft accounts, as well as any alternate email addresses or phone numbers. This is an attempt by attackers to cover their bases in case victims have 2FA or recovery mechanisms set up on their Microsoft accounts.
Fig: The final phishing page attempts to extract Microsoft credentials, alternate email IDs, and phone numbers
Entering fake details on this page reloads the login portal with an error message asking the user to enter correct details. This suggests some backend validation mechanism that checks the veracity of entered details. Alternatively, attackers might be looking to harvest as many email addresses and passwords as possible, and the error message will keep appearing regardless of the details entered.
Fig: Entering fake details shows an error message asking users to enter correct details
Summary of techniques used
This email attack employed a gamut of techniques to get past traditional email security filters and to pass the eye test of unsuspecting end users.
- Passes authentication using SendGrid: The email was sent from a personal Gmail account via SendGrid, and it successfully passed authentication checks such as SPF, DKIM, and DMARC. Authentication confirms that a message came from infrastructure authorized to send it; it says nothing about the sender’s intent.
- Social engineering: The email title and content refer to financial payments, including a link to view an invoice. The average person tends to take quick action on financial matters, even if a closer look might reveal inconsistencies in the email.
- Brand impersonation: The final phishing page spoofs an Office 365 portal and is replete with Microsoft branding. Requiring Microsoft account credentials to view an invoice document also passes the ‘logic test’ in most victims’ minds, since they get documents, sheets, and presentations from colleagues every day that encompass the same workflow.
- Hosted on Google Firebase: The final ‘invoice’ page is hosted on Google Firebase; the reputation of this domain lets the email get past security filters built to block known bad links and files. Check out our recent threat research on a range of email attacks that leverage Google services to learn more.
- Link redirects: The attack flow is long and obfuscates the true final phishing page, which is another common technique to fool security technologies that attempt to follow links to their destinations and check for fake login pages.
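A ‘pass’ for SPF and DKIM is often read as a pass for the address in the From: header, but the two are only connected when the authenticated domain aligns with the From: domain, which is the check DMARC adds. The code below is an added example, not code from the original post; it parses an Authentication-Results header of the shape Exchange Online stamps on messages (spf=... smtp.mailfrom=...; dkim=... header.d=...) and reports whether either passing method is aligned with a given From: domain. The header and domains are constructed for illustration; the organizational-domain shortcut (last two labels) is an assumption that real code should replace with a Public Suffix List lookup.

```python
import re


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results header into {method: {'result': ..., prop: value}}.

    Folded continuation lines are unfolded and RFC 5322 comments such as
    '(sender IP is ...)' are dropped before splitting on ';'. If a method
    appears more than once (several DKIM signatures), the last one wins.
    """
    value = re.sub(r"\r?\n[ \t]+", " ", header)   # unfold
    value = re.sub(r"\([^)]*\)", " ", value)      # strip comments
    if value.lstrip().lower().startswith("authentication-results:"):
        value = value.split(":", 1)[1]
    results = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        if not result:            # authserv-id like 'mx.example.com' carries no '='
            continue
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if val:
                entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (breaks on e.g. co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC-style identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def check_alignment(header: str, from_domain: str, strict: bool = False) -> dict:
    """Does a passing SPF or DKIM result actually vouch for the From: domain?"""
    r = parse_auth_results(header)
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    spf_pass = spf.get("result") == "pass"
    dkim_pass = dkim.get("result") == "pass"
    spf_aligned = spf_pass and aligned(spf.get("smtp.mailfrom", ""), from_domain, strict)
    dkim_aligned = dkim_pass and aligned(dkim.get("header.d", ""), from_domain, strict)
    return {
        "spf_pass": spf_pass,
        "dkim_pass": dkim_pass,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "from_domain_authenticated": spf_aligned or dkim_aligned,
    }


# Constructed header (not the real one): both methods pass, but for the relay's
# domain, not for the domain shown in From:.
CONSTRUCTED_HEADER = (
    "Authentication-Results: spf=pass (sender IP is 203.0.113.10)\r\n"
    " smtp.mailfrom=bounce.relay.example; dkim=pass (signature was verified)\r\n"
    " header.d=relay.example"
)

if __name__ == "__main__":
    print(check_alignment(CONSTRUCTED_HEADER, "sender.example"))
    print(check_alignment(CONSTRUCTED_HEADER, "relay.example"))
```

Run against the constructed header, ‘sender.example’ gets spf_pass and dkim_pass but no alignment, so nothing has authenticated the displayed sender; the relay’s own domain aligns under relaxed mode. The SCL and DMARC disposition reported by the gateway already encode its own view of this; the value of recomputing it is in spotting mail where ‘pass’ belongs to a bulk-sending service rather than to the person the message appears to come from.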
Guidance and Recommendations
Here are some points of guidance for individuals or organizations looking to protect themselves against targeted email attacks:
1. Augment native email security with additional controls
This email got past Microsoft’s Exchange Online Protection (EOP) with an assigned Spam Confidence Level (SCL) of 1, which means EOP scanned the message and determined that it wasn’t spam (a message that skipped filtering altogether would carry an SCL of -1). For better protection coverage against email attacks (whether they’re phishing, business email compromise, or 0-day credential phishing attacks like this one), organizations should invest in technologies that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
Fig: Email metadata showing Microsoft’s SCL score of 1
2. Watch out for social engineering cues
Whenever possible, engage with emails related to money and data in a rational and methodical manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. why is this ‘PDF’ actually an HTML file?).
3. Follow 2FA and password management best practices
Since workplace accounts are so closely interlinked, surrendering the credentials to one of your accounts can prove very dangerous: cybercriminals can send emails in your name to trick your customers, partners, acquaintances, and family members.
If you haven’t already, implement these hygiene best practices:
- Deploy two-factor authentication (2FA) on all possible business and personal accounts.
- Don’t reuse passwords across sites or accounts.
- Use a password manager to generate and store your account passwords.
- Avoid passwords that tie into your publicly available information (date of birth, anniversary date, etc.) or generic passwords such as ‘password123’ or ‘YourName123’.