This blog focuses on a credential phishing attack that spoofs a message from the MIT help desk team and tries to steal Microsoft login details.
In today’s Blox Tale, we will look at a credential phishing attack that impersonated a notification from the MIT help desk and attempted to steal victims’ Microsoft email credentials. The email notified a targeted victim that their MIT account password had expired and included a link to reset their password. The phishing page spoofs Outlook branding and tries to extract victims’ login details.
Total org mailboxes: ~10,000 (potential attack exposure if the initial attack had been successful)
Target: A professor at a higher education institution
Email security bypassed: Microsoft email security
Techniques used: Social engineering, sender and brand impersonation, replicating existing workflows, potential account takeover
The email was titled “eNotification for Name” where “Name” was the victim’s email account username (the first letter of their first name followed by their last name, a standard format used for email IDs). The email claimed to come from the MIT helpdesk team, had “Massachusetts Institute of Technology” as the sender name, and “helpdesk@mit[.]edu” as the sender ID.
The target victim was a professor at a higher education institution (not MIT). It’s possible the victim teaches at multiple universities and has an MIT email account as well - if they do, they would be eager to reset the account’s password.
A snapshot of the email is given below:
Based on signals and our analysis, the email looks to be from the mit[.]edu domain. It’s possible that scammers used an MIT account as a vehicle for the phishing attack. The email passed all authentication checks (SPF, DKIM, DMARC).
The email claims that the victim’s MIT account password has expired and invites them to click a link to reset the password or risk the account getting suspended.
The Phishing Page
Clicking the email link led victims to a page spoofing Outlook branding that asked for their login details. The parent domain of the phishing page was “gettheideas[.]com”. The domain’s WhoIs record shows that it was created in November of last year and expires soon.
Visiting the page now triggers a browser warning that the site is malicious, and the site itself appears to have been taken down.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
- Social engineering: The email title and content aimed to induce a sense of trust and urgency in the victim - a sense of trust because the email claimed to come from the MIT help desk, and a sense of urgency because the email claimed the victim’s Outlook password had expired.
- Sender and brand impersonation: The email sender and context spoofed the MIT help desk team. Clicking the link led to a phishing page spoofing an Outlook login portal.
- Replicating existing workflows: The context for the email attack replicates workflows that already exist in a professor’s life (password reset notification from your university help desk). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
- Potential account compromise: Based on signals and our analysis, it’s possible that scammers used an MIT account as a vehicle for the phishing attack. The email passed all authentication checks (SPF, DKIM, DMARC).
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past Microsoft email security. For better protection coverage against email attacks (whether they’re vishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and should be a good starting point for your evaluation.
This email had a Spam Confidence Level (SCL) score of -1, which means the message skipped Microsoft spam filtering.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the email coming from a .fr domain? Why is a mortgage-related notification coming to my work email?).
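The points in this section and the previous one (an email can pass SPF/DKIM/DMARC and carry SCL -1 yet still be phishing, so the sender name, sender address, language and logical inconsistencies need their own check) can be turned into a simple triage routine. The following is an added example, not Armorblox's code or any tool the post refers to; it runs over a constructed message modelled on the one described here, the header names are Microsoft's, and the scoring thresholds are an assumed, illustrative heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described in this post: trusted display
# name, sender at the impersonated institution, passing SPF/DKIM/DMARC, SCL -1, and a
# password-expiry lure whose link points at an unrelated domain.
SAMPLE = """\
From: "Massachusetts Institute of Technology" <helpdesk@mit.edu>
To: jdoe@university.example
Subject: eNotification for jdoe
Authentication-Results: spf=pass smtp.mailfrom=mit.edu; dkim=pass header.d=mit.edu; dmarc=pass header.from=mit.edu
X-MS-Exchange-Organization-SCL: -1
Content-Type: text/plain

Your MIT account password has expired. Reset it within 24 hours at
http://gettheideas.com/reset/outlook or the account will be suspended.
"""

URGENCY = re.compile(r"\b(expired?|suspend(ed)?|immediately|within \d+ hours)\b", re.I)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def registrable(host):
    """Last two labels of a hostname; a crude stand-in for the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])

def triage(raw):
    """Return the signals an analyst would check on this message, plus a simple verdict."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.rpartition("@")[2])
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload()
    link_doms = {registrable(h) for h in URL_HOST.findall(body)}
    s = {
        # Passing authentication only proves which domain sent it, not the intent.
        "auth_all_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        # SCL -1 means the message skipped Microsoft spam filtering entirely.
        "scl_bypassed": msg.get("X-MS-Exchange-Organization-SCL", "").strip() == "-1",
        # A reset link on a domain other than the sender's is a logical inconsistency.
        "offsite_links": sorted(d for d in link_doms if d != sender_dom),
        "urgency_cues": sorted({m.group(0).lower() for m in URGENCY.finditer(body)}),
        "password_reset_lure": bool(link_doms) and bool(re.search(r"password", body, re.I)),
    }
    score = 2 * bool(s["offsite_links"]) + bool(s["urgency_cues"]) + s["password_reset_lure"] + s["scl_bypassed"]
    s["verdict"] = "hold-for-review" if score >= 3 else "deliver"  # assumed threshold
    return s
```

Run as `triage(SAMPLE)`; the authentication result is reported but deliberately carries no weight, since for this email it was genuine.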
3. Follow MFA and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software such as LastPass or 1Password to store your account passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
- Don’t use generic passwords such as ‘password123’, ‘YourName123’, etc.