In today’s Blox Tale, we will look at a credential phishing attack that impersonated Proofpoint and attempted to steal victims’ Microsoft and Google email credentials. The email claimed to contain a secure file sent via Proofpoint as a link.
Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.
Total org mailboxes: ~1,000
Target: A global communications company
Email security bypassed: Microsoft email security
Techniques used: Social engineering, brand impersonation, replicating existing workflows, account takeover
Fig: Proofpoint credential phishing attack to steal O365/Google email credentials
The email was titled “RE: Payoff Request” and claimed to contain a mortgage-related file sent via Proofpoint along with an email footer exhorting the importance of confidentiality. Adding “RE” to the email title is a tactic we have observed scammers using before - this signifies an ongoing conversation and might make victims click the email faster.
A snapshot of the email is given below:
Fig: Email spoofing a file-sharing notification from Proofpoint
The email was sent from an individual’s compromised email account. The parent domain of the sender email was “sdis34[.]fr”, which is a department of fire rescue in Southern France. Sending phishing emails from legitimate (but compromised) email accounts makes it easier to slip past binary detection controls like filters or blocklists.
Fig: The sender email belonged to a French department of fire rescue
The Phishing Page
Clicking the email link led victims to a splash page with Proofpoint branding. The page included login links for specific email providers that the victims could choose from. Exploiting the brand of a well-respected security company like Proofpoint might be a deliberate choice, with victims getting lulled into a false sense of security.
Fig: Clicking the email link leads to a spoofed Proofpoint login page
Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively. Both flows asked for the victim’s email address and password.
Fig: Fake Office 365 and Google login pages
These pages were hosted on the “greenleafproperties[.]co[.]uk” parent domain. The domain’s WhoIs record shows it was last updated in April 2021. The URL currently redirects to “cvgproperties[.]co[.]uk”. The barebones website with questionable marketing increase the possibility that this is a dummy site.
Fig: The phishing pages were hosted on the parent domain of a property company
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
- Social engineering: The email title and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to contain a file sent by Proofpoint, and a sense of urgency because it contained information on mortgage or other home-related activities.
- Brand impersonation: The email and landing page both spoof Proofpoint. The login pages for Google Workspace and Office 365 are also replete with the branding of the respective email providers.
- Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily lives (email notifications when files are shared online). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
- Using compromised email address: The email was sent from an individual’s compromised email account belonging to a French fire rescue department.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past Microsoft email security. For better protection coverage against email attacks (whether they’re vishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and should be a good starting point for your evaluation.
This email had a Spam Confidence Level (SCL) score of 1, which means Microsoft determined the email was not spam.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is the email coming from a .fr domain? Why is a mortgage-related notification coming to my work email?).
3. Follow MFA and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use a password management software like LastPass or 1password to store your account passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
- Don’t use generic passwords such as ‘password123’, ‘YourName123’, etc.