Yesterday, the Microsoft Threat Intelligence Center (MSTIC) released information on uncovering a long-running and widespread malicious email campaign run by the threat group they track as NOBELIUM. Microsoft says this threat group was also behind the SolarWinds attack that shook the cybersecurity world a few months ago, as well as others like the SUNBURST backdoor, TEARDROP malware, and GoldMax malware.
Attackers in Constant Contact
Microsoft had been tracking NOBELIUM and its activities since January 2021. On May 25, 2021, they observed an escalation where NOBELIUM exploited Constant Contact - a legitimate online marketing company - to launch a spear phishing campaign targeting 7,000 accounts across more than 350 organizations.
The emails appeared to originate from USAID (ashainfo@usaid[.]gov), which is an independent agency of the United States federal government that is responsible for administering civilian foreign aid and developmental assistance. USAID uses Constant Contact as their email provider, and the sender email address was an authentic one that matched the Constant Contact service.
The email spoofed an alert from USAID, a screenshot of which is presented below:
Fig: Email impersonating USAID started the spear phishing campaign (Source for the image is Microsoft)
Clicking the link in the email first redirected victims to infrastructure hosted by Constant Contact, and then further redirected them to NOBELIUM-controlled infrastructure. A malicious ISO file was then delivered to the victims’ systems, which enabled NOBELIUM to achieve persistent access to those systems and effect follow-on compromise through lateral movement.
Microsoft says this is an active incident with many moving parts that will continue to evolve. From what is known so far, we are listing out tradecraft employed in this attack and sharing similar techniques observed by the Armorblox threat research team in other phishing campaigns.
1. Google Firebase for recon
In February, MSTIC spotted an early wave of phishing emails that exploited the Google Firebase platform to stage an ISO file and track targets who clicked - almost as a dress rehearsal for the recent attack. Armorblox has observed Google Firebase being exploited in multiple phishing campaigns that you can read here and here.
2. Different ‘from’ and ‘reply-to’ addresses
The ‘from’ address in the emails was different from the ‘reply-to’ address (mhillary@usaid[.]gov), which is a common adversarial technique employed in email attacks. We observed this technique most recently in a Chase impersonation attack here.
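The header mismatch described above is straightforward to check at the mail gateway. The following is an added example, not code from the original post or from Armorblox: it parses a message, compares the ‘from’ and ‘reply-to’ addresses, and grades the result. It goes slightly beyond the campaign’s pattern (same domain, different mailbox) by also treating a ‘reply-to’ on a different domain as a higher-risk case. The sample messages and their domains are constructed for the example.

```python
"""Flag messages whose Reply-To header does not match the From header."""
import email
from email.utils import parseaddr

# Constructed sample messages modelled on the headers described above
# (placeholder domains, not captures from the real campaign).
LURE_SAME_DOMAIN = (
    'From: "USAID" <ashainfo@aid-agency.example>\r\n'
    "Reply-To: mhillary@aid-agency.example\r\n"
    "Subject: Special Alert\r\n\r\n"
    "Click the link to view the new documents.\r\n"
)
LURE_OTHER_DOMAIN = (
    'From: "Billing" <billing@bank.example>\r\n'
    "Reply-To: billing-desk@bank-support.example\r\n"
    "Subject: Statement ready\r\n\r\nSee attached.\r\n"
)
BENIGN = (
    "From: alice@corp.example\r\nTo: bob@corp.example\r\n"
    "Subject: lunch\r\n\r\nNoon?\r\n"
)


def _domain(addr: str) -> str:
    """Return the part after the last '@' (empty string if there is none)."""
    return addr.rpartition("@")[2]


def reply_to_risk(raw_message: str) -> dict:
    """Compare From and Reply-To and return the addresses plus a risk label.

    "none"   - no Reply-To, or it matches From exactly
    "medium" - same domain but a different mailbox (the USAID lure pattern)
    "high"   - Reply-To points at a different domain entirely
    """
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if not reply_addr or reply_addr == from_addr:
        risk = "none"
    elif _domain(reply_addr) == _domain(from_addr):
        risk = "medium"
    else:
        risk = "high"
    return {"from": from_addr, "reply_to": reply_addr, "risk": risk}


if __name__ == "__main__":
    for name, raw in [("lure", LURE_SAME_DOMAIN), ("other", LURE_OTHER_DOMAIN), ("ok", BENIGN)]:
        print(name, reply_to_risk(raw))
```

A "medium" hit alone is not proof of phishing (mailing-list services legitimately set a Reply-To), so treat it as one signal to combine with the sender-infrastructure and content checks discussed in the other sections.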
3. Exploiting legitimate infrastructure
The attack leveraged the email infrastructure of Constant Contact, which is an online marketing company. We have repeatedly observed threat actors hijacking legitimate (and often free) online services and using them within phishing flows. Other online solutions that have been exploited include Typeform in tax scams, Quip in attacks impersonating shipping companies, and Google Sites to host fake login pages.
This technique is noteworthy because traditional email security technologies often use domain, URL, and DNS reputation as a proxy for trusted communications. But if attackers use reputed services to do disreputable things, traditional email security cannot detect it. The car is trusted, but there’s a malicious driver at the wheel here.
4. Social engineering
The email content and context attempted to push all the right buttons and socially engineer the required response (clicking the link) from victims. Spoofing USAID induced a sense of trust in victims because the email claimed to come from a US federal agency. The email content - Donald Trump publishing new documents on election fraud - was prime clickbait and induced a sense of urgency in victims to click on the link, whichever side of the political divide they were on.
The Armorblox threat research team has observed the human layer being targeted by email attacks in manifold ways - by attackers pretending to be trusted entities, using free online services, and replicating commonly occurring email workflows to lull victims into a false sense of security.
There will surely be more updates on this spear phishing campaign in the days and weeks to come. We would advise bookmarking this blog from Microsoft detailing the attack and this joint advisory from CISA and FBI, both of which are likely to be updated with technical details and Indicators of Compromise involved in the attack.
For more email security news, threat research, and industry trends, join the Armorblox mailing list. If you’re reevaluating your email security stack and are interested in augmenting your built-in email security, schedule a demo with Armorblox to learn how we stop BEC and targeted phishing attacks using Natural Language Understanding.