In today’s Blox Tale, we look at a phishing attack that spoofs a voice message notification from WhatsApp, the international mobile messaging application. Clicking the link attempts to install infostealer malware on the victim’s machine.
The Armorblox research team was able to observe this attack on multiple customer tenants across Office 365 and Google Workspace. The potential total attack exposure was close to 28K mailboxes.
Mailboxes: ~27,660
Target: This email attack targeted multiple organizations across healthcare, education, and retail.
Email security bypassed: Office 365, Google Workspace
Techniques used: voicemail lure (an email impersonating a voice message notification, not voice phishing itself), drive-by download, social engineering, brand impersonation
The socially engineered email was titled ‘New Incoming Voicemessage’ and included a header in the email body repeating the subject line. The email body spoofed a secure message from WhatsApp and claimed that the victim had received a new private voice message.
The email invited the victim to click on the ‘Play’ button to view the secure message. A snapshot of the email is given below:
The sender domain was ‘mailman.cbddmo.ru’. Research from our team suggests the domain is associated with the ‘Center for Road Safety of the Moscow Region’ page (see figure 2 below). According to the website, this organization was established to assist the State Road Safety operations for Moscow and belongs to the Ministry of Internal Affairs of the Russian Federation.
It is possible that the attackers abused an old or poorly maintained mail host under this organization’s domain to send the malicious emails. Because the messages genuinely originated from that domain’s infrastructure, they passed SPF and DMARC checks.
The Phishing Page
Once the target landed on the malicious web page, they were prompted to confirm that they “are not a robot”. If the target clicked “Allow” on the browser notification pop-up, a malicious payload could be installed as a Windows application through a browser ad service, sidestepping User Account Control. Once installed, the infostealer can harvest sensitive information such as credentials saved in the browser.
The email was sent from a valid domain and bypassed Microsoft and Google email security.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email title, design, and content aimed to induce a sense of trust and urgency in the victims: trust because the email claimed to come from a legitimate communication application (WhatsApp), and urgency because it claimed the victim had a voice message waiting, something they would be eager to hear. The attack also leverages the curiosity effect, a cognitive bias describing our innate desire to resolve uncertainty and learn more about something.
Brand impersonation: The email has HTML styling and content disclaimers similar to WhatsApp’s. Although WhatsApp does not send voice message notifications by email, the colors and branding elements are close enough to fool an end user.
Exploiting a legitimate domain: The sender’s parent domain, ‘mailman.cbddmo.ru’, is a legitimate domain. Because the messages were actually sent from that domain’s infrastructure, SPF and DMARC passed rather than failed; sender authentication proves which domain sent a message, not that the sender is who the display name claims to be. At the time of writing, Armorblox researchers are not able to confirm how the attacker(s) were able to send email from this domain.
Replicating existing workflows: The context of the attack replicates workflows that already exist in our daily work lives (getting email notifications of a voicemail). When we see emails we have seen before, our brains tend to employ System 1 thinking and act quickly. The email content even had each victim’s first name filled in to increase the feeling of legitimacy and the chance of follow-through.
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past the native security controls of Office 365 and Google Workspace. For better coverage against email attacks (whether spear phishing, business email compromise, credential phishing, or malware delivery like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and is a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to execute their requested actions quickly. It is easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that covers the sender name, the sender email address, the language in the email, and any logical inconsistencies (e.g. why would a WhatsApp link lead to an HTML download? Why does the sender domain belong to an unrelated third-party organization?).
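The eye test above, and the point made earlier that SPF/DMARC passing only vouches for ‘mailman.cbddmo.ru’ and not for WhatsApp, can be turned into a simple triage rule. The following Python script is an added example, not Armorblox’s detection logic: it parses a message, reads the Authentication-Results header, and flags a brand claimed in the display name or subject whose sender domain and link targets are not on that brand’s domain allow-list, plus a voicemail-lure subject and links that point at a file download. The two messages are constructed to mirror the lure the post describes; the landing URL is a placeholder, and the BRAND_DOMAINS allow-list is an assumption you would maintain yourself.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modeled on the lure in the post. The link target is a placeholder,
# not the real landing page; the headers mimic what a mailbox provider would have seen.
LURE_EML = """\
From: "WhatsApp" <notifications@mailman.cbddmo.ru>
To: Alice <alice@victim.example>
Subject: New Incoming Voicemessage
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=mailman.cbddmo.ru; dmarc=pass header.from=mailman.cbddmo.ru
Content-Type: text/html; charset="utf-8"

<html><body>
<h2>New Incoming Voicemessage</h2>
<p>Hi Alice, you have a new private voice message.</p>
<a href="https://voice-play.example.invalid/captcha/play.html">Play</a>
</body></html>
"""

# Constructed benign control: same brand in the display name, but sent from an allow-listed domain.
BENIGN_EML = """\
From: "WhatsApp" <no-reply@whatsapp.com>
To: Alice <alice@victim.example>
Subject: Your WhatsApp verification code
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=whatsapp.com; dkim=pass header.d=whatsapp.com; dmarc=pass header.from=whatsapp.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your code is 123-456. Need help? <a href="https://faq.whatsapp.com/">Help Center</a></p></body></html>
"""

# Assumed allow-list: domains each impersonated brand legitimately mails and links from.
BRAND_DOMAINS = {"whatsapp": ("whatsapp.com", "whatsapp.net")}
LURE_WORDS = ("voice message", "voicemessage", "voicemail", "voice mail")
DOWNLOAD_EXT = (".html", ".htm", ".exe", ".zip", ".js", ".iso", ".msi")


def domain_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    h = host.lower()
    return any(h == a or h.endswith("." + a) for a in allowed)


def analyze(raw):
    """Return sender domain, parsed auth results and a list of (code, detail) findings."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = str(msg.get("Subject", ""))
    # spf=pass / dkim=pass / dmarc=pass as reported by the receiving MTA.
    auth = {k.lower(): v.lower() for k, v in re.findall(
        r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", "")), re.I)}

    findings = []
    claimed = [b for b in BRAND_DOMAINS if b in (display + " " + subject).lower()]
    for brand in claimed:
        if not domain_matches(sender_domain, BRAND_DOMAINS[brand]):
            findings.append(("BRAND_DOMAIN_MISMATCH",
                             f"display name/subject claims {brand}, sender domain is {sender_domain}"))
            if auth.get("spf") == "pass" or auth.get("dmarc") == "pass":
                # Authentication passed for the real sending domain, which says nothing about the brand.
                findings.append(("AUTH_NOT_BRAND",
                                 f"SPF/DMARC pass vouches for {sender_domain}, not for {brand}"))
    if any(w in subject.lower() for w in LURE_WORDS):
        findings.append(("VOICEMAIL_LURE", "subject mimics a voicemail notification"))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href in re.findall(r"""href=["']([^"']+)["']""", html, re.I):
        u = urlparse(href)
        host = u.hostname or ""
        if u.scheme not in ("http", "https"):
            continue
        if claimed and not any(domain_matches(host, BRAND_DOMAINS[b]) for b in claimed):
            findings.append(("LINK_OFF_BRAND", f"link to {host} is not a {'/'.join(claimed)} domain"))
        if u.path.lower().endswith(DOWNLOAD_EXT):
            findings.append(("LINK_FILE_DOWNLOAD", f"link path {u.path} looks like a file download"))
    return {"sender_domain": sender_domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        result = analyze(name and raw)
        print(name, result["sender_domain"], result["auth"])
        for code, detail in result["findings"]:
            print("  ", code, "-", detail)
```

Run against the lure, the script reports five findings (brand/domain mismatch, authentication that does not vouch for the brand, the voicemail subject, an off-brand link and an HTML download target); the benign control from an allow-listed domain produces none. The allow-list and the crude hostname matching are the weak points in practice: keep the list current and use a public suffix list rather than plain string suffix checks before deploying something like this in a mail pipeline.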
3. Follow multi-factor authentication and password management best practices
If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use a password manager such as LastPass or 1Password to store your account passwords.
For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below.