We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.
One of the interesting techniques we observed in this campaign is the use of redirector sites with a unique subdomain for each target. The subdomain follows different formats but generally always contains the recipient’s username and org domain name.
This unique subdomain is added to a set of base domains, typically compromised sites. Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.
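The URL layout described above (per-recipient subdomain, compromised base domain, an extra dot after the TLD, then the Base64-encoded recipient address) is easy to turn into a hunting check. The following is an added example, not tooling from the thread or from Microsoft; the TLD list, the sample URLs and the `compromised-site.com` / `jdoe@contoso.com` values are constructed assumptions.

```python
import base64
import re

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Labels treated as the end of the registered domain (assumption; extend as needed).
TLDS = {"com", "net", "org", "io", "co", "uk", "de"}

def decode_email_token(token):
    """Decode a URL token as Base64 (standard or URL-safe, padding optional).
    Returns the email address it encodes, or None if it is not one."""
    padded = token + "=" * (-len(token) % 4)
    for altchars in (None, b"-_"):
        try:
            text = base64.b64decode(padded, altchars=altchars, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            continue
        if EMAIL_RE.match(text):
            return text
    return None

def analyze_url(url):
    """Return a finding dict if the URL matches the per-recipient redirector pattern, else None."""
    hostpath = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I).split("?")[0].split("#")[0]
    labels = re.split(r"[./]", hostpath)
    # Walk dot/slash-separated labels; a TLD followed by a token that decodes
    # to an email address is the signature the thread describes.
    for i, label in enumerate(labels[1:-1], start=1):
        if label.lower() not in TLDS:
            continue
        recipient = decode_email_token(labels[i + 1])
        if recipient is None:
            continue
        local, _, domain = recipient.lower().partition("@")
        org = domain.split(".")[0]
        subdomain = ".".join(labels[:i - 1]).lower()
        return {
            "recipient": recipient,
            "subdomain": subdomain,
            "base_domain": f"{labels[i - 1]}.{label}",
            # Personalised lure: the per-target subdomain carries username and org name.
            "personalized": local in subdomain and org in subdomain,
        }
    return None

def demo():
    """Run the check over constructed sample URLs (not real indicators) and return results."""
    samples = [
        # amRvZUBjb250b3NvLmNvbQ== is base64("jdoe@contoso.com")
        "https://jdoe-contoso.compromised-site.com.amRvZUBjb250b3NvLmNvbQ==/login",
        "https://www.example.com/login",
    ]
    return [(u, analyze_url(u)) for u in samples]

if __name__ == "__main__":
    for url, finding in demo():
        print(url, "->", finding or "no match")
```

Run over URLs pulled from mail logs, the `personalized` flag separates this campaign's per-target redirectors from unrelated links that merely carry a Base64 token.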
The use of custom subdomains helps increase the believability of the lure. In addition, the campaign uses patterns in sender display names consistent with the social engineering lure: "Password Update", "Exchange proteccion", "Helpdesk-#", "SharePoint", "Projects_communications".
The unique subdomains also mean huge volumes of phishing URLs in this campaign, an attempt at evading detection. As another layer of defense evasion, these redirector URLs can detect connections from sandbox environments.
If the redirector detects that it’s being accessed from a sandbox environment or if the URL has expired, it redirects to legitimate sites, such that it can evade automated analysis, and only actual users reach the phishing site.
These techniques, in addition to the fact that the email message uses heavy obfuscation in its HTML code, make for a sophisticated phishing campaign, exemplifying the increasingly complex email threats that enterprises face today.
Microsoft 365 Defender detects phishing and other email threats and correlates threat data across email and data, endpoints, identities, and apps. Microsoft Defender for Office 365 uses behavior-based detections and machine learning to detect sophisticated email threats.
Defenders can use advanced hunting and other tools in Microsoft 365 Defender to locate emails that exhibit the unique techniques used by this phishing campaign, perform additional investigation, and resolve attacks.