We detected a recent spike in busines email compromise (BEC) attacks soliciting gift cards primarily targeting K-12 schoolteachers. Attackers impersonate colleagues or school officials to ask recipients to purchase various gift cards.
The fraudulent emails are sent from attacker-created accounts on free email service providers, such as Gmail, Mail[.]ru, Yahoo, Hotmail, Outlook, and iCloud. As in many BEC campaigns, attackers identify targets through their publicly available info on websites and social media.
Attackers use various scenarios and lures to feign legitimacy and urgency. Based on intelligence, these attackers have also used COVID-19 lures for similar gift card BEC campaigns.
To protect customers from these threats, Microsoft Defender for Office 365 uses built-in capabilities to automatically detect domain spoofing and user and domain impersonation. These capabilities are backed by security experts who monitor and analyze these evasive threats.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
As Solorigate continues to be the top security topic, it’s business as usual for some cybercrime operations. After being seen in short-lived campaigns before Christmas, Emotet is back this week in a new campaign that uses various lures, including, oddly, "Christmas Party".
Emotet is known for its penchant for using holiday-themed emails, but this week’s campaign also uses what’s proven effective for the operators: a wide range of lures in massive volumes of emails, the use of fake replies or forwarded emails, password-protected archive attachments.
The new Emotet campaign still uses documents that contain malicious macro that, when enabled, connects to seven malicious domains to download the Emotet payload.
In the past weeks, researchers have noted the increased abuse of legitimate cloud hosting services in malware campaigns. Microsoft threat intelligence shows this trend persists, w/ a number of known malware incl. BazarLoader, Zloader, Lightbot, Hancitor, etc. using the technique.
The email campaigns use a wide range of lures, incl. ones that use threats of job dismissal, exposing illegal activity, other fear tactics. The link leads to a malicious document or archive file hosted on a legitimate service. Downloading & opening the file leads to the payload.
A recent campaign uses password-protected .zip files hosted on Google Drive, with the password (curiously incorrect in this sample) in the email. While other services, incl. those from Microsoft, have been abused, the recent spike in the use of Google services is notable.
We’re tracking an active credential phishing attack targeting enterprises that uses multiple sophisticated methods for defense evasion and social engineering. The campaign uses timely lures relevant to remote work, like password updates, conferencing info, helpdesk tickets, etc.
One of the interesting techniques we observed in this campaign is the use of redirector sites with a unique subdomain for each target. The subdomain follows different formats but generally always contains the recipient’s username and org domain name.
This unique subdomain is added to a set of base domains, typically compromised sites. Notably, the phishing URLs have an extra dot after the TLD, followed by the Base64-encoded email address of the recipient.
Emotet joined the password-protected attachment bandwagon with a campaign starting Friday. The campaign slowed down over the weekend (typical of Emotet) but was back today in even larger volumes of emails in English, as well as in some European languages.
The Emotet emails carry a password-protected archive file that contains a document with malicious macro, which then downloads the Emotet payload. In contrast, last week’s Trickbot campaign used password-protected documents attached directly to emails.
If the recipient enters the password, which is in the email body, the document tricks users into enabling the malicious macro by claiming the that the file was created on “Windows 10 Mobile” (Friday’s campaign) or “Android device” (today’s campaign).
Earlier this week we started seeing a spike in the use of password-protected documents in multiple malware campaigns, including Trickbot. These documents are attached to emails that use varying social engineering lures like the typical "order", "invoice", "documents".
We also saw the increasingly less common but still used “new corona case” lure. Some of the emails also indicate more specific targeting, with attackers using the domain of compromised sender accounts as part of the email body for improved believability.
When opened, the malicious documents prompt for the password, which is in the email body. If the recipient enters the password, the document opens with instructions to enable editing and enable content, so that a malicious macro can run and download the payload.
Our comprehensive, active tracking of Dudear operations, attributed to the threat actor CHIMBORAZO (aka TA505), shows that these campaigns relentlessly use multiple layers of detection evasion techniques to try and slip through defenses.
These techniques include the routine use of varying social engineering lures (recent ones include Expense report, fake Citrix ShareFile email, and fake Dropbox notification) and download websites that block traffic from automated analysis, in addition to the CAPTCHA challenge.
The email campaigns also switch between using HTML attachments that lead to a series of redirector websites before eventually leading to the download website, and using malicious URLs that download the malicious HTML, or both.