It’s Not Safe: “Security Update” Goes Phishing via PDF
Figure 1: Email Body
The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest Office365 (O365) credentials, masquerading as an Outlook Security update email from the IT Security department to entice employees to open a “New Policy” PDF.
Cofense continues to see PDFs leveraged to deliver links directing users to sites to enter credentials or download malware. This tactic often allows threat actors to slip corrupted content past traditional email security and into users’ inboxes.
The subject of the email immediately lends credence by including the company name: “[CompanyName] Service Changes.” In addition, the threat actor has spoofed the sender name to appear as “[CompanyName] Outlook.” With the personalization of the subject and sender information, users are more likely to open the PDF.
Figure 2: New-Policy.pdf
In the first line of the email there is verification that the message is meant for this user “To [user’s email address]”. Threat actors use this tactic to instill a sense of significance to the email. The body of the email directs the recipient to review the PDF in order to “apply a new Office 365 Security.”
Hovering over the “Apply Update” button, we see that this is steering the recipient to a Google Ad Services link that redirects to hxxps://ekavolunteers[.]org/.
In Figure 2, we see the well-crafted document containing both the Microsoft and the recipient’s company logo. The document is detailed, listing a release date, release code and other specifics intended to make the document appear legitimate
As seen in figure 3, the final redirect goes to the URL:
The first part of the URL, googleadservices[.]com, is a reputable service that most organizations would not block. However, this is a common tactic many threat actors use to evade email filters and other security. They use legitimate links to mask redirects to malicious sites. By clicking on “Accept”, “More details about this?”, or ” Privacy Statement”, users are routed to hxxp://ekavolunteers[.]org. From there, another redirect sends users to the final phishing page that harvests credentials.
On this page, users are presented with a Microsoft page with a pop up containing the “Updated Privacy Policy”.
hxxp://microsoftofficeonlineservices.com[.]0-auth[.]live
This page does appear to have Microsoft’s privacy policy listed along with the user’s company logo affixed at the bottom as a personalization lure.
Figure 3: Phishing Page
Clicking the “Accept” button sends users to the final stage of this attack, as seen in Figures 4 and 5.
Next, as shown in Figure 6, we see the login page where the user’s email address is auto-populated. Only the password remains to be provided.
Figure 4-5: Phishing Page
Figure 6: Final Redirect
After the users “log in,” they are presented with a statement advising “We’ve updated our terms” to impart a sense of logical sequence to the user’s actions. Once the “Finish” button is clicked, the user is redirected to the legitimate Microsoft Service Agreement page. This redirect is a common tactic intended to keep users in the dark, unaware that their credentials are now in the hands of cyber criminals.
Cofense is uniquely positioned to stop phish. With Cofense Phishing Detection and Response, enterprises benefit from our complete view of real phishing threats. We can help you achieve zero breaches as a resulting of phishing emails. Contact us to find out how.
Campaigns like this can be headed off by conditioning users to spot threats and tactics designed to penetrate environments protected by secure email gateways (SEGs). This campaign illustrates how automated systems may fail without an additional layer of protection in the form of human sensors spotting and reporting suspicious emails that turn up in their inbox.
| Indicators of Compromise | IP |
| hXXps://www[.]googleadservices[.]com/pagead/aclk?sa=L&ai=CZCUrwkdiXpuiJYCLmLAPouaG8A3Cwr-DXIfCkamHC7jaqcaoGBABIOaX1iVghIWAgNgdoAGEgOejA8gBCakCeFDgg656kT6oAwHIA8MEqgSbAk_QojPw-DaxX9skc2uNHUM5cIk-P8xTMe60h0f3nF1fQSxbiTIecJrlWTgXnp45S8NvTXncuqDQHdp5qRFRQflcgJx7ZIXQZMZeSK7p3AO69bSV5qtGPNerAJHZZKMP71l78KB1Eg0SAfnftDSxUqQ9lwb_a4EUOykK9nbFDqswqTxE-S6AcqATWfvzjYd_5g2VydvIgw5CDpok1CROXdqxd_0wNmtaNdN5QhQGAGUsScZ8BgXQMBf62o81xBt_ITEUHxrBp5eLFRMC2BUJQ48Qh_B3eg9oCngoSnm9AvlbERNsUT5Wq8rI8tQs1cNzeKTGGiyarfmdYZMWy5S6H-vEe59kvyP96os9y9HLIGkX7myuV_DOzwUp7DjABJjT0ebfAqAGLoAH5P-YXKgHjs4bqAfVyRuoB5PYG6gHn9sbqAe6BqgH8tkbqAemvhuoB-zVG6gH89EbqAfs1RuoB8LaG9gHANIIBwiAYRABGADyCA1iaWRkZXItNTQ1NzU2sQkc-aFWmboITIAKBJgLAcgLAQ&ae=1&num=1&pr=10:0.865137&cid=CAASEuRoBo-RPe6zJ1BGgrMR1MGsgQ&sig=AOD64_3WRWwBdf88-GXuezW4Nbs_nTshPQ&client=ca-pub-3076890012741467&nb=19&adurl=https://ekavolunteers.org/@ | 172[.]217[.]13[.]226
172[.]67[.]134[.]22
|
| hXXps://microsoftofficeonlineservices[.]com[.]0-auth[.]live/common/oauth2-authorize/
|
|
| hXXps://ekavolunteers[.]org/@ | 104[.]21[.]5[.]251
|
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.
This post was first first published on Cofense’s website by Cofense. You can view it by clicking here