Phishing Campaign Weaves Around Microsoft Automated Email Filtering

Researchers with cyber security firm Armorblox discovered a cunning new phishing campaign that impersonated infosec firm Proofpoint and spoofed Microsoft and Google login pages.

The campaign is using several clever social engineering tricks to encourage victims to click. According to reports, the brunt of the attack was focused on a large communications company with a global presence.

The body of the email claims that the link inside leads to a very secure file sent through Proofpoint. The emails used topics revolving around mortgages and included "Re:" in their subject lines, creating the illusion of an existing, ongoing conversation, which further helps lure victims into clicking the malicious links inside the email.

Once the victim clicks the link contained in the phishing mail, they are redirected to a hacker-controlled page that mimics the branding and design of Proofpoint. The fake Proofpoint page carries login links that prompt the user to enter either their Google or Office 365 credentials, in the hope of reaching the file allegedly referenced in the mail.

The spoofed login pages, accepting Google and Microsoft's Office 365 credentials respectively, gathered users' emails and passwords and funneled them to the campaign operators.

Another curious detail about this campaign is that the emails managed to dodge Microsoft's email security filtering. This was possible because the emails originated from an address belonging to a real fire department office located in France, which had already been compromised by the bad actors running the campaign.
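The lure traits described above (a "Re:" subject with no real thread behind it, and a Proofpoint-branded message from an unrelated sender) can be checked at triage time. The following is an added example, not code from Armorblox or the original article; it assumes genuine replies carry `In-Reply-To` or `References` headers, and the brand-to-domain map, the two sample messages and the finding names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed map of brand names to the domains they legitimately send from.
BRAND_DOMAINS = {"proofpoint": ("proofpoint.com",)}

# Constructed sample shaped like the lure in the article (not a real message).
PHISH = """\
From: Station Office <contact@fire-dept.example>
Subject: Re: Mortgage documents
Authentication-Results: mx.victim.example; spf=pass; dkim=pass

A secure file was sent to you via Proofpoint. Sign in to view it:
https://files.example.net/view
"""

# Constructed benign reply: carries threading headers, names no brand.
REPLY = """\
From: Colleague <colleague@victim.example>
Subject: RE: Mortgage documents
In-Reply-To: <0@victim.example>
References: <0@victim.example>

Thanks, I have the paperwork now.
"""

def in_domain(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def findings(raw):
    msg = message_from_string(raw, policy=policy.default)
    out = []
    # A genuine reply normally carries In-Reply-To or References (RFC 5322).
    if re.match(r"\s*re\s*:", msg.get("Subject", ""), re.I) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        out.append("reply-subject-without-thread-headers")
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    link_hosts = re.findall(r"https?://([^/\s:]+)", body)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in body and not in_domain(sender_host, domains):
            out.append(f"brand-mention-from-unrelated-sender:{brand}")
            if not any(in_domain(h, domains) for h in link_hosts):
                out.append(f"brand-mention-links-elsewhere:{brand}")
    # SPF/DKIM results are ignored: a compromised real mailbox passes them.
    return out
```

Calling `findings(PHISH)` returns all three findings even though the constructed message shows passing SPF and DKIM, while `findings(REPLY)` returns an empty list.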

This incident once again raises awareness of the dangers of clever social engineering and of how easy it is to fall into a serious trap: a single mistake by a single employee can have major consequences and repercussions for the company or entity.

November 8, 2021