A team at security firm Armorblox says the attacks are targeting Microsoft accounts through phishing emails that arrive via legitimate domains, among them Google Firebase. Because the hosting domains themselves have a good reputation, the emails carrying the malicious payload can bypass Microsoft’s security filters. “The email titles, sender names and content did enough to mask their true intention and make victims think the emails were really from FedEx and DHL Express respectively,” researchers say. “Emails informing us of FedEx scanned documents or missed DHL deliveries are not out of the ordinary; most users will tend to take quick action on these emails instead of studying them in detail for any inconsistencies.”

One of the attacks is designed to accurately copy an email from FedEx, one of the biggest multinational delivery services. Emails arrived with the title “You have a new FedEx sent to you”. Needless to say, this would already be enough for most users to open the email. However, to trick victims into accessing the malicious content, the email went further by including details that added to its apparent legitimacy.
Attack
For example, there was an ID code, the number of pages in the “delivered” document, and a link to preview the document. Clicking the link takes the user to the file hosting service Quip, again, so far so legitimate. If you’re unfamiliar with Quip, it is used by Salesforce for hosting spreadsheets, documents, chats, and slides. Phishing attacks that use legitimate hosting sites are a growing trend and make it harder for services to spot malicious files: “Most of these services have free versions and are easy to use, which make them beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals to launch successful phishing attacks.”

Once the victim clicked the document preview page on Quip, they would be taken to the phishing page. Even this looked realistic enough to fool some people, as it looked like the Microsoft login portal. Here victims would enter their Microsoft Account credentials, believing they were accessing the document. This phishing page was hosted on Google Firebase. After submitting, users were asked to verify their details: “This might point to some backend validation mechanism in place that checks the veracity of entered details,” said researchers. “Alternately, attackers might be looking to harvest as many email addresses and passwords as possible and the error message will keep appearing regardless of the details entered.”
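The chain described above (a delivery-themed lure whose sender claims a brand it is not sent from, and whose links hop to a generic file-hosting or app-hosting service rather than the brand's own domain) can be caught with a few header and link checks. The following is an added example for mail triage, not code from Armorblox or the article. The brand-to-domain map and the hosting-service watchlist are assumptions for this example, as are the two constructed sample messages; the lookup of links stops at the first hop, since the Quip-to-Firebase redirect in the article only becomes visible when the link is followed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands that delivery-notification lures impersonate, mapped to the domains a
# genuine mail from them would use. FedEx and DHL follow the article; the
# domain sets are an assumption for this example, not a vetted allowlist.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "dhl": {"dhl.com", "dhl.de"},
}

# Hosting services the article describes as the first hop (Quip) and the
# credential-page host (Firebase). Assumed watchlist; extend for your tenant.
HOSTING_DOMAINS = {"quip.com", "firebaseapp.com", "web.app"}

HREF_RE = re.compile(r'href=["\'](https?://[^"\']+)["\']', re.IGNORECASE)


def registrable(host):
    """Crude 'last two labels' domain; enough for the watchlists above."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw_message):
    """Return the brands a message claims and the inconsistencies found."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    findings = []

    # 1. Which brand does the display name or subject claim?
    claim_text = f"{display_name} {subject}".lower()
    claimed = [b for b in BRAND_DOMAINS if b in claim_text]

    # 2. Brand claimed, but the sender address is not on that brand's domain.
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"claims {brand} but sent from {sender_domain or 'unknown'}")

    # 3. Links that point at a hosting service, or away from the claimed brand.
    body = msg.get_payload(decode=True) or b""
    for url in HREF_RE.findall(body.decode("utf-8", "replace")):
        host = urlparse(url).hostname
        if not host:
            continue
        reg = registrable(host)
        if reg in HOSTING_DOMAINS:
            findings.append(f"link {url} goes to hosting service {reg}")
        for brand in claimed:
            if reg not in BRAND_DOMAINS[brand]:
                findings.append(f"link {url} is not on a {brand} domain")

    return {"claimed_brands": claimed, "findings": findings}


# Constructed sample modelled on the lure in the article (not a real message).
SAMPLE_PHISH = """\
From: FedEx Express <notify@mail-delivery-example.test>
To: user@example.test
Subject: You have a new FedEx sent to you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Document ID: 4821-XK. Pages: 2.</p>
<p><a href="https://share-example.quip.com/doc/preview">Preview document</a></p>
</body></html>
"""

# Constructed benign counterpart: brand, sender domain and link all agree.
SAMPLE_LEGIT = """\
From: FedEx <tracking@fedex.com>
To: user@example.test
Subject: FedEx shipment 1234 delivered
Content-Type: text/html; charset=utf-8

<html><body><a href="https://www.fedex.com/tracking?id=1234">Track</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

The display-name check is deliberately loose (any mention of the brand counts), because the lure's whole point is that the name and subject look right; the discriminating signals are the sender domain and where the links actually go.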