Researchers at Cofense Phishing Defense Center found that attackers conducted a successful phishing campaign against enterprise users by overlaying legitimate web pages with fake login pop-ups. The phishing campaign exploited Microsoft Outlook enterprise email quarantine policies to lure victims into disclosing their login details. The threat actors purported to be the technical support team of the target company by using “Support” as the sender’s title and “Action Required” as the subject line. The hackers claim that the company’s email security service had blocked valid inbound email messages from reaching the inbox and that the users should recover the messages before the server permanently deleted them.
Bait email used in the quarantine phishing campaign
The phishing email claims that the server “failed to process new messages in the inbox folder,” and that “valid email messages have been held and quarantined for deletion.” The attacker requested the user to review the messages and recover them before they were automatically deleted within three days.
The attacker provided a “Review Messages Now” button for the user to complete the action. However, the researchers noted that the link was a huge red flag because it pointed to a very long and suspicious URL. The address also contained the parameters for loading specific pages depending on the company targeted in the phishing campaign.
Attackers earned user trust by using familiar web pages
By clicking the link, employees were redirected to a legitimate company website with an Outlook email login screen. This trick gives the employee a greater comfort level by displaying a familiar page. The attackers, however, overlay the company’s web page with a fake login panel, which prompted the user to log in with their company account because their session had timed out.
The threat actor also conveniently populated the fake login panel with the user’s email address to gain more trust. Additionally, the victim could also click outside the overlay and interact with the legitimate page.
By entering the login credentials, the fake login panel sent them to a server used in the phishing campaign. The use of legitimate web pages in the phishing campaign threw many users off guard, causing them to disclose their enterprise login credentials.
The researchers noted that the fear of missed communication and loss of documents made the phishing campaign successful on enterprise users.
Commenting on the overlay phishing campaign, James McQuiggan, A Security Awareness Advocate, KnowBe4, says:
“Cybercriminals carefully craft their phishing emails to entice the victim. Based on fear, curiosity, or a sense of urgency, they want the victim to make a reflexive action and bypass any in-depth thinking about the email. With security awareness training, people receive training and learn to check the URLs and to hover over a link to verify if the site is valid.”