PhishLabs' Email Incident Response analysts recently identified a phishing campaign leveraging novel tactics in the ongoing war between threat actors and security teams. In addition to presenting a unique twist on a popular lure theme, the campaign leverages a clever combination of tactics by attackers attempting to defeat email security technologies to great effectiveness.
PhishLabs observed this campaign defeating a variety of the most prominent email security gateways on the market today.
Lure Theme and Social Engineering Tactics
At base, this campaign's lure claims that the victim has a new voicemail via the Office 365 system. While this theme is extremely popular with attackers as of late, this particular campaign offers a novel twist on the formula. Rather than simply claiming there is a voicemail available for download, this lure imitates Microsoft's new Voicemail to Text feature by displaying a transcript of the supposed voicemail.
As you can see in the screenshot above, only the first sentence is visible in the email, while the remainder is blurred out. The sentence that is visible is extremely ominous by leading in with “this is bad." As a result, the lure creates a powerful combination of both fear and curiosity triggers that compels the victim to open the attachment for the remainder of the message.
Image-Based Email Body
The primary tactic at play here is that the entire body of the email is in actuality an image inserted into the email body in-line. By doing this, the attacker prevents email gateways and spam filters from being able to scan the body for suspicious strings or natural language processing. Additionally, to prevent raising suspicion by sending a supposedly empty email, the attacker leverages the MIME multipart/alternative subtype to present a benign series of words to any program that cannot render the image. See below for a screenshot of a portion of the email's source showing this technique.
The above screenshot illustrates what email clients render. Below the red line is where the image is pulled, and above the red line shows the Latin fill that email clients that don't load images will see.
Attachment-Based Payload
The attacker also keeps the phishing URL out of the email body by including it in an attachment. The attachment itself is a simple html file which uses a meta-refresh technique to redirect the victim to the phishing page when the document is opened. This combination of techniques will cause this email to breeze past any URL scanning technology which does not effectively handle the scanning of attached files.
By including the payload as an attachment, it also serves as an obfuscation method to prevent URL hovering, as well as defeats email filtering technology that only scans the email body and not attachments.
Campaign Automation and Personalization
One interesting characteristic of the campaign is that there are basic elements of personalization throughout the lure. While this has been seen before in text-based threats, the fact that that the image itself contains personalization (the email username of the victim appears within the image) is novel. Additionally, the phishing URL itself contains references to the email username within the path of the URL.
These factors together suggest that the attackers behind this campaign are using substantial levels of automation in order to generate these dynamic lures and landing pages. This highlights a trend that the industry has seen for some time: attackers are continually working to further blur the traditional lines between a non-targeted phishing campaign and a targeted spear phishing campaign. These “semi-targeted" campaigns can increase the success rate of attacks against unwary users while greatly reducing the level of effort required by traditional targeted attacks.
Although there are indicators visible within the body of the phishing lure, email security technology can't typically extract information pulled from an image. Because of this, the listed phone numbers, prompt message, and other information are not effective for detecting the lure. The attachment hashes and filenames are also dynamic, impeding effective detection.
Interestingly, in several of the observed subject lines, the subject includes a timestamp which is identical to the delivery time of the email. This adds a small element of added realism to the premise that this is a new voicemail message.
Industries and Targets Observed
This threat actor is targeting organizations of different sizes and across a variety of industries. While basic personalization of the lure is taking place, it is minimal and easily accomplished via automation. For this reason, it does not appear that this campaign is targeted at particular organizations or sectors.
Observed indicators
The following indicators have been identified during our analysis of the active campaign:
Subject Lines
The threat actor is using a variety of subject lines in the campaign.
Observed Formats include:
- New email Received on:
: , - New mail on:
: , - New email from:
Attachment
The attachment included with the phishing lure does mirror existing campaigns. The observed attachments will redirect a victim to a fake Microsoft Office 365 login page in an attempt to steal their credentials. The technique, a meta refresh, is designed to bounce the victim to a phishing page. We have seen these tactics for years, but they still often bypass common methods of blocking URL redirection.
By including the payload as an attachment, it also serves as an obfuscation method to prevent URL hovering, as well as defeats email filtering technology that only scans the email body and not attachments.
Phishing Site
Multiple compromised domains are being used to host the malicious phishing URL, but all malicious URLs share a similar structure. The destination URL also has a personalized component within the URL. An example is shown below.
hXXps://mobilesoftint{dot}com/accounts/
There are a few reasons for personalizing URLs like this. First, it reduces the effectiveness of blocking individual URLs if each victim receives one that is unique. While this problem can be overcome by blocking at a more general level, this approach requires caution as overzealous blocking can interfere with normal business operation for an organization. Additionally, the attacker may be monitoring which URLs are being interacted with for intelligence gathering purposes. If a victim is seen to be interacting with lures, they may be seen as more susceptible, and added to a target list for future attacks. There are additional reasons for dynamically generating URLs, but their attributes are not present in this campaign.
Sender Domain
Lures have been observed coming from multiple email accounts. Based on the naming convention of these sending accounts, they are likely to be actual user accounts that have been compromised (unlike in the Office 365 campaign we detected last month). Most likely these email accounts were victims of a previous phishing scam. One common element to all observed sending addresses is that they all belong to Japanese organizations based on the .co.jp TLD.
Handling Related Threats
Because this phishing lure abuses images rather than text, email security technology will not be sufficient in blocking the active campaign. On top of this, the senders are from breached, personal email accounts and the phishing sites are on compromised domains. For these reasons, both Security Awareness Training and a solution like Email Incident Response is paramount in protecting your organization.
Additional Resources: