In the past 48 hours, PhishLabs has identified and successfully thwarted a sophisticated phishing campaign targeting the Office 365 credentials of high-value targets. This campaign is still active, and security teams should familiarize themselves with the tactics and indicators and remain vigilant. In these attacks, the threat actors pose as private equity firms submitting non-disclosure agreements. Our intelligence has resulted in the detection of multiple phishing attacks that use an email impersonating either a private equity firm or a VC, with the goal of stealing the victim's Office 365 credentials. The email lure is sophisticated and well-designed, with multiple variations observed. The spear phishing attack uses real contact details and information for employees of each impersonated firm, all of which were found in the vCards published on the company websites. To avoid detection, the attacks are distributed to only a small number of users within the target organization. An example of one of the real phishing lures can be seen below. We have redacted some information for privacy reasons.
The phishing lure in question uses a combination of impersonation of real employees and PE firms or VCs, an attachment, and a single line of text that does not contain any spelling or grammatical errors. The attachment poses as a signed NDA; however, it brings victims to a look-alike domain. It also includes an image-based link similar to those used by online file-sharing services. To add authenticity, the URL uses a recently registered domain that impersonates the domain of the purported sender's firm. hxxps://www.crossplanecapitals[.]com, hxxps://www.crossplanecapitals[.]org, and hxxps://eddgemont[.]com have been observed so far. These links redirect to hxxps://serversecuredhttp[.]com. This site poses as Box (a content management and collaboration service commonly used to share documents). The site instructs the victim to log in with their Office 365 account in order to download the document.
The look-alike domain with the ‘s’ is used in the link to the facade document (not visible in the screenshot). The document link goes to hxxps://crossplanecapitals[.]com, which then redirects to hxxps://serversecuredhttp[.]com. We suspect this technique is used to make the document link appear legitimate.
Indicators
- hxxps://serversecuredhttp[.]com
- hxxps://crossplanecapitals[.]com
- hxxps://crossplanecapitals[.]org
- hxxps://eddgemont[.]com
Mitigation Suggestions
PhishLabs recommends that organizations take the following action to help safeguard against this active campaign:
- Scan for indicators across all user inboxes
- Implement email filtering measures to block delivery of emails containing the indicators above
- Block web traffic associated with the indicators
- Reset Office 365 credentials of individuals that received the email lure or visited the malicious URLs
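As an added illustration of the first mitigation step (not PhishLabs' own tooling), the script below refangs the four indicators listed above, then scans constructed mail-gateway and proxy log lines for URLs whose host is one of those domains or a subdomain of one (so www. variants are caught), while ignoring look-alike suffix tricks such as crossplanecapitals.com.example.org. The log lines and field names are invented for the example.

```python
import re
from urllib.parse import urlparse

# Defanged indicators exactly as listed in the advisory above.
DEFANGED_INDICATORS = [
    "hxxps://serversecuredhttp[.]com",
    "hxxps://crossplanecapitals[.]com",
    "hxxps://crossplanecapitals[.]org",
    "hxxps://eddgemont[.]com",
]

# Constructed sample log lines (not real traffic); one gateway line and
# one proxy line reference the campaign, the others are benign or decoys.
SAMPLE_LOGS = [
    '2019-08-12T09:14:02Z gw=mx1 from="partner@pe-firm.example" url="https://www.crossplanecapitals.com/nda/Signed_NDA.pdf"',
    '2019-08-12T09:15:40Z gw=mx1 from="hr@corp.example" url="https://www.box.com/s/abc123"',
    '2019-08-12T10:02:11Z proxy=px2 user=jdoe url="https://serversecuredhttp.com/office365/login"',
    '2019-08-12T10:03:00Z proxy=px2 user=jdoe url="https://crossplanecapitals.com.example.org/"',
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]com) back into a real URL string."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def indicator_domains(indicators):
    """Registrable hosts from the indicators, with any leading 'www.' removed."""
    hosts = set()
    for ind in indicators:
        host = urlparse(refang(ind)).hostname
        if host:
            host = host.lower()
            hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts


def host_matches(host: str, bad_hosts) -> bool:
    """Exact match or a true subdomain; 'bad.com.evil.org' must NOT match."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in bad_hosts)


def scan_logs(lines, indicators=DEFANGED_INDICATORS):
    """Return (line_number, url) for every URL whose host hits an indicator."""
    bad = indicator_domains(indicators)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host_matches(host, bad):
                hits.append((lineno, url))
    return hits
```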
This spear phishing campaign was detected as part of PhishLabs' Email Incident Response service. Among the service's capabilities, we use crowdsourced indicators and other information from across our client base to proactively mitigate threats before they reach user inboxes. Indicators are also sent via our API. To learn more about PhishLabs' Email Incident Response service, reach out to our team.