Information Security Tip:
What to look for in order to avoid phishing attempts. Using a hacked account in order to phish for email usernames and passwords. This method is becoming more popular among malicious actors as it capitalizes on user’s comfort with file sharing platforms, and recognized authentication methods such as Office 365.
The message is sent using a hacked user account, and included an attachment called Payment Swift.xlsx. the XLSX extension means that this attachment is an excel workbook or spreadsheet.
In addition to the fact that this message was not expected by the user, we can see that the message also contains the following characteristics of a Phishing Email:
- A vague subject line (INVOICE 2020)
- Vague Attachment Name (Payment swift.xlsx)
- Non-personalized greeting (Good morning _____)
- Different text sizes and fonts within the message body.
- Vague message body and instructions
The attachment of the email was analyzed in a safe and isolated environment, and the image below shows what it contained.
We can see that the attachment itself does not contain any actual content, and instead has an image with a Hyper-link to the hacked users Microsoft SharePoint account. This is a common tactic to make the user think that the actual content is hosted on Microsoft OneDrive, and that the user will need to sign in.
This is not the normal protocol for accessing documents on OneDrive, and requests for authentication will never be presented within an email attachment or shared document.
When the link is clicked , the user’s browser opens into the hacked SharePoint, which is a mirror image of the included email attachment, and also contains nothing but a link prompting the user to sign into Microsoft in order to access the documents.
In the document located in SharePoint, the embedded link resolves to the URL: admarco[dot]gb[dot]net. The URL is a Known phishing URL but has been edited to look like a legitimate Microsoft Login page.
The image below is not a screenshot of the actual page presented by this phishing message but is an example of how convincing these forged login pages can be. The red box around the address bar shows that this is not a real Microsoft login page, which should read Login.microsoftonline.com.
The user is prompted for their Microsoft password the first time and told that their username or password is incorrect. The user’s password is not really incorrect, but having the user enter their password again serves as a confirmation method to the malicious actor, providing more confidence that the password that the user has entered is, in fact, their Microsoft password. Once the user enters their password again, their credentials are automatically accepted.
Once the password is accepted, the user is redirected to a real Microsoft login page, without being shown a document, and leaving them confused. If the user’s password is not reset, their OneDrive and SharePoint could also be used to send out similar messages to unsuspecting users.
The lessons that should be taken from this phishing email are:
- Be wary of messages with vague subject lines or attachment names
- Non-personalized greetings could indicate that the message is part of a phishing campaign
- Look for strange formatting within email messages (different fonts and text sizes)
- Legitimate shared documents will NEVER prompt you to login using a link within the document
- Before entering your password into a Microsoft Login page, make sure the URL address bar reads “login.microsoft.com”
- Never click any links that you do not recognize. When in doubt, hover your mouse over the link, or report the message to ITSCyberSecurity@cobleskill.edu.
If you receive any messages that you do not recognize or were not expecting, please forward the message to ITSCyberSecurity@cobleskill.edu.