This article relates to an ongoing phishing campaign; the GreatHorn Threat Intelligence Team will continue to update this page as more information becomes available.
The GreatHorn Threat Intelligence Team has discovered a large-scale phishing campaign propagating through open redirectors on domains and subsidiary domains belonging to multiple global brands. It has reached tens of thousands of mailboxes and targets business users across industries, geographies, and companies.
The Threat Intelligence Team describes the campaign as a “comprehensive and multi-pronged attack”: multiple hosting services and web servers are being used to host fraudulent Office 365 login pages, and the malicious links, delivered by phishing email to users worldwide, are bypassing email providers’ native security controls and slipping past nearly every legacy email security platform on the market.
“This is a pervasive and significant event. While our customers are protected, this is an attack that appears to have easily bypassed both platform controls and multiple legacy secure email gateway solutions. Widespread and utilizing multiple techniques to deceive users, this represents the kind of advanced phishing attack that necessitates a modern email security program capable of finding and interdicting threats before, during, and after an incident,” said Kevin O’Brien, CEO and Co-Founder of GreatHorn.
The phishing pages attempt to steal corporate email credentials, and they also serve malicious JavaScript that attempts to deploy trojans and other malware on anyone who visits them, whether or not the visitor submits credentials.
The similarity across the campaigns leads the GreatHorn Threat Intelligence Team to believe that a single actor is behind them. The attackers also attempt to evade detection by spoofing well-known applications, including Microsoft Office, Zoom, Microsoft Teams, and more.
The URLs in the phishing emails vary. Some pass through redirects; others point directly at the phishing kit pages. The kit itself uses the same naming structure in nearly all cases, https://t.****/r/, where **** stands for the domain. The remainder of the URL path varies from message to message, a common tactic for defeating simple blocking rules that would otherwise keep these messages from reaching users.
When a redirect is in use, initial research indicates that the open redirect occurs on Apache servers. Known issues with mod_rewrite in Apache versions prior to 2.4.41 may be responsible for the redirectors’ creation, although this had not been confirmed as of this writing. The redirect matters for detection regardless of its cause: the first hop is a legitimate brand domain with good reputation, so controls that score only the visible link will let it through.
The phishing pages impersonate a Microsoft Office 365 login, using the Microsoft logo and asking users to enter their password, verify their account, or sign in. The campaign’s breadth, combined with its targeting, suggests a significant, coordinated effort by the attackers. The GreatHorn Threat Intelligence Team also identified attempts to deploy the Cryxos trojan against users of multiple browsers, including Chrome and Safari.
Currently identified domains redirecting to the phishing kit and fraudulent login pages include:
- sony-europe.com (Sony)
- lafourchette.com (TripAdvisor)
- rac.co.uk (RAC)
Static webpage services hosting the phishing kit include:
- digitaloceanspaces.com (DigitalOcean)
- firebasestorage.googleapis.com (Google)
GreatHorn recommends that security teams immediately search their organizational email for messages containing URLs that match the threat pattern (https://t.****/r/) and remove any matches. Because the path after /r/ varies per message, the search should key on the host prefix and the /r/ segment rather than on any single full URL.
With continued analysis, the GreatHorn Threat Intelligence Team has identified senior executives and finance personnel as targets within the campaign. Organizations that use role-based email security can place users in these roles on more restrictive policies to reduce the risk from these attacks.
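The following is an added example, not GreatHorn’s code, of the search this recommendation calls for. It extracts URLs from message bodies and flags the threat pattern (host beginning with t. and a path beginning with /r/, ignoring the varying remainder of the path), the redirector domains listed above, and the hosting services listed above. The host t.example-kit.test, the sample message bodies, and the three indicator labels are constructed for the example; the hosting-service hits are marked for review rather than removal, since those services also carry legitimate content.

```python
import re
from urllib.parse import urlsplit

# Indicator 1: the phishing-kit URL shape reported in the article, https://t.<domain>/r/...
# Only the "t." host prefix and the leading "/r/" path segment are stable; the rest of the
# path varies per message, so the search must not key on a full URL.
KIT_HOST_RE = re.compile(r"^t\.[a-z0-9-]+(?:\.[a-z0-9-]+)+$")

# Indicator 2: brand domains the article lists as open redirectors into the kit.
REDIRECT_DOMAINS = {"sony-europe.com", "lafourchette.com", "rac.co.uk"}

# Indicator 3: static hosting services the article lists as hosting kit pages.
# These also host legitimate content, so hits are for review, not automatic removal.
HOSTING_DOMAINS = {"digitaloceanspaces.com", "firebasestorage.googleapis.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _host_in(host, domains):
    """True if host equals one of domains or is a subdomain of one (no substring matches)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return an indicator label for url, or None if it matches no indicator."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # urlsplit lowercases the hostname and drops any port
    path = parts.path or ""
    # The article's pattern is https; scheme is ignored here so an http variant is caught too.
    if KIT_HOST_RE.match(host) and (path == "/r" or path.startswith("/r/")):
        return "phishing-kit-pattern"
    if _host_in(host, REDIRECT_DOMAINS):
        return "known-open-redirector"
    if _host_in(host, HOSTING_DOMAINS):
        return "known-kit-hosting"
    return None


def scan_message(body):
    """Extract URLs from one message body; return [(url, label)] for indicator hits."""
    hits = []
    for m in URL_RE.finditer(body):
        url = m.group(0).rstrip(".,;:)]")   # drop sentence punctuation glued to the URL
        label = classify_url(url)
        if label:
            hits.append((url, label))
    return hits


def scan_mailbox(messages):
    """Return {message_index: hits} for every message with at least one indicator hit."""
    results = {}
    for i, body in enumerate(messages):
        hits = scan_message(body)
        if hits:
            results[i] = hits
    return results


# Constructed sample bodies for a stand-alone run; not real campaign messages.
SAMPLE_MESSAGES = [
    "Your Office 365 password expires today. Verify your account: https://t.example-kit.test/r/8f3a2c/verify.",
    "Agenda for Thursday: https://www.example.test/meetings/q3-review",
    "Great offer for members, see https://www.rac.co.uk/offers/spring",
    "Review the shared file https://firebasestorage.googleapis.com/v0/b/example-bucket/o/login.html",
    "Short link: https://t.co/abc123",
]

if __name__ == "__main__":
    for idx, hits in scan_mailbox(SAMPLE_MESSAGES).items():
        for url, label in hits:
            print(f"message {idx}: {label}: {url}")
```

Messages flagged as phishing-kit-pattern or known-open-redirector are candidates for removal; known-kit-hosting hits need a human look, because a bucket on those services can be anyone’s. The host check requires at least two labels after t., so a shortener such as t.co is not matched by host alone, and its path would not begin with /r/ in any case.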