The email also claims to have been scanned by Symantec email security, according to security provider Armorblox.
Spammers and scammers typically try to obfuscate and legitimize their malicious content in an effort to better trick people. That’s especially true with phishing emails that attempt to hide the source of their deceptive landing pages and spoof or reference a well-known company or brand. A new phishing attack analyzed by Armorblox takes advantage of Symantec to trick users into falling for the scam. In a blog post published Thursday titled “Credential Theft Using Symantec URL Rewriting,” Armorblox describes how this campaign operates.
Sent to an employee who works with real estate, the phishing email contained a link to a PDF that purportedly included bid details for an upcoming building project. Clicking on the link redirects the recipient through several pages, ending with one asking for login details. Designed to resemble Microsoft OneDrive and Adobe pages, the login page asks recipients to enter their account credentials, which are then captured by the attacker.
Beyond the use of Symantec, the attacker created a new domain for the final phishing site, allowing it to get through Microsoft’s Exchange Online Protection filters. As the login pages look like legitimate Microsoft and Adobe pages, users might enter their credentials for either type of account.
Finally, the email was targeted in the sense that it contained details about a real estate bid and was sent to an employee who works with real estate projects. If the recipient was expecting such a bid, that person could easily try to download the attached PDF file, thereby giving the attacker access to sensitive account credentials.
Users must always think twice before clicking on a link or file attachment, even if the email seems legitimate and expected. But the right security protection is also essential for safeguarding organizations from these types of attacks.
“Traditional Secure Email Gateways (SEGs) and other threat-feed based detection solutions by definition miss zero-day attacks because they may not show up in threat feeds for several hours until someone reports it as a bad URL,” Armorblox co-founder and head of engineering Arjun Sambamoorthy said. “Organizations need to look for modern email security solutions that go beyond links and look at the emails in their entirety. The ability to traverse a link down through all the redirections to the final destination and programmatically compare that with known login pages of products like Office 365 is vital to detect if login pages are being spoofed.”