Received a different type of phish today that I haven't seen in the past, so I thought I would share it. It is interestingly crafted, consists of two compromised accounts in two different organisations, and is especially relevant for sales people who receive bid requests. I received an unexpected bid request this morning (first warning sign). It was from a client I have had many dealings with before (the CEO there), so not a major red flag, inviting me to access the bid request details (again, I get many of these requests coming in):
Upon accessing the link, it took me to a OneDrive site for another user called Travis, and the address is RRLegal, not the client's expected OneDrive (alarm bells activate):
Using OneDrive and SharePoint has been a common TTP for threat actors for some time now. Accessing the link, you will notice it's actually calling an Outlook object:
This in turn took me to a well-crafted phishing website imitating M365 with the domain urbanentertainmentfo.com.de (hosted on Cloudflare). The background was made to look like a document to convince the victim to provide credentials to see the 'bid document' (nice touch):
Detonating it in app.any.run, once you enter creds it just states that your account details are invalid and pops you back to the same page, obviously harvesting the credentials.
These attacks using clone phishing tactics and compromised boxes are super common these days. As you can see, attackers now leverage multiple compromised accounts to deliver attacks (not just a single mailbox and OneDrive location), with the goal of moving you to another compromised account and location (in this case rrlegal) as soon as possible, to avoid raising suspicion in the first client's mailbox (the 'bid requestor').
Needless to say I have contacted both organisations to advise them of these emails. :)
IoCs
https://rrlegal7737-my.sharepoint.com/
https://urbanentertainmentfo.com.de
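Two of the signals in this story can be checked mechanically before anyone clicks: the link matches a known IoC, or it points at a SharePoint/OneDrive tenant that does not belong to the organisation that sent the email (the CEO's mailbox sending an rrlegal link). The script below is an added example, not from the original post; it seeds its IoC list with the two hosts above, uses constructed sample emails, and the tenant-to-sender matching is a simple heuristic (the tenant slug should contain the sender domain's first label) that an analyst would tune for their own partners.

```python
import re
from urllib.parse import urlparse

# IoC hosts taken from the post; any other entries would be the defender's own additions.
KNOWN_BAD_HOSTS = {
    "rrlegal7737-my.sharepoint.com",
    "urbanentertainmentfo.com.de",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Matches <tenant>.sharepoint.com and <tenant>-my.sharepoint.com (OneDrive for Business).
SHAREPOINT_RE = re.compile(r"^([a-z0-9-]+?)(?:-my)?\.sharepoint\.com$")


def sharepoint_tenant(host):
    """Return the tenant slug for a *.sharepoint.com host, or None for other hosts."""
    m = SHAREPOINT_RE.match(host)
    return m.group(1) if m else None


def org_slug(sender_domain):
    """Heuristic (assumption): the first label of the sender domain names the org."""
    return sender_domain.split(".")[0]


def assess_email(sender, body):
    """Return a list of (finding, host) tuples for every URL found in the body.

    Findings:
      known_ioc       - host is on the IoC list
      tenant_mismatch - SharePoint tenant slug does not contain the sender's org slug
    """
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    org = org_slug(sender_domain)
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not host:
            continue
        host = host.lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_ioc", host))
        tenant = sharepoint_tenant(host)
        if tenant is not None and org not in tenant:
            findings.append(("tenant_mismatch", host))
    return findings


# Constructed sample messages: a benign share from the client's own tenant,
# and the chained lure from the post (client mailbox, rrlegal OneDrive).
SAMPLES = [
    ("ceo@clientco.example",
     "Please review the bid documents at https://clientco-my.sharepoint.com/bids"),
    ("ceo@clientco.example",
     "Bid request details here: https://rrlegal7737-my.sharepoint.com/bid-request"),
    ("travis@rrlegal.example",
     "Sign in to view the document https://urbanentertainmentfo.com.de/login"),
]


def triage(samples=SAMPLES):
    """Assess each sample and return the findings keyed by sender."""
    return {sender: assess_email(sender, body) for sender, body in samples}


if __name__ == "__main__":
    for sender, findings in triage().items():
        print(sender, "->", findings or "no findings")
```

A real deployment would pull the IoC list from the organisation's blocklist and the tenant-to-partner mapping from a maintained table of known supplier tenants rather than the first-label heuristic; the value of the check is that the second message is flagged even if the rrlegal host were not yet on any list.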
Mitigation Techniques:
Employee Awareness and Regular Phishing Exercises (obviously)
Foster a culture of Information Sharing and sharing of near misses (this would be a good example!)
Educate your users on using services like app.any.run to detonate suspect links and files (not sensitive company files though)
Email filtering (it won't typically stop well-crafted ones like these, but it does play a part here)
Internal policies and procedures to perform verification of requests
All of these and more are obviously discussed in my new book out soon! :)