Here are some key findings:<\/strong> <\/p>\n\n\n\n Now, let’s examine the campaign in detail, starting with the attack chain. <\/p>\n\n\n\n The attack involved four main stages: <\/p>\n\n\n\n We will explore each step of the attack and the methods used. <\/p>\n\n\n\n On May 27, 2024, while checking the inbox as part of their regular routine, one of our employees came across an email from an existing client. The message appeared as follows: <\/p>\n\n\n In this email, the attacker posing as our client asks our employee to listen to a voice message, whose transcript is unavailable. The link to the recording is provided at the top of the email. <\/p>\n\n\n\n From a phishing perspective, the email is expertly crafted to establish trust through several elements:<\/strong> <\/p>\n\n\n\n The email appears to be carefully designed, but there are two suspicious things to note:<\/strong> <\/p>\n\n\n\n After considering all the aspects of the email, our colleague made the right decision \u2013 to upload the email to the sandbox and proceed with further actions in an isolated and secure environment. <\/p>\n\n\n\n Upon uploading the email to the sandbox and following the link, our colleague landed on a Microsoft login page. At this point, things became less straightforward than they were in the email. <\/p>\n\n\n The key factors that made it appear trustworthy for the employee included:<\/strong> <\/p>\n\n\n\n On top of that, since the employee was attempting to access the audio message from an external location rather than their own computer, where they were already logged in to Microsoft services, it seemed natural to go through the login process again. <\/p>\n\n\n\n NOTE: Real credentials should never be used in a malware sandbox or any similar setting. <\/strong> <\/p>\n\n\n\n Yet, the first significant mistake was made here \u2013 not enough attention was paid to the URL in the browser’s address bar. Despite appearing “legitimate,” it has no connection to the email sender, Microsoft services, or our company\u2019s infrastructure. <\/p>\n\n\n\n Upon closer examination, if we navigate to the domain’s main page, we find a WordPress site created using a template: <\/p>\n\n\n With the help of WayBack Machine<\/a>, a digital archive of websites, we can see that the website has been updated only once, which should prompt vigilance:\u00a0<\/p>\n\n\n Plus, the site’s blog contains articles<\/a> about code debugging techniques that are unrelated to the site’s primary theme \u2013 clothing production: <\/p>\n\n\n\n It’s worth noting that the site’s color scheme resembles the client’s web page design. <\/p>\n\n\n\n Interestingly, a search on Google brought up a post<\/a> by the website creator: <\/p>\n\n\n Although we cannot definitively say at this moment whether this website was purposefully created for phishing or compromised, the likelihood of the former is high. <\/p>\n\n\n\n From here, everything proceeded as in a typical service authentication process. The employee entered their login and password, making the second mistake \u2013 completing the two-factor authentication by entering the secret code from the authenticator app: <\/p>\n\n\n Here, it’s essential to note that two-factor authentication did not protect against this proxy-style phishing attack.<\/strong> All entered data was sent to the attacker’s server, where the actual authentication took place, rather than in the secure sandbox environment. <\/p>\n\n\n\n After completing the authentication, the employee was redirected to the Outlook website with a message stating “something went wrong.” Thinking that something indeed went wrong (remember, the audio transcript was unavailable \u2013 confirming that something was actually broken), the employee decided to leave it be. <\/p>\n\n\n The employee emailed the client, stating that they were unable to listen to the audio and requested that the voice message be resent in text form. <\/p>\n\n\n\n On June 18, 2024, emails were sent from the compromised employee\u2019s account to both staff members and clients on their contact list: <\/p>\n\n\n As shown in the screenshot above, the outgoing email\u2019s quality is significantly inferior to the initial one. <\/p>\n\n\n\n Several details stand out, pointing to the phishing nature of the email:<\/strong> <\/p>\n\n\n\n The link provided in the email leads to the Dropbox file-sharing service, which also should raise suspicion. <\/p>\n\n\n\n As is often the case, publicly accessible file and note-sharing services are frequently exploited for criminal purposes by malicious actors. <\/p>\n\n\n\n\n
\n
\n
\n
Attack Chain <\/h2>\n\n\n\n
\n
\n
\n
\n
Incoming Phishing Email from a Client <\/h3>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/1-1024x958.jpg\")
<\/figure><\/div>\n\n\n\n
\n
\n
\n
\n
\n
\n
\n
Phishing Website <\/h2>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/2-1-1024x576.png\")
<\/figure><\/div>\n\n\n\n
\n
\n
URL Inconsistency <\/h3>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/3-1-1024x581.png\")
<\/figure><\/div>\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/image4-4-1024x117.png\")
<\/figure><\/div>\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/5-1-1024x576.png\")
<\/figure>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/6-2.png\")
<\/figure><\/div>\n\n\n2FA Completion <\/h3>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/enter1.png\")
<\/figure><\/div>\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/8-2-1024x577.png\")
<\/figure><\/div>\n\n\nOutgoing Phishing Emails <\/h2>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/9.jpg\")
<\/figure><\/div>\n\n\n\n
\n
\n
\n
\n
Note-Taking Dropbox Paper App <\/h3>\n\n\n\n
![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/10-1-1024x488.png\")
<\/figure><\/div>\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/11-1-1-1024x518.png\")
<\/figure>\n\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/12-1-1024x477.png\")
<\/figure><\/div>\n\n\n![\"\"](\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/06\/13-1024x306.png\")
<\/figure>\n\n\n\n