Check Point Email Security | Blog

ATP Miss of the Week: 2/4/21

Written by Jeremy Fuchs | February 4, 2021

Today’s ATP Miss of the Week is yet another credential harvesting attack that flew by Microsoft’s security. We have seen this exact attack over 900 times in 20 different clients who are all using ATP. 

It works like this:

The subject line reads: HP Scanned 'RNP1C184F107W63'

The attack obfuscates its “From” address by posing as a standard fax machine, but the email is actually coming from a domain registered in Latvia.

The “Read Fax” button is a link that directs the victim to a domain registered in China. That link eventually redirects the victim to a malicious website that resembles a Microsoft login portal.