The majority of all phishing attacks are of the credential harvesting variety.
Credential harvesting works by hackers trying to find a way to get a victim to divulge personal information. This can be email accounts, bank accounts, Social Security numbers or credit card information.
Oftentimes, attackers will impersonate a trusted brand or person. That trust gives end-users implicit permission to hand over their credentials to a spoofed login page.
In 2019, according to Avanan research, credential harvesting attacks made up 40.9% of all phishing. In 2021, that number reached 54%.
Starting in November 2021, Avanan observed a new credential harvesting attack that spoofs a message from Microsoft claiming that some emails have been blocked. In this attack brief, Avanan will analyze the company’s most recent discovery of a new credential harvesting attack.
Attack
In this attack, hackers use social engineering and impersonation to bypass email scanners and induce the end-user to hand over credentials. They present a spoofed page that looks like it comes from Microsoft, using spoofed Microsoft and Office 365 logos to fool the user.
Email Example #1
In this email, hackers present what looks like a message from Microsoft, telling the end-user that some messages have been blocked. With just a quick click, those messages can be unlocked:
This email purports to be a notification helping to unlock messages.
Clicking the link leads to this page, which now returns a 404 error:
Techniques
In this email attack, hackers have used impersonation to fool scanners and end-users.
In particular, they have spoofed Microsoft. According to Check Point Research, Microsoft is the most spoofed brand in the world, related to 29% of all phishing attacks globally.
Additionally, the URL spoofs SendGrid, an Email Delivery Service (EDS). Companies rely on these providers to deliver business emails, such as sales and marketing notes, to their audiences. Since marketing and sales emails often get caught by filters, EDS solutions lend the credibility needed to reach the inbox.
That credibility can come in the form of an established domain history, valid SPF/DKIM checks and more. We've seen attacks take advantage of that credibility, such as in the PhishGun attack.
In this case, that credibility is lacking: our analysis found a failed SPF check, missing DMARC, and an insignificant historical reputation.
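The signals listed above (SPF result, DKIM result, whether a DMARC verdict was recorded at all, and whether the visible From domain lines up with the envelope sender and the brand named in the display name) are all readable from a message's headers. The following is an added example, not Avanan's tooling or anything from the brief: it parses the Authentication-Results header of a constructed sample message with Python's standard library and returns the reasons a mail gateway would hold it for review. The sample message, the placeholder domains in it, and the small brand-to-domain allowlist are all assumptions made for the example.

```python
"""Flag inbound mail whose authentication story matches the pattern in the brief:
failed SPF, no DMARC verdict, and a brand-named sender whose domains do not line up.
Added example code; the sample message and allowlist below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample: a "messages blocked" notice claiming to be Microsoft,
# relayed via an unrelated mailer. All domains and IPs are placeholders, not IoCs.
SAMPLE_EMAIL = """\
From: "Microsoft 365" <no-reply@example-brand-lookalike.test>
To: user@victim.example
Subject: 4 messages blocked
Authentication-Results: mx.victim.example;
 spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=bounce@bounce.mailer.example;
 dkim=none header.d=none

Some of your messages were blocked. Click to release them.
"""

# Constructed clean counterpart: every check passes and domains agree.
CLEAN_EMAIL = """\
From: "Microsoft" <notifications@microsoft.com>
To: user@victim.example
Subject: Your weekly summary
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=notifications@microsoft.com;
 dkim=pass header.d=microsoft.com;
 dmarc=pass header.from=microsoft.com

Summary attached.
"""

# Assumed allowlist a defender would maintain: brand keyword -> domains it really mails from.
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "office.com")}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([\w.@-]+)")


def parse_auth_results(raw_message: str) -> Dict[str, str]:
    """Collect spf/dkim/dmarc results from every Authentication-Results header.
    A method that never appears is reported as 'missing' (the brief's 'missing DMARC')."""
    msg = message_from_string(raw_message)
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            results[method] = result.lower()
    return results


def mailfrom_domain(raw_message: str) -> Optional[str]:
    """Envelope sender domain as recorded by the receiving MTA."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        m = MAILFROM_RE.search(header)
        if m:
            return m.group(1).rsplit("@", 1)[-1].lower()
    return None


def header_from(raw_message: str):
    """(display name, domain) from the visible From header."""
    name, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def org_domain(domain: str) -> str:
    """Crude organizational-domain approximation (last two labels); a real
    deployment would use the public suffix list instead."""
    return ".".join(domain.split(".")[-2:])


def assess(raw_message: str) -> List[str]:
    """Return the reasons to hold this message; an empty list means the
    authentication results and sender identities are consistent."""
    auth = parse_auth_results(raw_message)
    reasons = []
    if auth["spf"] in ("fail", "softfail", "permerror", "temperror"):
        reasons.append(f"spf={auth['spf']}")
    if auth["dkim"] != "pass":
        reasons.append(f"dkim={auth['dkim']}")
    if auth["dmarc"] == "missing":
        reasons.append("no dmarc result recorded")
    elif auth["dmarc"] != "pass":
        reasons.append(f"dmarc={auth['dmarc']}")
    display_name, from_dom = header_from(raw_message)
    env_dom = mailfrom_domain(raw_message)
    if from_dom and env_dom and org_domain(from_dom) != org_domain(env_dom):
        reasons.append(f"From domain {from_dom} != envelope domain {env_dom}")
    # Brand impersonation: display name names a brand, but the domain is not one it mails from.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and from_dom and not from_dom.endswith(domains):
            reasons.append(f"display name claims {brand} but domain is {from_dom}")
    return reasons


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, assess(sample))
```

The reputation signal the brief also mentions is deliberately left out: it needs an external lookup and cannot be decided from the message alone, so a gateway would add it as a separate, data-backed score rather than a header rule.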
Best Practices: Guidance and Recommendations
In order to guard against these attacks, security professionals can do the following: