Chipotle Mexican Grill’s email marketing operations were recently breached, resulting in several phishing attacks successfully deployed against Chipotle customers from a trusted domain. The structure of the attack was similar to the recent Nobelium group attack, although no evidence links the perpetrators to Nobelium. Research group Inky reported that Chipotle’s email vendor Mailgun was initially breached, resulting in a full compromise of marketing emails sent to Chipotle customers. 121 phishing emails were sent from the compromised Mailgun account between July 13 and July 16, including two vishing attacks, 14 impersonations of USAA bank to collect financial data, and 105 emails attempting to spoof Microsoft sites in order to steal access credentials. Mailgun has not yet publicly commented.
Increasingly, supply chain and other third-party compromises result in attacks from trusted sources and domains. As email security has improved, attackers have increasingly employed sophisticated strategies to bypass perimeter security. These techniques are often deployed in a mass or brute-force fashion. In today’s threat environment, such techniques are no longer reserved for the largest or most valuable organizations: everyone is at risk. The majority of the phishing emails in this particular attack were attempts to steal Microsoft credentials, which would likely put any of the affected individuals’ employers further at risk. A layered defense-in-depth strategy that includes SOC monitoring and active threat hunting, such as Binary Defense’s Security Operations Task Force and Threat Hunting team, is the primary method to combat perimeter attacks from trusted domains and sources.