Originally discovered by the team at Heimdal Security, a new phishing campaign has been developed and used to deceive Office365 users and even users with just a Microsoft account. The phishing pages have been designed to look like the legitimate landing pages for Office365 and OneDrive. The scammers are using compromised accounts to pass off messages like “Here is the intelligence report we discussed…” or “Here is your invoice.” Typically, these emails are pertaining to an older conversation that the receiver was involved in but could create a sense of urgency due to the nature of the provided information. An attachment is included in the message that, if clicked on, will redirect to the real-looking OneDrive and Office365 pages. So far, there have been two domains that have been linked to the campaign. The first domain is “iradistribution[.]sofiatsola[.]com,” and its IP address is 220.127.116.11. It has not yet been recognized as malicious by VirusTotal. The site was originally created 15 years ago, with the most recent modifications being made around five months ago. The fact that the domains were registered for 15 years more likely indicates that the attackers took over an “aged” domain to avoid security controls that automatically block newly registered domains. The second domain is “markaldriedgehomes[.]com with IP addresses 18.104.22.168 and 22.214.171.124. The admin’s email address is [email protected].
Companies should consider running regular training sessions that involve simulated phishing campaigns targeting their employees. This will help them recognize what some of the campaigns look like and how they should respond to them. Even though a scanner may not have caught it in this case, a spam filter should be used as well, this will help detect viruses and mail from blank senders, which is when people receive emails that show the sender email is unavailable. Web filters are also a good suggestion because they will block employees from trying to visit malicious websites.