Researchers have discovered a new scam where attackers are imitating private equity firms to steal user’s Office 365 login credentials. The Private Equity (PE) firms that are being imitated are Crossplane Capital and Edgemont Partners. Multiple phishing email formats have been found that are being used to execute the scam. It was noted that the authors behind the scam use a combination of impersonation of actual employees and PE firms, and an attachment and a text line that is free of grammatical errors. In an effort to create a sense of urgency and authenticity, the email includes a link to a signed non-disclosure agreement (NDA) which contains an image-based link similar to those used for online file-sharing services. To make the email look authentic, the URL for the NDA used a recently registered domain that impersonates the domain of the real PE firms. The fake links redirect the victims to a scammer-controlled site. The scam site poses as Box, which is a content management and collaboration site that is commonly used to share documents. The scam site instructs users to enter their Office 365 credentials to download the document.
To safeguard themselves against this campaign, organizations should scan for indicators such as malicious links across all users. Implement email filtering measures to block malicious emails. Block web traffic associated with the spoof indicator and force a password change to users that have fallen victim to scams such as this.