In a Twitter thread, Microsoft provided insight into an ongoing spam campaign that takes advantage of compromised email marketing services such as SendGrid and Amazon SES. Because these services are legitimate, Secure Email Gateways (SEGs) won’t flag the sender’s content: on the surface, the mail comes from a genuine email marketing service. The campaign is also concerning because it takes advantage of the many people who are working from home by using video conference invite lures. It is estimated that approximately 400,000 credentials have been collected using these techniques in tandem.
Analyst Notes
Protecting an organization against a threat such as this relies primarily on a couple of critical items. The first item is content filtering for all emails or external senders. In this case, the lures focus on video conferencing, which should rarely ever come via a marketing service. In the same vein, the second item is user knowledge. Giving users the ability to distinguish things like format, content, spelling, unusual domains in links, and senders allows them to help catch and report phishing emails sent to an organization.
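The content-filtering point above, as an added example (not code from Microsoft or from the article's author): a Python triage function that quarantines a message only when it both arrived through one of the named marketing services and carries a video-conferencing lure. The domain list, the lure keywords and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: sending domains of the two services the article names.
ESP_DOMAINS = ("sendgrid.net", "amazonses.com")
# Assumption: lure vocabulary; tune to the conferencing tools you use.
LURE = re.compile(r"\b(zoom|teams|webex|video\s*conferenc\w*|meeting\s+invit\w*)\b", re.I)

def esp_domains_seen(msg):
    """ESP domains found in Return-Path, Received or DKIM d= values."""
    values = [msg.get("Return-Path", "")] + msg.get_all("Received", [])
    values += re.findall(r"\bd=([\w.-]+)", " ".join(msg.get_all("DKIM-Signature", [])))
    found = set()
    for value in values:
        for host in re.findall(r"[\w-]+(?:\.[\w-]+)+", value.lower()):
            found.update(d for d in ESP_DOMAINS if host == d or host.endswith("." + d))
    return found

def text_of(msg):
    """Subject plus every text/plain part, decoded."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage(raw_message):
    """Return (verdict, esp_domains, lure_term); quarantine only if both signals hit."""
    msg = message_from_string(raw_message)
    esp = sorted(esp_domains_seen(msg))
    hit = LURE.search(text_of(msg))
    term = hit.group(0).lower() if hit else None
    return ("quarantine" if esp and term else "deliver", esp, term)

# Constructed sample messages (not taken from the campaign).
SAMPLE_LURE = ("Return-Path: <bounces+1@em1.sendgrid.net>\n"
               "Subject: Zoom meeting invitation\n\n"
               "Review the invitation to join.\n")
SAMPLE_NEWSLETTER = ("Return-Path: <0100abc@amazonses.com>\n"
                     "Subject: Monthly product newsletter\n\n"
                     "Here is this month's product update.\n")
SAMPLE_DIRECT = ("Return-Path: <invites@mail.example.com>\n"
                 "Subject: Zoom meeting invitation\n\n"
                 "Review the invitation to join.\n")
```

Legitimate customers of these services send through the same infrastructure, so the verdict suits quarantine-and-review rather than silent deletion.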
Reference:
https://www.wmcglobal.com/blog/the-compact-campaign
Microsoft Defender for Office 365 detects this phishing campaign. Because this campaign uses compromised email marketing accounts, we strongly recommend orgs to review mail flow rules for broad exceptions that may be letting phishing emails through. https://t.co/Eq9lillfGU
— Microsoft Threat Intelligence (@MsftSecIntel) March 22, 2021
https://www.bleepingcomputer.com/news/security/microsoft-warns-of-phishing-attacks-bypassing-email-gateways/