A phishing campaign that targets users of Outlook Web Access and Office 365 has collected thousands of credentials. The attackers behind it used hacked SendGrid accounts to send emails that bypass spam filters, because SendGrid is a trusted source that most email threat-filtering services allow through. The actor behind this activity, named "Compact," has been operating since at least early 2020 and has likely collected more than 400,000 credentials across multiple campaigns.

Using Zoom invites as a lure and an extensive list of email addresses, the campaign operators deliver messages from hacked accounts on the SendGrid cloud-based email delivery platform. Early operations used compromised SendGrid accounts to deliver the phishing email; the operators have since moved to Mailgun, a developer-centric email service whose APIs allow sending, receiving, and tracking messages. WMC Global believes the switch to a different service was prompted by its collaboration with SendGrid to restore compromised accounts to their legitimate owners.

According to the researchers, the Compact phishing websites carried distinct fingerprints in their code that allowed new sites to be monitored and detected as soon as they went live. They found a landing site impersonating Outlook Web App in December 2020 and another in January 2021 that posed as an Office 365 login page. While the Compact operators appear to be technically knowledgeable, they blundered by leaving a misconfigured exfiltration script in place and exposing a web shell, which allowed the researchers to download multiple copies of the exfiltration code.
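The defensive takeaway is that a trusted bulk-mail relay alone should not clear a message; a Zoom-themed lure arriving through SendGrid or Mailgun from a sender domain that is not Zoom's is the combination worth flagging. The following triage rule is an added example, not code from the article or from WMC Global; the relay domains, lure keywords, brand domain and sample messages are all assumed or constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Added example, not code from the article or from WMC Global. The relay
# domains, lure words and brand domain below are assumptions for the demo.
TRUSTED_RELAYS = ("sendgrid.net", "mailgun.org")
LURE_WORDS = ("zoom", "meeting invitation")
ZOOM_DOMAIN = "zoom.us"

def addr_domain(header_value):
    """Lower-cased domain of the first address found in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def in_domain(host, suffix):
    """True if host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def triage(raw):
    """Return the reasons a raw message matches the relay-plus-lure pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    relay = addr_domain(msg.get("Return-Path"))      # envelope sender's domain
    sender = addr_domain(msg.get("From"))            # visible From domain
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    reasons = []
    if any(in_domain(relay, r) for r in TRUSTED_RELAYS):
        reasons.append("relayed through bulk-mail service " + relay)
    if any(w in text for w in LURE_WORDS) and not in_domain(sender, ZOOM_DOMAIN):
        reasons.append("Zoom lure but From domain is " + sender)
    return reasons

# Constructed sample messages (headers only, not real captures).
PHISH = """\
Return-Path: <bounces+1234@em.sendgrid.net>
From: Zoom <no-reply@example-invites.test>
Subject: Zoom meeting invitation - review attached

"""
NEWSLETTER = """\
Return-Path: <bounces+5678@em.sendgrid.net>
From: Weekly Digest <news@example-shop.test>
Subject: This week's offers

"""
LEGIT = """\
Return-Path: <no-reply@zoom.us>
From: Zoom <no-reply@zoom.us>
Subject: Zoom meeting invitation

"""
```

Only the constructed phish trips both checks; the newsletter is merely relayed and the genuine Zoom mail trips neither, which is the distinction a filter that whitelists the relay outright cannot make.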
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is