Stolen SendGrid Accounts Used in Phishing Attacks

A phishing campaign targeting users of Outlook Web Access and Office 365 has harvested thousands of credentials. The operators sent their lures from compromised SendGrid accounts; because SendGrid is a widely trusted sending platform, mail from it is allowed through by most email threat-filtering services. The activity, tracked under the name "Compact," has been running since at least early 2020 and has likely collected more than 400,000 credentials across multiple campaigns. Using Zoom meeting invitations as the lure and an extensive list of target email addresses, the operators deliver their messages from hijacked accounts on SendGrid's cloud-based email delivery platform. Earlier waves relied on compromised SendGrid accounts; the operators have since moved to Mailgun, a developer-centric email service whose APIs allow sending, receiving, and tracking messages. WMC Global believes the switch was prompted by its collaboration with SendGrid to return compromised accounts to their legitimate owners.

According to the researchers, the Compact phishing kit's code carried distinct fingerprints that made it possible to monitor for and detect a new site as soon as it went live. They found a landing page impersonating Outlook Web App in December 2020 and another in January 2021 that posed as an Office 365 login page. Although the Compact operators appear technically capable, they left behind a misconfigured exfiltration script and an exposed web shell, which allowed the researchers to download multiple copies of the exfiltration code.

Analyst Notes

As with most phishing emails, the messages contain a link to a landing page that asks the user to enter their login credentials. If an email asks the user to visit a specific page, hovering the mouse over the link reveals the actual destination address. If that address is not on the legitimate company's domain (for Office 365 the sign-in page is on login.microsoftonline.com and webmail on outlook.office.com; for consumer Outlook.com it is outlook.live.com), the link should be treated as highly suspicious and not used. The user should instead open a browser, type in the legitimate address, and verify the request there. Note that messages sent through delivery platforms may wrap links in a click-tracking redirect, so the hovered address can show the platform's tracking host rather than the final destination; that is one more reason to navigate directly rather than click. It is also highly recommended to keep login credentials unique to each account and to use a password manager to generate random passwords that can't be guessed. Best practice is to implement Multi-Factor Authentication (MFA) so that accounts stay protected even when passwords are stolen.
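The "hover over the link" check above can also be automated in mail-gateway or triage tooling. The Python script below is an added example written for this note, not code from WMC Global or from the source article. It parses a constructed sample message modelled on the Zoom-invite lure, extracts every link in the HTML body, and flags a link whose real destination is not a known Microsoft sign-in host or whose visible text names a different host than the href points to. The allowlist of sign-in hosts and the sample domains (reserved .example names) are assumptions made for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts on which a Microsoft 365 / Outlook sign-in page legitimately lives.
# Assumption for this example: an organisation would extend this set with its
# own federated sign-in hosts before using it.
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com",
    "outlook.office.com", "outlook.office365.com", "outlook.live.com",
}

# Constructed sample message modelled on the Zoom-invite lure; the domains are
# reserved .example names, not real infrastructure.
SAMPLE_EMAIL = """\
From: "Zoom" <no-reply@zoom-notifications.example>
To: user@corp.example
Subject: Zoom meeting invitation
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have been invited to a Zoom meeting. Sign in to view the details.</p>
<p><a href="https://zoom-invite.example/owa/auth/logon.aspx">www.outlook.com</a></p>
<p>Or open your mailbox: <a href="https://outlook.office.com/mail/">outlook.office.com</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, None when outside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none (e.g. mailto:, javascript:)."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def host_from_text(text):
    """If the visible link text itself looks like a URL or bare domain, return its host."""
    if not text or " " in text or "." not in text:
        return ""
    return host_of(text if "://" in text else "https://" + text)


def extract_links(raw_message):
    """Return (href, text) pairs from the HTML body of an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def assess_links(raw_message):
    """Apply the hover check to every link: flag an unknown destination host,
    or visible text that names one host while the href goes to another."""
    findings = []
    for href, text in extract_links(raw_message):
        host = host_of(href)
        reasons = []
        if host not in LEGIT_LOGIN_HOSTS:
            reasons.append(f"destination host {host!r} is not a known Microsoft sign-in host")
        shown = host_from_text(text)
        if shown and shown != host:
            reasons.append(f"link text shows {shown!r} but the href goes to {host!r}")
        findings.append({"href": href, "text": text, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings
```

Running `assess_links(SAMPLE_EMAIL)` flags the first link twice (its host is not a sign-in host, and its text claims www.outlook.com while the href goes to zoom-invite.example) and passes the second. In production, resolve any click-tracking redirect before calling `host_of`, otherwise the tracking host, not the phishing page, is what gets judged.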

Source Article: https://www.bleepingcomputer.com/news/security/hacked-sendgrid-accounts-used-in-phishing-attacks-to-steal-logins/