Phishing Campaign Uses Overlay Tactic for Employee Credential Theft

A recently discovered phishing campaign is relying on message quarantine emails for employee credential theft, through an overlay tactic that uses the homepage of the targeted company to disguise the malicious nature of the emails, according to new research from Cofense. 

Identified by the Cofense Phishing Defense Center, the campaign relies heavily upon message quarantine phishing: emails that imitate the technical support team of the targeted employer, by making the messages appear sent from the company’s email service. 

The messages will claim that several emails failed to properly process, which has blocked them from entering the inbox and will need to be reviewed by the employee in order to confirm the emails are valid. To evoke urgency, the messages will even state some were considered valid but are being held for deletion. 

The campaign relies on a social engineering technique designed to lure the employee into acting on the email, which asks the user to review the emails or else the held messages will be deleted after three days. 

"This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails,” researchers explained. “Potential loss of important documents or emails could make the employee more inclined to interact with this email.” 

A well-trained user may be able to spot the malicious nature of the email, as the researchers hovered over the “Review Messages Now” link sent to the employee and it shows the malicious link. 

However, if the user clicks the link, they will be directed to a phishing page that the hacker has tailored to match the targeted company. Researchers explained the threat actors have used advanced tactics to make these landing pages appear more legitimate. 

Specifically, the user is redirected to a login page from what appears to be their company’s website that, in actuality, is a fake login panel covering the site. The page is designed to put the employee at ease with interacting with the site. 

“It is also possible to interact with this page by moving outside of the overlay, showing that it is the actual page they have seen and used before,” researchers explained. “The overlay itself is attempting to prompt the user to sign in to access the company account. The entered credentials are then sent to the threat actor, giving them access to the target’s company account.” 

“Based on the analysis performed by the PDC, it was determined that each link, while still going to the same base domain, uses specific parameters to determine which web page pull, then overlays the fake login panel on top,” they added. “Depending on what company the threat actor is targeting, the link will populate the address of the original recipient of the email.” 

The researchers stress that this campaign demonstrates hackers are using all available means and resources in an effort to compromise business accounts. 

The campaign joins a host of other sophisticated phishing attacks detected in the wild in recent months, as the COVID-19 pandemic has caused a rise in enterprise mobile phishing attacks and “vishing” emails designed to take advantage of the remote workforce. 

What’s worse is that ransomware attacks delivered via phishing emails are also increasing in frequency. Hackers are using hidden text, or zero font, which allows phishing attacks to bypass email security, while two new business email compromise campaigns target executive email accounts and can even bypass multi-factor authentication. 

As phishing education and training has been proven to reduce cyber risk, healthcare entities should review spear-phishing insights from Microsoft or FBI phishing guidance for the healthcare sector. The Office for Civil Rights also released privacy and security threat resources to help providers bolster their security programs.