Attacker used a legitimate — but likely deprecated — domain to sneak malicious emails past security filters, vendor says.


Some 75,000 email inboxes have been impacted so far in what appears to be an email phishing campaign motivated by credential harvesting.

Security researchers from Armorblox this week reported observing the attack on customer systems across Office 365, Microsoft Exchange, and Google Workspace environments. Many of the attacks involved the threat actors targeting small groups of employees from different departments within an organization in an apparent attempt to keep a low profile. Individuals targeted in the campaign include the CFO of a company, a senior vice president of finance and operations at a wellness company, a director of operations, and a professor.

Abhishek Iyer, director of product marketing at Armorblox, says there's little evidence the attackers are going after any specific industry. But so far, the attacks have affected Armorblox customers across multiple verticals, including energy, local government, higher education, software, and electrical construction.

Iyer says the attacks on individuals within organizations appear targeted. The victims represent a good mix of senior leadership and regular employees from across the enterprise. 

"These employees are unlikely to communicate often with each other when they receive an email that looks suspicious," Iyer says. "This increases the likelihood of someone falling prey to the attack."

Phishing remains one of the most commonly used tactics for gaining an initial foothold on a target network. Though it is perhaps the best understood of all initial attack vectors, organizations have had a hard time addressing the threat because individual users remain susceptible to well-crafted phishing emails.

In many instances, attackers have also become far more sophisticated in crafting phishing lures and have increasingly begun combining email phishing with SMS-based phishing (smishing) and voice or phone-based phishing (vishing). According to the Anti-Phishing Working Group (APWG), phishing activity doubled in 2020 and has remained at a steady but high level through the first half of this year. APWG says it observed 222,127 phishing attacks in June 2021 alone, making it the third-worst month in the organization's reporting history. Financial institutions and social media were the most frequently targeted sectors during the last quarter.

The attack that Armorblox reported this week involved a lure that spoofed an encrypted-message notification from email encryption and security vendor Zix. The notification, while not identical to a legitimate Zix notification, bore enough resemblance to the original to lead recipients into believing they had received a valid email. The domain from which the threat actors sent the malicious email belonged to a religious organization established in 1994 and appears to be an older, likely deprecated, version of the organization's current domain.

Legitimate Domain
"If we were to pinpoint any one reason for the email slipping past existing security controls, it would be using a legitimate domain to send the email," Iyer notes. "This allowed the email to bypass all authentication checks." The practical consequence is that SPF, DKIM, and DMARC, which verify only that a sender is authorized to use a given domain, had nothing to object to: the mail really did come from infrastructure the domain's records authorized, and none of those checks ask whether that domain has any relationship to the brand the message imitates. The rest of the campaign — like most phishing scams — relied on brand impersonation and social engineering to trick users into clicking on the spoofed Zix notification.

In the attacks that Armorblox observed, the threat actor appears to have deliberately avoided targeting multiple employees from within a single department. Instead, they appear to have chosen their victims from across multiple departments to increase their odds of someone falling for the malicious email.

"The targets are isolated enough — either by department or hierarchy — to not discuss the suspicious email with one another," Iyer says. Like most phishing attacks, there's little that's new in the tactics the threat actor is using. "The interesting thing about successful email attacks is that they rarely use never-before-seen TTPs to do damage," he says.

From a security controls perspective, he adds, it's important for organizations to bolster native email security controls with capabilities for spotting behavior, language, communication, and other patterns that can better help identify a phishing attempt.
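The gap Iyer describes is that SPF, DKIM, and DMARC confirm the sender was authorized to use the sending domain and nothing more; they do not ask whether that domain belongs to the brand the message claims to come from. The following Python script is an added illustration of the kind of content-aware check he recommends; it is not code from Armorblox or from the original article. It parses a raw message, reads the Authentication-Results header that the receiving mail server adds, and alerts when an authenticated message names a brand (Zix here) whose known sending domains do not cover the From: domain. The sample messages, the domains (old-parish.example, zix-legit.example, victim.example) and the brand-to-domain map are constructed placeholders, not real data.

```python
"""Brand-impersonation check for messages that pass SPF/DKIM/DMARC.

Authentication results only prove the sender was authorised to use the
*sending* domain. They say nothing about whether that domain belongs to the
brand the message imitates. This checker reads the Authentication-Results
header added by the receiving MTA, extracts the From: domain, and alerts when
an authenticated message names a brand whose known sending domains do not
cover the From: domain.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Brand -> domains that legitimately send on its behalf. The values are
# placeholders (assumption); fill them from the vendor's published list.
BRAND_DOMAINS = {
    "zix": {"zix-legit.example"},
    "docusign": {"docusign-legit.example"},
}

# Wording that typically accompanies an "encrypted message" lure.
LURE_PHRASES = (
    "secure message", "encrypted message", "message is waiting",
    "view message", "click here",
)

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def auth_results(msg):
    """Map of spf/dkim/dmarc -> result parsed from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def from_domain(msg):
    """Domain part of the RFC 5322 From: address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def domain_covered(sender, allowed):
    """True if sender equals an allowed domain or is a subdomain of one."""
    return any(sender == d or sender.endswith("." + d) for d in allowed)


def visible_text(msg):
    """Display name, subject and body: what the recipient actually reads."""
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    return " ".join([msg.get("From", ""), msg.get("Subject", ""), body_text]).lower()


def analyze(raw):
    """Return a verdict dict for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    sender = from_domain(msg)
    text = visible_text(msg)
    named = [b for b in BRAND_DOMAINS if b in text]
    impersonated = [b for b in named if not domain_covered(sender, BRAND_DOMAINS[b])]
    lures = [p for p in LURE_PHRASES if p in text]
    return {
        "sender_domain": sender,
        "authenticated": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "impersonated_brands": impersonated,
        "lure_phrases": lures,
        # Alert on brand mismatch regardless of authentication: passing
        # SPF/DKIM/DMARC from an unrelated domain is exactly the gap exploited.
        "alert": bool(impersonated),
    }


# Constructed sample, not a real message: an authenticated notification from an
# unrelated, neglected domain that imitates a Zix secure-message notice.
PHISH = """\
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=old-parish.example; dkim=pass header.d=old-parish.example; dmarc=pass header.from=old-parish.example
From: "Zix Secure Message Center" <notify@old-parish.example>
To: cfo@victim.example
Subject: You have received a secure message
Content-Type: text/plain; charset=utf-8

A secure message is waiting for you. Click here to view it.
"""

# Constructed sample: the same wording from a domain on the brand's allowlist.
LEGIT = """\
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=zix-legit.example; dkim=pass header.d=zix-legit.example; dmarc=pass header.from=zix-legit.example
From: "Zix Secure Message Center" <notify@secure.zix-legit.example>
To: cfo@victim.example
Subject: You have received a secure message
Content-Type: text/plain; charset=utf-8

A secure message is waiting for you. Click here to view it.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

Run as-is, the script flags the first message (authenticated, yet impersonating Zix from old-parish.example) and clears the second. Two operational notes: only trust an Authentication-Results header stamped by your own mail server's authserv-id, since an attacker can prepend a fake one upstream, and populate BRAND_DOMAINS from each vendor's published sending domains rather than the placeholders used here.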

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
