We have heard it many times that Email Phishing and Social Engineering are the hardest threat vectors to remediate. Or should I say, there is no perfect solution against them since they target end users and their security awareness. Not even the cybersecurity training firm giant, SANS, is exempted to falling victim to a phishing email. You can find the story regarding SANS data breach here. Proofpoint, a leading cybersecurity company posted the info-graphic below on their website:
I want to divert from my usual tryhackme or hackthebox posts this time and share with you a phishing email that got past the Secure Email Gateway protection we have in place.
Below is an email that was reported to SOC as a potentially malicious email, and there are four signs of phishing in this email.
1 – The subject is tricking the receiver that the email is a matter of urgency by using the word invoice.
2 – An unusual attachment was included.
3 – The message is demanding for urgent action, thus the “See attached”.
4 – The scammer forgot to include at least a name for his signature, and a punctuation mark is missing.
But, there are a couple of tricky information included that will make the recipient think about the legitimacy of the email:
1 – The sender’s Display Name and email address seem legit. I did a research online to check for a company called mysolutionsteam.com:
2 – Researched the phone number that was included in the email, and it is a real phone number of the company. This shows that the scammer did some research of the company that it was trying to impersonate:
- And finally, did a simple OSINT by checking LinkedIn, and sure enough there is a person by the name of Tracy Converse who is located in Brandon, MS, which happened to be the address of the corporate office of the impersonated company:
Upon checking the email header, you would really think that the email came from Tracy:
Normally, I see at least the Return-Path to be different from the X-Sender and From values, so when the victim replies, then the email goes to the scammer.
Looking deeper in the email, I saw that the attachment contains two links, they are:
If the person who received this email didn’t pay much attention to the links, and if his eyes were tricked by the hostnames or domain names of “azurewebsites” and “sharepoint” and clicked on the links. Both links get redirected to the malicious subdomains of “rtigfocvxppzdsgf” and “heritageprocsp-my”. Below is the spoofed site that steals the victim’s credentials.
And, below is a legitimately-looking office 365 portal:
Two more differences between the spoofed site compared to the legitimate office365 site are:
- When we do Inspect Element of the spoofed site, this is what you see:
Now, compare it to the legit office365 landing page:
From the two screenshots above, we can tell which one is professionally done. I am not saying that a scammer cannot make it look professional, but most scammers, will not spend a lot of time fixing these type of information that regular email users don’t check when they get redirected to a website. Well, not unless it is an APT 😉
2. Looking at the View Page Source the difference between the two stands out
Now, let’s look deeper in the email’s header for signs of a potentially malicious email:
- SPF and DKIM failed:
2. The email claims to be from the US, but the originating IP of the email was from South Africa:
The question now is, how does someone who is in South Africa impersonates an employee of a US-based company? Information nowadays, are easy to find online. Just a little Googling, you can find a person’s name, email and company they are working for. Then use a fake email generator to spoof an email. Below I will show you a spoofed email coming from the same person Tracy Converse with email address of TConverse@mysolutionsteam.com and I will send a message to a test email of mine:
- Research online for some fake email generator such as deadfake. Then enter a fake person’s name and email address. Below is what I set as a fake email:
2. Here’s what I received in my test inbox:
You can see from the photos above that I received the test email with the same information as the phishing email that was reported to our SOC.
I hope you enjoyed this, and have learned something new.
From now on, I will start adding more real-life phishing attempts to my blog. It’s another way of contributing to the community with real SEG-misses that might be lurking in your environment, and hopefully it is not too late to pull those malicious email out of your users’ inboxes.
Please don’t forget to subscribe to my blog to get updates when a new post is available.