Multi-Stage Credential Phishing Attack Uses Office365-themed PDF Attachment and Legitimate Adobe Hosting Infrastructure

In this attack, the body of the initial email didn’t contain any text; however, based on the email subject, the supposed purpose was to share an invoice that needed to be paid. Attached to the email was a PDF document with the name “SecureDocATT.pdf” The sending email address of the message was set to match the recipient’s address and the sender’s display name contained the domain name of the recipient’s company. The email subject was personalized to include the recipient’s email username.

Had the recipient opened the PDF attachment, they would have seen an Office365-branded page, indicating the document sent via SharePoint. The instructions indicate the recipient should click on a button labeled “Access Document” to view the document.

Clicking the link, the recipient would have been directed to a webpage hosted on legitimate Adobe infrastructure. This page indicated the recipient has one new payment invoice to review and the invoice could only be “accessed after verifying the Receiver Email Ownership.”

The link labeled “Download Document” on the previous page would have taken the recipient to the last stage of the attack, which mimicked a legitimate Microsoft login page. If the recipient had entered their email address, they would have then been asked to enter their password to “verify their identity.”

The link included in the initial PDF document was hosted on legitimate Adobe infrastructure to add legitimacy, given that the service is used for normal business purposes and thus, security tools cannot add the domain to a global blocklist. Because there was no text in the body of the email, natural language processing had nothing to analyze that would indicate malicious intent. The spoofed domain did not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain.

A holistic detection system that is able to extract and analyze URLs from email attachments is required to assess the intent of any links, alongside other signals acquired through content analysis, to determine whether the email is malicious. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. The PDF attachment contained anchor text directing a user to take action on an embedded link, which is a common indicator of payload-based phishing attacks. The sending and receiving email addresses in this email appeared to be identical, which is an indicator that this message is potentially malicious.

If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.