Wells Fargo Home Mortgage Payoff Quote Contains Credential Phishing Attachment
In this email, the attacker impersonates Wells Fargo Home Mortgage and provides an attachment containing a supposed payoff quote for the recipient’s home mortgage. The sending address spoofs the recipient’s own domain, and the sender’s display name is changed to give the recipient the impression that the email is coming from a @wellsfargo.com address.
When a recipient opens the HTML attachment, they are presented with a phishing page that is prefilled with their email address and asks them to enter their password because they’re “accessing sensitive info.”
Why It Bypassed Traditional Security
There is a URL within the attachment that has never been detected as malicious, allowing it to bypass traditional tools that look for known bad indicators. The spoofed domain does not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain.
Detecting the Attack
Preventing attacks that use URLs that have never been seen before requires a behavioral system. A cloud email security platform can identify malicious emails by understanding the intent of the link as well as other signals acquired through content analysis. By integrating with the Microsoft API, email security solutions can use Active Directory to process organizational charts and understand vendor emails to detect when real estate vendors are being impersonated.
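As an added illustration (not code from the original write-up), the following Python checks whether a domain's DMARC record is actually enforcing, as discussed under "Why It Bypassed Traditional Security", and flags the header-level signals from this campaign (own-domain spoof, display name naming a different domain, HTML attachment) in a constructed sample message; the addresses, DMARC record and file name are assumptions.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record into tag=value pairs, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_is_enforcing(txt):
    """True only if unauthorized mail would be quarantined/rejected; no record,
    p=none (monitor only) or a partial pct leaves the domain spoofable."""
    tags = parse_dmarc(txt or "")
    if tags.get("v", "").upper() != "DMARC1":
        return False
    pct = int(tags.get("pct", "100"))
    return tags.get("p", "none").lower() in ("quarantine", "reject") and pct == 100

def split_from(header):
    """Separate the display name from the angle-bracketed address in a From header."""
    m = re.match(r'^(.*?)\s*<([^<>]+)>\s*$', header.strip())
    if not m:
        return "", header.strip()
    return m.group(1).strip('" '), m.group(2)

def phishing_signals(msg):
    """Return the signals from this campaign that are present in a simplified message dict."""
    signals = []
    display_name, from_addr = split_from(msg["from"])
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_domain == msg["to"].rsplit("@", 1)[-1].lower():
        signals.append("from_domain_matches_recipient")  # sender spoofs the recipient's own domain
    claimed = re.search(r"@([\w.-]+)", display_name)      # display name names a different domain
    if claimed and claimed.group(1).lower() != from_domain:
        signals.append("display_name_domain_mismatch")
    if any(name.lower().endswith((".htm", ".html")) for name in msg["attachments"]):
        signals.append("html_attachment")
    if not dmarc_is_enforcing(msg.get("dmarc_record")):
        signals.append("sender_domain_dmarc_not_enforcing")
    return signals

# Constructed sample modelled on the email described above (not a real message).
SAMPLE = {
    "from": '"Wells Fargo Home Mortgage <payoff@wellsfargo.com>" <jdoe@example.com>',
    "to": "jdoe@example.com",
    "attachments": ["Payoff_Quote.html"],
    "dmarc_record": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
}
```

Any one signal alone is weak; the combination above, on a message whose own domain is not DMARC-protected, is what a behavioral system can act on where an indicator lookup cannot.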
Risk to Organization
As soon as an employee enters their credentials, attackers have full access to their email account, which they can use to access sensitive information or to launch other attacks on coworkers, customers, or vendors. This also provides access to the entire Microsoft environment, where attackers can search through documents in SharePoint or OneDrive, or find information in Microsoft Teams.