Fake Encrypted Secure Message Spoofed in Credential Phishing Attack
The number of services using secure messages for communications has increased in recent years, with banks and software companies using them most frequently. Legitimate secure-message notifications from these services rarely share a common format, and attackers take advantage of this lack of standardization to make their own fake notifications look plausible.
This attack impersonates "Admin Security" and emulates a secure message in the body of the email itself, stating that the message will expire in two days and urging the recipient to click the link to open it. Upon doing so, the target is redirected to a Microsoft 365 phishing page where they are asked to enter their credentials, ostensibly in order to view the message.
Why It Bypassed Traditional Security
The email is sent from a legitimate domain, and the phishing link itself points to a never-before-seen URL on a short-lived Azure-hosted site, so neither the sender nor the link appears on the reputation lists that legacy solutions rely on. Furthermore, the rest of the email is plain text, and the only other links send users to legitimate sites owned by the impersonated entity.
Detecting the Attack
Stopping attacks that use never-before-seen URLs requires a behavioral approach rather than a reputation lookup. By assessing the intent of the link, alongside other signals drawn from content analysis (the secure-message lure and the expiry deadline) and display name analysis (a generic "Admin Security" sender that does not match the sending address), a cloud email security platform can recognize that an email is likely malicious even when every individual indicator is new.
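To make the signal-combination idea concrete, here is a small heuristic scorer that runs over a constructed message resembling the lure described above. This is an added example, not code from the original post or from any email security vendor. The sample emails, the allowlist of domains the impersonated entity supposedly owns, the hosting suffixes treated as ephemeral (azurewebsites.net is a real Azure App Service domain, but the specific hostname is made up), and the scoring thresholds are all assumptions chosen for illustration.

```python
"""Heuristic scoring of a fake 'secure message' credential-phishing lure.

Added example; the emails, allowlist, suffixes and thresholds below are
constructed assumptions, not data from the article.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure: role-style display name on a
# legitimate sender domain, expiry urgency, one call-to-action link on a
# throwaway Azure host, and the remaining links pointing at real sites.
SAMPLE_EMAIL = """\
From: "Admin Security" <notifications@example-legit-sender.com>
To: target@victim.example
Subject: You have a new secure message
Content-Type: text/plain; charset=utf-8

You have received an encrypted secure message.
This message will expire in 2 days.

Open message: https://securemsg-7f3a1.azurewebsites.net/view?id=1
Help: https://www.example-legit-sender.com/help
Privacy: https://www.example-legit-sender.com/privacy
"""

# Constructed benign control message for comparison.
BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example-legit-sender.com>
To: target@victim.example
Subject: Meeting notes
Content-Type: text/plain; charset=utf-8

Hi, the notes from today's meeting are here:
https://www.example-legit-sender.com/notes/123
"""

# Hypothetical allowlist: domains the impersonated entity actually owns.
KNOWN_GOOD_DOMAINS = {"example-legit-sender.com"}
# Hosting suffixes where short-lived phishing pages are commonly stood up.
EPHEMERAL_SUFFIXES = (".azurewebsites.net", ".web.core.windows.net")
ROLE_WORDS = ("admin", "security", "support", "helpdesk")
LURE_RE = re.compile(r"\b(secure|encrypted)\s+message\b", re.I)
URGENCY_RE = re.compile(r"\bwill\s+expire\s+in\s+\d+\s+(hours?|days?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude eTLD+1: last two labels (enough for the sample hosts here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(body):
    """Classify every URL in the body by where it actually points."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in KNOWN_GOOD_DOMAINS:
            findings.append(("known_good", url))
        elif host.endswith(EPHEMERAL_SUFFIXES):
            findings.append(("unknown_ephemeral_host", url))
        else:
            findings.append(("unknown_host", url))
    return findings


def score_message(raw):
    """Combine display-name, content and link-intent signals into a verdict."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    local_part = sender.partition("@")[0].lower()
    body = msg.get_payload()
    signals = []
    # Display-name analysis: a role-style name that the mailbox does not reflect.
    if any(w in display_name.lower() for w in ROLE_WORDS) and not any(
        w in local_part for w in ROLE_WORDS
    ):
        signals.append("role_display_name_mismatch")
    # Content analysis: secure-message lure plus an expiry deadline.
    if LURE_RE.search(body):
        signals.append("secure_message_lure")
    if URGENCY_RE.search(body):
        signals.append("expiry_urgency")
    # Link intent: the call to action lands on an unknown, throwaway host
    # while the other links go to sites the impersonated entity really owns.
    links = analyse_links(body)
    kinds = {kind for kind, _ in links}
    if "unknown_ephemeral_host" in kinds:
        signals.append("cta_on_ephemeral_hosting")
    if "known_good" in kinds and kinds - {"known_good"}:
        signals.append("mixed_trusted_and_unknown_links")
    verdict = ("malicious" if len(signals) >= 4
               else "suspicious" if len(signals) >= 2 else "benign")
    return {"sender": sender, "signals": signals, "links": links,
            "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("control", BENIGN_EMAIL)):
        result = score_message(raw)
        print(label, result["verdict"], result["signals"])
```

No single signal here is conclusive on its own: a legitimate bank notice also says "secure message", and a real IT team may well send from a role mailbox. The point the passage makes, and that the scorer reproduces, is that the combination of a generic role display name, an urgency lure, and a call-to-action link whose destination has no history while the decorative links go to genuine sites is what separates this message from a real one, without any of the indicators needing to have been seen before.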
Risk to Organization
If the target were to open the secure message and enter their credentials, the attackers would have full access to the Microsoft 365 account. From there, they could use it to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors.