The number of services using secure messages for communications has increased in recent years, with banks and software companies using them most frequently. Valid secure messages from these services rarely share the same format, and attackers take advantage of this lack of standardization to complete their scams: a recipient has no single "correct" look to compare against.

This attack impersonates "Admin Security" and emulates a secure message in the body of the email itself, stating that the message will expire in two days and encouraging the recipient to click the link to open it. Upon doing so, the target is redirected to a Microsoft 365 phishing page where they are asked to enter their credentials, ostensibly in order to view the message.


Why It Bypassed Traditional Security

The sender address is spoofed so the email appears to come from a legitimate domain (here, the recipient's own), and the phishing link itself uses a never-before-seen URL on a short-lived Azure site, so neither the sender nor the URL has a reputation history for legacy solutions to match against. Furthermore, the rest of the email is text-based, and the only other links send users to legitimate sites owned by the impersonated entity.

Detecting the Attack

A behavioral system is required to stop attacks that use never-before-seen URLs, because a blocklist has nothing to match. By understanding the intent of the link (a "view your message" call to action pointing off the impersonated organization's domain), alongside other signals acquired through content analysis (the artificial expiry deadline) and display-name analysis (an "Admin Security" name on an ordinary mailbox), a cloud email security platform can recognize when an email is likely malicious.
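The signals described above can be combined into a simple scoring rule. The following Python is an added example written for this page, not the detection code of any vendor or of the original author; the sample email, the Azure hostname, the keyword lists and the threshold are constructed assumptions, and a production platform would learn such baselines from an organization's mail history rather than hard-code them.

```python
"""Heuristic scoring of the secure-message phish described above.

Added example, not the page's or any vendor's detection code. It reproduces
the signals the text lists: display-name analysis, a self-addressed spoof that
fails sender authentication, urgency language, and link intent (an "open the
message" link pointing at a host the impersonated organization does not own).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the attack in the text (not a real capture).
SAMPLE_EMAIL = """\
From: "Admin Security" <jane.doe@example.com>
To: jane.doe@example.com
Return-Path: <bounce@relay-7f3a.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay-7f3a.example.net; dmarc=fail header.from=example.com
Subject: You have a new secure message
Content-Type: text/html; charset=utf-8

<p>You have received a secure message from Admin Security.</p>
<p>This message will expire in 2 days.</p>
<p><a href="https://secure-msg-7f3a2.azurewebsites.net/open">Open secure message</a></p>
<p><a href="https://www.example.com/security">Security center</a></p>
"""

# Display names used to borrow authority (assumed list).
IMPERSONATED_NAMES = ("admin", "security", "helpdesk", "it support")
# Anchor text that says "click here to read the protected content".
OPEN_INTENT = re.compile(r"\b(open|view|read|access)\b.*\b(message|document|file)\b", re.I)
URGENCY = re.compile(r"\bexpires? (?:in|within) \d+ (?:hour|day)s?\b", re.I)
# Throwaway hosting often used for short-lived landing pages (assumed list).
DISPOSABLE_HOSTS = (".azurewebsites.net", ".web.core.windows.net")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain(addr):
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (signals, score); each signal is a reason an analyst would cite."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload()
    org_domain = domain(sender)
    signals = []

    # Display-name analysis: an authority name on an ordinary user mailbox.
    if any(k in display.lower() for k in IMPERSONATED_NAMES):
        signals.append(f"authority display name {display!r} on mailbox {sender}")

    # Self-addressed spoof: From equals To, yet SPF/DMARC failed for that domain.
    if sender.lower() == recipient.lower() and ("spf=fail" in auth or "dmarc=fail" in auth):
        signals.append("self-addressed message that fails sender authentication")

    if URGENCY.search(body):
        signals.append("artificial deadline (message expiry)")

    # Link intent: the "open the message" call to action leaves the impersonated domain.
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        off_domain = host != org_domain and not host.endswith("." + org_domain)
        if off_domain and OPEN_INTENT.search(text):
            note = f"'{text}' points to {host}, not {org_domain}"
            if host.endswith(DISPOSABLE_HOSTS):
                note += " (disposable hosting)"
            signals.append(note)

    return signals, len(signals)


if __name__ == "__main__":
    found, score = score_message(SAMPLE_EMAIL)
    for s in found:
        print("-", s)
    print("verdict:", "likely credential phishing" if score >= 3 else "no decision")
```

Run it on the constructed sample and all four signals fire; the link to the impersonated organization's real "Security center" page is not counted, which is the point: the legitimate links in this email are what let it pass a URL-reputation filter, so the decision has to rest on the one off-domain link and the context around it, not on link count.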

Risk to Organization

If the target were to open the "secure message" and enter their credentials, the attackers would gain full access to the Microsoft 365 account. From there, they could search the mailbox and files for sensitive information, or use the account as a trusted launch point for further attacks on the employee's coworkers, customers, or vendors.

Analysis Overview

Vector: Link-based

Goal: Credential Theft

Tactic: Self-Addressed Spoofed Email

Theme: Secure Message