Your user gets an important business document to respond to. It is deemed safe because the email security layer has let it in, it comes from a known email contact, and all they need to do is download the “important” document.
They get redirected to a file sharing service which gets them to download the document. When it is opened the content is blurred. They’re redirected again through a known security tool (to build trust) and are asked to verify their credentials to get to the important document on a fake login page.
At this point the credentials are harvested and the criminals are in. They move at speed, immediately adding rules and sending thousands of emails to the contacts across every address book your user has access to, re-launching their attack automatically over and over again.
The next victim, one of your customers, blames you for their breach. The attackers take minutes to destroy the reputation you have built over many years.
We have seen this exact attack many times in the last week and more businesses are being hit every single day. The initial phishing email has been tested across multiple email security providers. It does not contain anything malicious, and neither do any of the first three redirects. Using speed and automation, the criminals are proving to be highly effective, causing major problems at any business that does not have a comprehensive resilience programme covering all areas of digital risk.
If you rely on email security only, you will be hit. If you rely on endpoint protection only, you will be hit. If you do not actively monitor access, rules and changes, you will be hit. A structured resilience programme provides the layered protection you need to stay safe.
This attack is not a new method, but its speed and automation are. This is causing major issues for organisations that have not built resilience across their environment to stop the spread of this attack.
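One way to monitor "access, rules and changes" for the pattern described above is to correlate each sign-in with what follows it. The sketch below is an added example, not code from the original article: the event schema, the sample events, the 30-minute window and the 50-message threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed: activity this soon after sign-in is suspect
SEND_THRESHOLD = 50             # assumed: sends inside the window that count as a burst

def sample_events():
    """Constructed audit events; the schema (time, user, kind) is hypothetical."""
    day = datetime(2024, 1, 10)
    def ev(h, m, user, kind, s=0):
        return {"time": day + timedelta(hours=h, minutes=m, seconds=s),
                "user": user, "kind": kind}
    events = [
        ev(8, 30, "bob@example.com", "login"),
        ev(8, 40, "bob@example.com", "mail_sent"),
        ev(9, 0, "alice@example.com", "login"),
        ev(9, 2, "alice@example.com", "rule_created"),
        ev(9, 10, "carol@example.com", "login"),
        ev(9, 15, "carol@example.com", "rule_created"),
    ]
    # Burst: 120 messages from alice, one every 10 seconds from 09:03.
    events += [ev(9, 3, "alice@example.com", "mail_sent", s=10 * i) for i in range(120)]
    return events

def detect_takeover(events, window=WINDOW, send_threshold=SEND_THRESHOLD):
    """Flag sign-ins followed, inside the window, by a new rule and/or a send burst."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for login in (e for e in evs if e["kind"] == "login"):
            end = login["time"] + window
            after = [e for e in evs if login["time"] <= e["time"] <= end]
            rules = sum(1 for e in after if e["kind"] == "rule_created")
            sends = sum(1 for e in after if e["kind"] == "mail_sent")
            if rules and sends >= send_threshold:
                severity = "high"      # rule change plus burst: the pattern described above
            elif rules or sends >= send_threshold:
                severity = "review"    # one signal alone: worth a human look
            else:
                continue
            findings.append({"user": user, "login": login["time"],
                             "severity": severity, "rules": rules, "sends": sends})
    return findings

if __name__ == "__main__":
    for f in detect_takeover(sample_events()):
        print(f)
```

In practice the events would come from your mail platform's audit log, mapped into this shape, and the window and threshold would be tuned to normal sending volumes.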
How does it start?
This multi-stage redirection technique is designed to evade detection and ultimately harvest user credentials through a fake login interface.
The original email is sent from a compromised account, allowing it to pass all security checks. The URL in the email is not malicious but acts as the first step in a series of redirection steps to evade detection.
- Email Subject: [Company Name] Document
- Redirect Process:
  - The initial link in the email is benign and not flagged as malicious.

Urgency is created because this important document expires in 1 week.

Clicking this link redirects the user to a second link that displays as a file sharing site. This presents an option to download an attachment.


This is blurred and looks “official”. Selecting the View Here option leads to a third redirect, which is concealed behind basic Cloudflare protection, building trust with the recipient.

Finally, the user is taken to a fake Microsoft 365 login page, where they are prompted to enter their credentials.

At this point the attacker has your credentials, and their automated attack spreads itself while they lurk in your environment looking for data to steal, encrypt and hold for ransom.
Be safe out there.