The ASEC analysis team has recently discovered phishing e-mails impersonating Microsoft being sent to corporate users.
As shown in the figure below, the sender of the phishing e-mail is disguised as Microsoft, and the e-mail is distributed with the subject “Password Expiring Notice”. The body of the e-mail says, “Your password to a certain account has expired today. Use same password to keep access to your Office365 account.”

Upon clicking the text “KEEP YOUR PASSWORD”, a screen that is identical to the Microsoft login screen appears (see Figure 2). Because the e-mail address is already filled in, just as on the actual Microsoft login page, users are likely to enter the password without a second thought.

When the user enters the password and clicks Sign in, the password is sent to the attacker’s server, which is not related to Microsoft at all (see Figure 3). The login screen then shows the message “Sign in time limit exceeded. Verify your password again,” prompting the user to enter the password again.

The attacker gains access to the user’s e-mail account with the obtained account credentials. Because attacks that target corporate users can lead to the theft of confidential corporate information once corporate account credentials are stolen, extra caution is advised.
Users must be careful not to open attached files or click URLs in e-mails from unknown sources.
[IOC]
– hxxps://www.secretemailsystem[.]com/ROO/
– hxxps://umu.ac[.]ug/ROO/
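
One way to check web proxy logs against the two IOCs above, as an added example that is not part of the original ASEC post. The log line format and the sample log lines are constructed assumptions; only the two defanged URLs come from the page.

```python
import re
from urllib.parse import urlsplit

# IOCs exactly as published on the page (defanged).
PUBLISHED_IOCS = [
    "hxxps://www.secretemailsystem[.]com/ROO/",
    "hxxps://umu.ac[.]ug/ROO/",
]

def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".")

def load_iocs(defanged):
    """Return (host, path_prefix) pairs; urlsplit lower-cases the host."""
    split = [urlsplit(refang(item)) for item in defanged]
    return [(s.hostname, s.path) for s in split]

def matches_ioc(url: str, iocs) -> bool:
    """True when url has an IOC's exact host and a path under its prefix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return any(host == h and parts.path.startswith(p) for h, p in iocs)

def scan_proxy_log(lines, iocs):
    """Yield (user, url) for log lines whose URL field matches an IOC.

    Assumed line format (hypothetical): '<timestamp> <user> <method> <url>'.
    """
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and matches_ioc(fields[3], iocs):
            yield fields[1], fields[3]

# Constructed sample log lines, not taken from a real environment.
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z alice GET https://login.microsoftonline.com/common/oauth2",
    "2024-01-01T09:00:07Z bob GET https://UMU.ac.ug/ROO/?e=bob@corp.example",
    "2024-01-01T09:00:09Z bob POST https://www.secretemailsystem.com/ROO/next.php",
    "2024-01-01T09:00:12Z carol GET https://umu.ac.ug.example.net/ROO/",
    "2024-01-01T09:00:15Z dave GET https://umu.ac.ug/about/",
]

if __name__ == "__main__":
    for user, url in scan_proxy_log(SAMPLE_LOG, load_iocs(PUBLISHED_IOCS)):
        print(f"IOC hit: user={user} url={url}")
```

The host is compared exactly rather than by substring, so a longer hostname that merely begins with an IOC host is not reported, and other pages on the same host outside the /ROO/ path are not flagged either.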