Between 10:50am-11:00am on January 25th, GreatHorn’s threat response team identified an active, widespread phishing campaign that impersonates a Skype message. The multi-layered attack includes a .eml attachment (a tactic commonly used by attackers to get around link analysis within the main email) that links to an Office 365 credential theft site.
The attack appears to be hitting multiple users within an organization, and has been found present across multiple industries and organization sizes, using the same sender, content, and subject line.
The GreatHorn security team is currently monitoring this attack and providing automated support to clients.
Currently, here is what we know about this attack:
- The initial point of infection is a phishing email sent from what appears to be a compromised account on the domain marketingevolution.com. The email carries a .eml attachment that appears to come from the “Skype Message Center”.
- The .eml attachment contains a link whose visible primary domain is “www.worldmicro.com.br”; the link is redirected multiple times, ending at an Office 365 credential theft site with a primary domain of fidelit.com.br.
- Marketing Evolution is a legitimate organization, so this appears to be a compromised account via an account takeover.
- Edit: As of 12:34pm, both Chrome and Safari flag the destination site as a suspected phishing website.
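The nested-.eml tactic described above is what a scanner that only inspects the top-level message misses. As an added illustration (not GreatHorn's code), the Python check below parses a mail, locates attachments that are either message/rfc822 parts or files named *.eml, and lists the links found inside them. The sample message, sender addresses and URL are constructed stand-ins, not the campaign's indicators.

```python
"""Surface links hidden inside .eml attachments (added example, constructed sample)."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed outer mail carrying an inner .eml, mirroring the alert's layout."""
    inner = EmailMessage()
    inner["From"] = "Skype Message Center <noreply@example.invalid>"  # constructed
    inner["Subject"] = "You have a new voice message"
    inner.set_content("Play your message: http://www.example.invalid/voicemail/play")
    outer = EmailMessage()
    outer["From"] = "user@sender.example"  # constructed stand-in for a compromised account
    outer["Subject"] = "Skype Message"
    outer.set_content("You received a new Skype message (see attached).")
    outer.add_attachment(inner, filename="skype-message.eml")  # message/rfc822 part
    return outer.as_bytes()


def nested_eml_links(raw: bytes) -> List[Tuple[str, str]]:
    """Return (attachment filename, URL) pairs found inside attached .eml messages.

    Links in the outer body are deliberately ignored: the goal is to surface the
    ones that link analysis of the top-level mail alone would never see."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "message/rfc822":
            nested = part.get_payload(0)  # already parsed embedded message
        elif name.lower().endswith(".eml") and not part.is_multipart():
            # Some senders attach .eml files as opaque blobs; parse the decoded bytes.
            nested = email.message_from_bytes(part.get_payload(decode=True) or b"",
                                              policy=policy.default)
        else:
            continue
        for sub in nested.walk():
            if sub.get_content_maintype() != "text":
                continue
            for url in URL_RE.findall(sub.get_content()):
                found.append((name or "<unnamed .eml>", url))
    return found


if __name__ == "__main__":
    for filename, url in nested_eml_links(build_sample()):
        print(f"{filename}: {url}")
```

Each surfaced URL can then be fed to whatever link analysis already runs on the outer message, closing the gap the attachment was used to create.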
GreatHorn Security Response:
- All attack emails within GreatHorn’s customer base have been removed from customer inboxes.
- All customers of GreatHorn Email Security can rest assured that the attachment has been added to GreatHorn’s blacklist, ensuring that all future emails carrying it will be blocked.
We are continuing to monitor for evidence of this malware and will provide additional information and remediation support as our investigation continues.
If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].