Although we have so far identified this scheme only in O365 environments, there is nothing to prevent it from propagating to G Suite and other environments.
The GreatHorn security team is currently monitoring this attack and providing automated support to clients.
- The initial point of infection is a phishing email from the senders “[email protected]” and “[email protected]”. The email takes a number of different forms, including the example on the right, and includes a link to a PDF that is currently being hosted on multiple compromised SharePoint file hosting sites, as well as on free PDF hosting websites such as freepdfhosting.com.
- The destination of the supposed voicemail link is a PDF, branded as a Verizon document, containing a second step URL that leads to a credential theft site designed to look like an Office 365 login:
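The two-stage flow above (voicemail lure in the email, PDF link on a free PDF host or a compromised SharePoint site, credential theft page behind the PDF) is what a mail policy has to key on before the URLs reach any blacklist. The following is an added example, not GreatHorn's own policy code: it scores constructed sample messages on that pattern. The sender addresses, URLs and file names in the samples are placeholders; only the lure theme and freepdfhosting.com come from the advisory.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Lure wording and hosting patterns follow the advisory; the regexes themselves are mine.
VOICEMAIL_LURE = re.compile(r"\b(voice\s*mail|missed call)\b", re.IGNORECASE)
FREE_PDF_HOSTS = {"freepdfhosting.com"}  # named in the advisory
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def _text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(out)


def _is_pdf_lure_link(url: str) -> bool:
    """True for any link to a free PDF host, or a .pdf served from a SharePoint site."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host in FREE_PDF_HOSTS:
        return True
    return host.endswith(".sharepoint.com") and parsed.path.lower().endswith(".pdf")


def classify(raw: str) -> dict:
    """Verdict plus evidence: both a voicemail lure and a PDF drop link are required."""
    msg = message_from_string(raw)
    body = _text(msg)
    lure = bool(VOICEMAIL_LURE.search(msg.get("Subject", "") + "\n" + body))
    links = [u for u in URL_RE.findall(body) if _is_pdf_lure_link(u)]
    verdict = "danger-phishing" if lure and links else "clean"
    return {"verdict": verdict, "lure": lure, "links": links}


# Constructed samples: sender, URLs and file names are placeholders, not real indicators.
PHISH = ("From: voicemail@example.invalid\nSubject: New Voice Mail Message\n\n"
         "You have a new voicemail. Listen here: https://freepdfhosting.com/EXAMPLE1234.pdf\n")
BENIGN = ("From: colleague@example.invalid\nSubject: Q3 report\n\n"
          "Draft is here: https://contoso.sharepoint.com/sites/fin/Q3.pdf\n")

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(name, classify(sample))
```

The benign sample carries a SharePoint PDF link but no voicemail lure, so it stays clean; requiring both signals is what keeps ordinary SharePoint sharing out of the quarantine.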
Our specific recommendations:
- All customers of GreatHorn Email Security will find new policies in place in their GreatHorn Dashboard that will stop this attack by moving mail matching these patterns to Danger-phishing.
We are continuing to monitor for evidence of this attack, and will provide additional information and remediation support as our investigation continues.
As of October 17 at 11:51am EDT, neither the documents, the URLs where they’re hosted, nor the credential theft links themselves are being flagged by threat intelligence blacklists. While threat intelligence is an important part of any email security strategy, blacklists are often ineffective against zero-day threats and phishing attacks.
If you have any questions or concerns, please feel free to contact the GreatHorn team at [email protected].