During the past week, we have seen a new authority-impersonation phishing campaign emerge at a worldwide scale, without regard to country or industry. The campaign has been delivered through several different templates, but all of the messages clearly belong to the same larger attack wave. We first saw these phishing emails on the 15th of September, and the campaign is still going around.

All of the templates in this campaign impersonate authority figures within the recipients' companies. The core idea in every template is to briefly introduce an interesting topic and make the recipient curious enough to click on the link. The link supposedly leads to a PDF document containing more information.
The specific topic used to raise curiosity varies. Some of the phishing emails are about lay-offs, annual bonus reports, or advice on handling customer complaints.

What all of these emails have in common is a short but effective introduction. The attacker opens the message in a way that grabs attention. This is most visible in the templates about lay-offs: the recipient immediately reads that their contract with the company has been terminated. The topic is very relevant at a time when many companies are struggling, and since nobody wants to read such a sentence in an email, it is highly effective at provoking emotion and an urgent need to know more.
The templates used for these phishing emails share a very simple format. At a quick glance, the emails look plausible enough to convince the recipient that they are real precisely because they are so plain. There are no graphics such as logos or properly personalized signatures that could make the emails look more convincing. The sender of the email is also not spoofed, which certainly adds another layer of trustworthiness to the email.
Below you will find some (anonymized) examples of what the phishing emails looked like in this ongoing campaign. The real names of the recipients have been changed to ‘Bob’, and the names of the companies have been changed to ‘Hoxhunt’. The impersonated names in the signatures of the emails are fake.
The links that the recipients were supposed to click on pointed to Google Docs. We presume that the recipient would have found some kind of graphic there asking them to follow another link and log in with their credentials in order to view the document. Unfortunately, the landing pages were already down, so we did not get a chance to see where the links led. All of these messages were sent through Sendgrid, a popular email delivery service for companies; unfortunately, a lot of phishing messages like these are sent through Sendgrid. In a few variants, the links led to sites hosted on brizicam.com.
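The indicators above (Google Docs links as the first hop, delivery through Sendgrid, landing pages on brizicam.com, and lay-off or bonus lures in the text) can be turned into a simple mail-triage check for a defender's inbox or SOC pipeline. The following is an added example, not code from Hoxhunt or from the original post: it parses raw RFC 822 messages with Python's standard `email` library, extracts the links and the Received chain, and flags a message when at least two of the campaign's traits co-occur, because a Google Docs link on its own is far too common in legitimate mail to act on. The two sample messages, their hostnames, addresses and IDs are constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List
from urllib.parse import urlparse

# Link domains named in the campaign write-up: Google Docs as the first hop,
# brizicam.com as a final landing site in some variants.
LINK_DOMAINS = {"docs.google.com", "brizicam.com"}
# Substrings that show up in Received headers when mail is relayed via Sendgrid.
SENDER_INFRA_HINTS = ("sendgrid.net",)
# Lure topics named in the write-up; matched case-insensitively as substrings.
LURE_KEYWORDS = ("terminated", "lay-off", "layoff", "bonus", "customer complaint")

URL_RE = re.compile(r'''https?://[^\s"'<>]+''')


def body_text(msg: EmailMessage) -> str:
    """Concatenate every text/plain and text/html part of the message."""
    return " ".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )


def link_domain_hits(text: str) -> List[str]:
    """Return hostnames of links that match the campaign's link domains."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in LINK_DOMAINS or any(host.endswith("." + d) for d in LINK_DOMAINS):
            hits.append(host)
    return hits


def received_via(msg: EmailMessage, hints) -> bool:
    """True if any Received header mentions one of the relay hints."""
    received = " ".join(str(h) for h in msg.get_all("Received", [])).lower()
    return any(hint in received for hint in hints)


def lure_hits(msg: EmailMessage, text: str) -> List[str]:
    """Lure keywords found in the subject line or body."""
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    return [k for k in LURE_KEYWORDS if k in haystack]


def triage(raw: bytes) -> Dict:
    """Score one raw message against the campaign's traits.

    Each trait contributes one point; two or more points marks the message
    as suspicious so that a lone Google Docs link does not trigger on its own.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = body_text(msg)
    findings = {
        "link_domains": link_domain_hits(text),
        "via_sendgrid": received_via(msg, SENDER_INFRA_HINTS),
        "lures": lure_hits(msg, text),
    }
    score = (
        (1 if findings["link_domains"] else 0)
        + (1 if findings["via_sendgrid"] else 0)
        + (1 if findings["lures"] else 0)
    )
    findings["score"] = score
    findings["suspicious"] = score >= 2
    return findings


# Constructed sample in the shape of the campaign: lay-off lure, Sendgrid relay,
# Google Docs link. All names, hosts and IDs below are made up for this example.
SAMPLE_EML = b"""Received: from o1.example.sendgrid.net (o1.example.sendgrid.net [203.0.113.5])
\tby mx.hoxhunt.example with ESMTPS id CONSTRUCTED-ID
From: "CEO" <ceo@mail.example.org>
To: bob@hoxhunt.example
Subject: Contract termination
Content-Type: text/plain; charset="utf-8"

Bob, your contract with Hoxhunt has been terminated. Details are in the document:
https://docs.google.com/document/d/CONSTRUCTED-DOC-ID/view
"""

# Constructed benign internal message for contrast.
BENIGN_EML = b"""Received: from mail.hoxhunt.example (mail.hoxhunt.example [198.51.100.7])
\tby mx.hoxhunt.example with ESMTPS id CONSTRUCTED-ID
From: "Alice" <alice@hoxhunt.example>
To: bob@hoxhunt.example
Subject: Lunch menu
Content-Type: text/plain; charset="utf-8"

Menu for this week: https://intranet.hoxhunt.example/lunch
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

The scoring is deliberately coarse: it is meant as a first-pass filter that routes messages to an analyst or a user-reporting workflow, not as a block rule, and the keyword list should be extended as new lure topics appear in the same wave.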