Yesterday (December 9th, 2020), our threat analyst team discovered two major phishing campaigns that have hit several enterprises across Europe. We have received reports from thousands of users in different countries and customer organizations. According to the Whois data, the two attacks originated from the servers of different technology institutions. We assume the attackers either compromised the email servers or gained access to someone’s corporate email account.
The messages were identical across all the organizations that reported the attacks.
In this email, the attackers try to get people to click on the link to preview a document that the management shared with them.
Note: We replaced the company name with the 'Censored' text for full confidentiality and removed the sender's email address.
Once the victim clicks the button, the link redirects the user to the attacker’s credential harvesting website. This website looks a lot like a real Microsoft login site, but you can tell that this is fake by looking at the domain in the browser’s URL field.
Nevertheless, the attack is rather apparent from the sender’s email address and domain. If the message had been shared through SharePoint, the sender’s email domain would be either sharepointonline.com or microsoft.com.
This attack was phishing for login credentials. It’s a basic type of phishing attack, and anyone who hovers over the link and checks the sender’s email address could easily recognize it and would not fall for it.
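The two checks described above (sender domain and link domain) can be automated when a security team triages reported emails. The following is an added example, not part of the original post; the list of trusted link domains and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender domains the article names for genuine SharePoint share notifications.
SHAREPOINT_SENDERS = ("sharepointonline.com", "microsoft.com")
# Assumption: domains where a real Microsoft sign-in or share link may live.
TRUSTED_LINK_DOMAINS = ("microsoft.com", "microsoftonline.com", "sharepoint.com")


def in_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of it.

    Matching on the dot boundary rejects look-alikes such as
    'evil-microsoft.com' and 'login.microsoft.com.signin.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message):
    """Return a list of findings for one reported email (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    if not in_domain(sender_domain, SHAREPOINT_SENDERS):
        findings.append(f"sender domain {sender_domain!r} is not a SharePoint sender")
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if not in_domain(host, TRUSTED_LINK_DOMAINS):
            findings.append(f"link host {host!r} is not a Microsoft domain")
    return findings


# Constructed sample: a fake "shared document" mail with a look-alike link.
SAMPLE = """\
From: Management <noreply@institute.example>
Subject: Document shared with you
Content-Type: text/html

<a href="https://login.microsoft.com.signin.example/preview">Preview document</a>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```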
To remain safe, remember to be cautious with all emails that you receive. Do the following:
Finally, if the email has raised concerns, remember to report it to your security team according to your organization’s guidelines.