New phishing campaigns are using a CIM Finance account to steal user credentials. In these attacks, targeted users receive a phishing email telling them they need to update their Office 365.
The attackers use a fake Microsoft form hosted on Google with a valid SSL certificate to trick recipients into thinking they are connected to a Microsoft page linked to their company.
In the phishing email, recipients see a notification purporting to come from the corporate IT team, telling them that they need to update their Office 365 because it has expired. The supposed administrator claims that if it is not updated immediately, the user's account will be suspended, causing users to panic and click the link, thereby exposing their credentials to the cybercriminals.
Once they click the link, a fake Microsoft Office 365 login page appears that does not match the visual design of the genuine Microsoft Office 365 page: half of the words appear capitalized and asterisks are used in place of some letters.
According to a report by the cybersecurity company Cofense, “when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real.” The stolen credentials are sent to the attackers via Google Drive.
There have been previous attacks that used Office 365 lures to trick users into clicking a malicious link that was supposed to open a voice message.
Attackers use CIM Finance to send phishing emails
Attackers send the phishing emails through “a compromised financial email account with privileged access to CIM Finance,” Cofense says. CIM Finance is a finance company that offers financial services to small and medium-sized enterprises (SMEs), large corporations and consumers.
The attackers exploited the CIM Finance website to declare host arrays made up of phishing emails. Host arrays are a programming construct used to simplify code and boost performance: with arrays, large collections of data can be manipulated with a single SQL statement.
The attackers bypassed the email authentication checks because CIM Finance is a verified sender.
“Since the emails come from a legitimate source, they pass basic email security checks such as DKIM and SPF,” Cofense explains.
SPF is a DNS TXT record listing the servers authorized to send mail on behalf of a domain. Because the phishing emails came from the CIM Finance mail server, which is listed as a legitimate source, the sending server was authenticated as an approved sender.
DKIM confirms that an email was not altered in transit between the sending and receiving servers by adding a digital signature to the message headers, which the receiving server verifies against a public key published in the sender's DNS. It is used alongside other antiphishing and antispam measures.
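To make concrete why a message sent through a compromised but legitimate account passes SPF, here is an added example (not code from the article or from Cofense) of a minimal SPF evaluator. It replaces live DNS with a constructed lookup table; the domain names, hostnames and IP addresses in it are invented for illustration and have no connection to CIM Finance. The point it demonstrates is that SPF answers only "is this server allowed to send for this domain?", so mail from an authorized server passes regardless of who controls the account behind it.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical domains and RFC 5737 test addresses).
# Real SPF evaluation would resolve TXT, A and MX records over the network.
FAKE_DNS = {
    "example-finance.test": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 include:mailer.example.test -all"],
        "A": ["203.0.113.10"],
        "MX": ["mx1.example-finance.test"],
    },
    "mailer.example.test": {
        "TXT": ["v=spf1 ip4:198.51.100.25 ~all"],
    },
    "mx1.example-finance.test": {"A": ["192.0.2.20"]},
}

# SPF qualifiers prefixing a mechanism; a bare mechanism means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record from the stand-in table, or None."""
    for txt in FAKE_DNS.get(domain, {}).get("TXT", []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate the ip4, a, mx, include and all mechanisms of `domain`'s SPF
    record against the sending IP. Returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    ip_str = str(addr)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip_str in FAKE_DNS.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            for mx in FAKE_DNS.get(arg or domain, {}).get("MX", []):
                if ip_str in FAKE_DNS.get(mx, {}).get("A", []):
                    matched = True
        elif name == "include":
            # include: matches only if the included domain's policy yields "pass"
            matched = check_spf(ip_str, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


if __name__ == "__main__":
    # A message relayed by the domain's own authorized server passes SPF,
    # whether or not the account that sent it has been compromised.
    print(check_spf("203.0.113.10", "example-finance.test"))   # pass
    print(check_spf("192.0.2.99", "example-finance.test"))     # fail
```

Because a "pass" here says nothing about the message content, mail that authenticates cleanly still needs content and behaviour based checks (unexpected credential-request wording, links to forms hosted outside the organization) before it reaches users.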