Using Genuine Business Domains and Legitimate Services to Harvest Credentials



A KnowBe4 Threat Lab Publication
Authors: Jeewan Singh Jalal, Anand Bodke, and Martin Kraemer

Executive Summary
The KnowBe4 Threat Lab analyzed a sophisticated phishing campaign targeting multiple organizations to harvest Microsoft credentials.

Threat actors utilized a compromised domain, its subdomains, bulk email services, and an open redirect vulnerability to evade detection and increase click success rates.

The campaign was active until October 3, 2024, underscoring the need for ongoing cybersecurity culture adaptation against evolving threats.

Threat actors compromise legitimate business domains to benefit from an established reputation, bypass email security gateways, and hide from investigations that often shy away from legitimate services. In this case, the attackers exploited existing business infrastructure to run a fully configured email delivery offering that passed SPF, DKIM, and DMARC security policies. The attackers created subdomains by abusing dormant CNAME entries and by compromising the DNS administration console.

The attackers used a diverse set of tactics and techniques to redirect users to their phishing landing page. Diverse tactics are used to evade email security offerings and to increase the chances of successful social engineering with targets. The phishing landing page was linked through QR codes in attachments, in hidden JavaScript, through attachments with HTML redirects, and by exploiting an open redirect of a legitimate URL.

Attackers continuously develop new tactics, techniques, and procedures to bypass email security solutions and penetrate employee inboxes. Well-guarded organizations leverage open-source, machine, and human intelligence to improve the security of their email gateways. Cyber resilient organizations also train their users to resist social engineering attacks by spotting red flags and by exercising emotional intelligence and critical thinking.

Relevant Numbers
This campaign was observed from October 2nd to 3rd, 2024. The majority of the 170+ reported emails that were attributed to this campaign were submitted from organizations in the finance and healthcare sectors, predominantly (90%) located in the United States.

We noticed different payloads; HTML attachments that redirected to phishing landing pages were the most common among them (27). Other payloads included PDF files containing QR codes (4) and the abuse of legitimate URLs (4). Emails that included hidden JavaScript in the email body and imitations of MS Teams notifications were also observed, though their prevalence requires further investigation.

Technical Details
This campaign abuses genuine business addresses and legitimate services to deliver phishing emails and to achieve the end goal of harvesting Microsoft credentials (Figure 1).

Figure 1: Screenshot of the Microsoft-branded phishing landing page

Key Campaign Characteristics
The campaign started on October 2, 2024 around 11:30 PM UTC. The emails were sent to various organizations that had the following characteristics:

  • From: info@transactional.beckermedia.net
  • From Name: The display names were different for most of the reported emails
  • Email body: Each organization received a unique email template; all templates contained an initial URL leading to the final phishing landing page
  • Subject: Subjects were also unique to each organization and its sender
  • The techniques the attacker used in the emails were the exploitation of open redirects via legitimate web services and the compromise of trusted domains of legitimate businesses
  • As per MITRE ATT&CK, the tactic used by the threat actors is Reconnaissance and the technique is Phishing for Information via Spear Phishing Link and Spear Phishing Attachment
  • As per CWE, CWE-601: URL Redirection to Untrusted Site ('Open Redirect') is the weakness the attacker exploited. This commonly happens because the web service does not properly validate the redirect target supplied in the request
  • The final landing page was an MS login page aimed at harvesting credentials and the session tokens of successful authentications
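To make the CWE-601 point concrete, the following is an added illustration (not code from the report or from any service it mentions) of a redirect handler in its open form beside a hardened form. The host name is a constructed placeholder; the hardened version shows the inputs a naive "same host" check gets wrong.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical host of the web service that exposes the redirect; constructed
# for this example and not a host named in the report.
SERVICE_HOST = "portal.example.com"


def redirect_vulnerable(next_url: str) -> str:
    """CWE-601 pattern: the 'next' parameter becomes the Location header
    unchanged, so any absolute URL, including one on a host the caller
    chooses, is accepted. This is the weakness the campaign abused."""
    return next_url


def redirect_hardened(next_url: str, host: str = SERVICE_HOST) -> str:
    """Accept only site-relative paths; anything else goes to the site root."""
    fallback = f"https://{host}/"
    # 1. Require exactly one leading slash: "//host" and "/\\host" are
    #    protocol-relative URLs to browsers, and "///host" is parsed as an
    #    absolute URL by WHATWG parsers even though urljoin keeps it local.
    if not next_url.startswith("/") or next_url[1:2] in ("/", "\\"):
        return fallback
    # 2. Reject backslashes and control characters anywhere: some browsers
    #    normalise "\\" to "/" and strip tabs/newlines before parsing.
    if "\\" in next_url or any(ord(c) < 0x20 for c in next_url):
        return fallback
    # 3. Defence in depth: resolve against our origin and confirm the host
    #    of the *resolved* URL is still ours before redirecting.
    resolved = urljoin(fallback, next_url)
    if urlsplit(resolved).netloc.lower() != host:
        return fallback
    return resolved
```

A query string inside a site-relative path is kept as-is, so a legitimate internal `next` parameter still works while every external destination collapses to the fallback.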

Tactics
Threat actors prefer compromising legitimate businesses for their campaigns due to:

  • Established domain reputation and age
  • Hesitation to block legitimate domains, avoiding business disruption
  • Ability to bypass security scanners relying on domain reputation
  • Complicating investigations by obscuring the attack's origin
  • Good reputation and whitelisting across the majority of security vendors
  • Ability to bypass email security gateways until reported
  • Quick account creation with minimal verification
  • Higher click rates compared to attacker-owned infrastructure
  • Anonymity, as investigations often stop at these legitimate services

Tactics employed:

  • Exploit existing business infrastructure
  • Create subdomains by:
    • Abusing dormant CNAME entries
    • Compromising DNS administration consoles

In this campaign, we observed the attacker compromising the DNS admin console to create a subdomain and a TXT record, enabling the use of Mailgun email services for malicious purposes.

Figure 2: Subdomain entry created for the legitimate business and configured for Mailgun email sending service.

We also observed a properly configured email delivery offering, Mailgun, with valid SPF, DKIM, and DMARC records, which resulted in a bypass of security policies that rely on these authentication checks.
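The subdomain and TXT record described above are exactly the kind of change that DNS monitoring (recommendation 2 below) should catch. The following is an added example, not tooling from the report, that diffs two zone snapshots and flags additions which would let a third party send authenticated mail from the organisation's namespace. The domain, the onboarded-sender allow-list and both snapshots are constructed; the added records follow the shape of a Mailgun sending-domain setup (SPF include, DKIM selector TXT, tracking CNAME).

```python
# Constructed organisation domain and the senders it has actually onboarded;
# the report does not publish the victim's real records.
ORG_DOMAIN = "example-business.com"
EXPECTED_SPF_INCLUDES = {"spf.protection.outlook.com"}


def _flatten(snapshot):
    # {name: {rtype: [values]}} -> set of (name, rtype, value) for easy diffing
    return {(n.lower(), t.upper(), v)
            for n, rrsets in snapshot.items() for t, vals in rrsets.items() for v in vals}


def audit_dns_changes(baseline, current):
    """Diff two zone snapshots and flag additions that would let a third
    party send authenticated mail from the organisation's namespace."""
    before, after = _flatten(baseline), _flatten(current)
    known_names = {name for name, _, _ in before}
    findings = []
    for name, rtype, value in sorted(after - before):
        if name not in known_names:
            findings.append(("NEW_NAME", name, f"{rtype} {value}"))
        if rtype == "TXT" and value.lower().startswith("v=spf1"):
            # An include: for a sender nobody onboarded is the Mailgun-style red flag.
            for token in value.split():
                if token.lower().startswith("include:"):
                    sender = token[len("include:"):].lower()
                    if sender not in EXPECTED_SPF_INCLUDES:
                        findings.append(("NEW_SPF_INCLUDE", name, sender))
        if rtype == "TXT" and "_domainkey" in name.split("."):
            findings.append(("NEW_DKIM_KEY", name, value[:40]))
        if rtype == "CNAME":
            target = value.rstrip(".").lower()
            if target != ORG_DOMAIN and not target.endswith("." + ORG_DOMAIN):
                findings.append(("EXTERNAL_CNAME", name, target))
    return findings


# Constructed snapshots. The additions mirror the record shapes a Mailgun
# sending domain needs (SPF include, DKIM selector TXT, tracking CNAME).
BASELINE = {
    "example-business.com": {
        "TXT": ["v=spf1 include:spf.protection.outlook.com -all"]},
    "www.example-business.com": {"CNAME": ["example-business.com."]},
}
CURRENT = {
    **BASELINE,
    "transactional.example-business.com": {"TXT": ["v=spf1 include:mailgun.org ~all"]},
    "mg._domainkey.transactional.example-business.com": {"TXT": ["k=rsa; p=MIIBIjANBg...CONSTRUCTED"]},
    "email.transactional.example-business.com": {"CNAME": ["mailgun.org."]},
}
```

Run against periodic zone exports (or the DNS provider's audit log) and alert on any NEW_SPF_INCLUDE or NEW_DKIM_KEY that no change ticket explains.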

Delivery Methods
In this campaign, we observed that the threat actor deployed the various delivery mechanisms listed below to achieve a higher click rate.

1. HTML attachment that redirects to the phishing landing page once opened.

Figure 3: Template with a blank email body and a malicious HTML attachment containing the redirect link

2. PDF attachment containing a QR code which, once scanned, redirects to the phishing landing page.

Figure 4: PDF attachment with a QR code utilizing an open redirect to the phishing landing page

3. Email body containing hidden JavaScript code that redirects to the phishing landing page once opened in an HTML viewer.

Figure 5: Hidden JavaScript preview redirecting to the phishing landing page

4. Abuse of a legitimate URL's open redirect to reach the phishing landing page.

Figure 6: Open redirection from a legitimate URL to the phishing landing page

5. Impersonation of an MS notification for a received message, with a link to the phishing landing page.

Figure 7: Impersonation of MS notification
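Delivery methods 1, 3 and 4 all reduce to a redirect primitive inside HTML (a meta refresh, a JavaScript location change, or a legitimate URL whose query string carries the real destination). As an added example, not detection logic from the report, the scanner below pulls those primitives out of an attachment or rendered body, follows one open-redirect hop so the final host is what gets judged, and flags runtime decoders that hide the target from static matching. The trusted-host list and the sample attachment are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list: hosts an attachment from this organisation may legitimately load.
TRUSTED_HOSTS = {"example-business.com", "www.example-business.com"}

# <meta http-equiv="refresh" content="0;url=..."> and the common JS navigation forms.
_META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"']?"
    r"\s*\d+\s*;\s*url\s*=\s*([^\"'>\s]+)", re.I)
_JS_LOCATION = re.compile(
    r"(?:(?:window|document|top|self|parent)\.)?\blocation(?:\.href)?\s*"
    r"(?:=|\.replace\(|\.assign\()\s*[\"']([^\"']+)[\"']", re.I)
_OBFUSCATION = re.compile(r"\batob\s*\(|\bunescape\s*\(|fromCharCode", re.I)


def _nested_urls(url):
    """URLs carried in the query string, i.e. the next hop of an open redirect."""
    return [v for vals in parse_qs(urlsplit(url).query).values()
            for v in vals if re.match(r"https?://", v, re.I)]


def find_redirects(html):
    """Return one finding per redirect primitive found in an HTML attachment,
    resolving one open-redirect hop so the *final* host is what gets judged."""
    findings = []
    for kind, pattern in (("meta_refresh", _META_REFRESH), ("js_location", _JS_LOCATION)):
        for match in pattern.finditer(html):
            target = match.group(1)
            final = (_nested_urls(target) or [target])[-1]
            host = (urlsplit(final).hostname or "").lower()
            findings.append({"kind": kind, "target": target, "final_host": host,
                             "suspicious": host not in TRUSTED_HOSTS})
    if _OBFUSCATION.search(html):
        # Decoded-at-runtime targets defeat the regexes above; flag the decoder itself.
        findings.append({"kind": "obfuscation", "target": "", "final_host": "",
                         "suspicious": True})
    return findings


# Constructed attachment: meta refresh through an open redirect on a third-party
# host, plus a JavaScript fallback and a base64-decoded spare copy of the target.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=https://redirect.example.org/go?url=https://login-portal.example.net/auth">
</head><body><script>
var spare = atob("aHR0cHM6Ly9sb2dpbi1wb3J0YWwuZXhhbXBsZS5uZXQv");
window.location.href = 'https://login-portal.example.net/auth?sid=1';
</script></body></html>"""
```

A meta refresh to a trusted host produces a finding with suspicious set to False, so the output can feed a gateway rule that quarantines only attachments whose final host is unknown or whose script needs a decoder to reveal it.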

Recommendations

  1. Use Endpoint Detection and Response (EDR) to detect unusual behavior and malicious software
  2. Monitor DNS entries to detect unexpected changes
  3. Monitor outgoing email traffic for anomalies that can be symptoms of compromised email accounts
  4. Train your workforce to resist social engineering, spot phishing red flags, preview QR codes, be cautious with attachments, and identify irregularities in emails
  5. Shape a security culture that facilitates proactive user behavior

About the Threat Lab
KnowBe4 Threat Labs specializes in researching and mitigating email threats and phishing attacks, utilizing a combination of expert analysis and crowdsourced intelligence. The team of seasoned cybersecurity professionals investigates the latest phishing techniques and develops strategies to preemptively combat these threats.

By harnessing insights from a global network of participating customers, KnowBe4 Threat Labs delivers comprehensive recommendations and timely updates, empowering organizations to protect against and respond to sophisticated email-based attacks. The Threat Labs are KnowBe4’s commitment to innovation and expertise, ensuring robust defenses against the ever-evolving landscape of cyber threats.

