Active Phishing Campaigns are coordinated attacks that Fortra has observed bypassing email security gateways and filtering tools. The following analysis includes examples, high-level details, and associated threat indicators.
Sample Email Lure
Analysis: In this campaign, the attack begins with a blank email containing only the sentence “See important employment document for your review”. This content is designed to create a sense of urgency and curiosity, prompting the recipient to act quickly and click on the PDF document. All the PDF attachments are named “Secured_Doc-” followed by a reference number that is unique to each email, which is also used in the email’s subject line. When the user opens this document, they are greeted with a message that claims to be from HR, along with a QR code that claims to provide access to an employment document. The attacker impersonates the HR department to establish a sense of authority, increasing the likelihood that the user will be lured into scanning the QR code. Although there are multiple ways to scan a QR code, most users gravitate towards using their smartphones which could be an attempt by the adversary to harvest more data about the victim from their phones. The bottom of the document contains a message that instructs the user not to share this email or the QR code with others, which is a tactic used by the attacker to prevent the victim from consulting colleagues or the IT department who might recognize the attempted social engineering attack. Fortra analyzed the QR codes and discovered that they contain a redirect URL that leads to a phishing landing page where the victim is further social engineered.
URL Inspection
- Redirect URL Domain: donostain.com
- O365 Phishing Domain: dalexglobal.com
- Analysis: After scanning the QR code, the user is redirected to a landing page that contains a fake Microsoft Identity Verification Check.
Threat Indicators
- Sender's Email: no-reply@timslatter[.]com
- Alternate Sender's Email: no-reply@finexstore[.]com
- Alternate Sender's Email: no-reply@kosmosrentcar[.]com
- Alternate Sender's Email: no-reply@prosoccerstore[.]co
- Email Subject: Confidential Document [Unique Reference Number]
- Alternate Email Subject: Signature Request on Document [Unique Reference Number]
- PDF Attachment's Name: Secured_Doc-[Unique Reference Number]
*The unique reference number refers to a unique number included in every email observed in this campaign, where this number is used by the attacker in both the email subject line and the attachment’s name.
Learn more about how to protect your organization from digital threats with Fortra's digital risk protection solutions.