Proofpoint Phish Steals Office 365 & Google Email Credentials

by Diana Panduru | November 8, 2021 | Cybersecurity News

A newly discovered phish ironically impersonates a cybersecurity firm to sneak past Microsoft defenses and steal login credentials. Talk about a wolf in sheep’s clothing.

Phish Masquerading as Cybersecurity Company

Cybercrooks are stepping up their game by impersonating security firm Proofpoint and harvesting Microsoft Office 365 and Google email users’ credentials.

Armorblox researchers spotted this malicious fakery targeting nearly a thousand employees within a global communications company. The organization’s name remains undisclosed.

“The email claimed to contain a secure file sent via Proofpoint as a link,” the team explained in a Thursday blog post. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”

Using Mortgage Payments as Bait

The lure was a notification for a file supposedly related to mortgage payments. The subject line, “Re: Payoff Request,” was designed to make the message look like part of an ongoing correspondence, and therefore more legitimate and trustworthy, while also making the requested action seem urgent.

“Adding ‘Re’ to the email title is a tactic we have observed scammers using before – this signifies an ongoing conversation and might make victims click the email faster,” according to the report.

Email spoofing a file-sharing notification from Proofpoint. Credit: Armorblox

If targets clicked on the “secure” URL embedded in the message, they were redirected to a spoofed Proofpoint login page.

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively,” researchers wrote. “Both flows asked for the victim’s email address and password.”

Clicking the email link leads to a spoofed Proofpoint login page. Credit: Armorblox

Blending in With The Routine

The sneaky phish leverages workflows already present in many users’ daily activities (for example, getting email notifications when someone shares files with them via the cloud). Researchers explained how attackers were betting on recipients not questioning the fake messages too much.

“When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action,” according to the analysis.

Fake Office 365 and Google login pages. Credit: Armorblox

The emails were sent from a legitimate but hijacked email account belonging to a fire department in France. A compromised genuine mailbox carries its domain’s reputation and passes the SPF, DKIM and DMARC checks that would catch a forged sender, which is why such messages slip past security filters without being flagged as spam.

The credential-stealing pages were hosted on the “greenleafproperties[.]co[.]uk” parent domain.

“The domain’s WhoIs record shows it was last updated in April 2021,” researchers wrote. “The URL currently redirects to ‘cvgproperties[.]co[.]uk.’ The barebones website with questionable marketing [increases] the possibility that this is a dummy site.”

Tips On Dodging The Hook

Such attacks combine cunning social engineering, brand spoofing, and compromised legitimate accounts to send malicious emails that bypass email filters and the untrained eye of the average user. Regarding phishing prevention, Armorblox offered the following advice:

  • Beware social engineering – examine every email thoroughly: inspect the sender’s name, email address, language, and any inconsistencies within the message.
  • Enable MFA – use MFA (multi-factor authentication) wherever possible, for both work and personal accounts. Also, never recycle passwords.

Security Awareness Training Is A Must – Choose ATTACK Simulator

Most important of all anti-phishing measures, however, security awareness training belongs at the top of your company’s priority list.

You need security awareness training for your employees for many reasons:

  • To prevent cyberattacks and breaches
  • To strengthen your technological defenses
  • To attract more customers
  • To make you more socially responsible
  • To empower your employees
  • To meet compliance standards
  • To prevent downtimes and maintain a good reputation

Here are some awesome perks of choosing us:

  • Automated attack simulation – we simulate all kinds of cyberattacks: phishing, malware, ransomware, spear-phishing, identity theft, online privacy attacks, online scams etc.
  • Real-life scenarios – we evaluate users’ vulnerability to giving company-related or personal data away using realistic web pages.
  • User behavior analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
  • Malicious file replicas – our emails contain malware file replicas, to make the simulation as realistic as it can be.
  • Interactive lessons – if employees fail to recognize our traps and fall into one, they will be redirected to landing pages with quick reads on the best security practices.
  • We impersonate popular brands on our simulated phishing pages – the user will be more tempted to click on the URL or open the attachment in the email.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.


Sources:

Threatpost – Proofpoint Phish Harvests Microsoft O365, Google Logins

Armorblox – A Pointed Spoof: Proofpoint Credential Phishing


Photo by David Clode on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.