Credential Spear-Phishing Campaign Sneaks Past Security Filters Into 75K Inboxes

by Diana Panduru | September 29, 2021 | Cybersecurity News

A spoofed Zix encrypted email has slipped past spam and security controls across Office 365, Google Workspace, Exchange, Cisco ESA, and others right into almost 75K inboxes, in a vast credential spear-phishing campaign.

Armorblox researchers have detected an active credential spear-phishing campaign spoofing an encrypted Zix email, which comes from a seemingly legitimate domain associated with the Baptist religion.

The attacker is launching the phishing attack from “thefullgospelbaptist[.]com”, a domain that could be an old version of a genuine Baptist domain, fullgospelbaptist[.]org, which belongs to a religious organization established in 1994.

In a Tuesday post, researchers noted that, so far, the fake-Zix encrypted email has targeted almost 75,000 inboxes and has evaded detection by embedded spam and security filters across Office 365, Google Workspace, Exchange, Cisco ESA and others.

The spear-phishing campaign is directed at companies across sectors such as state and local government, education, financial services, healthcare, and energy, selectively targeting senior executives and cross-departmental employees.

Armorblox experts discovered that the threat actor is cherry-picking potential victims, selecting no more than one employee in any single department. This is probably to avoid the “Hey, did you get this weird email?” chat among co-workers.

The Spear-Phishing Campaign Uses A Bogus Zix Email

Zix is a big name in the email encryption market, alongside other key players such as Cisco Systems, Trend Micro, Proofpoint, Sophos, and Norton.

Leveraging the name recognition alone helps the malicious email pass a sniff test it should typically fail. In addition, the email attack also uses a handful of methods to evade traditional security filters and to “pass the eye tests of unsuspecting end users,” Armorblox explained, including social engineering, exploiting a legitimate-looking Baptist domain, and replication of existing workflows.

The subject header is “Secure Zix message.” The email body’s header repeats the deceiving title and tells the target that they’ve received a secure Zix message. Click on the “Message” button to check it out, the email instructs.

Credential-phishing email spoofing a Zix secure message. Source: Armorblox.

In the images below, you can see a genuine Zix secure message and a fake notification. They aren’t identical, but they’re close enough to fool an unsuspecting user.

Email spoofing a Zix secure message notification. Source: Armorblox
Screenshot of a genuine Zix secure message template. Source: Armorblox.

Bad Guys Want Selected Employees To Click On “Message”

Clicking on the “Message” link contained in the email will launch an attempted drive-by download of an HTML file named “securemessage.” Unfortunately, Armorblox researchers weren’t able to open the file in their virtual machine (VM) instance since that’s not where the redirect appeared. Fortunately, when researchers wrote up the spear-phishing campaign, most site blockers were putting up a block page to prevent infection.

Armorblox offered a few examples of the bad guys’ preferred prey: For instance, one of the SLED (state and local government and education) organizations that Armorblox counts as customers saw an attack in which the hit list included the CFO, a director of operations, a director of marketing and a professor.

Second example: The credential spear-phishing campaign targeted a wellness business, going after the senior vice president of finance and operations, the president, and a utility email alias ([.]com).

With regard to the apparently random spread, the researchers theorized that the scammers might have intentionally selected their targets “to be across departments and to contain a good mix of senior leadership and individual contributors.”

Also, the attackers may have targeted people who don’t tend to turn to each other if they receive a suspicious email, Armorblox explained.

Sneaky Techniques

Armorblox’s team summarized the cunning techniques that the spoofed Zix email spear-phishing campaign is using to evade conventional email security filters and vigilant eyes:

  • Social engineering: The title, design, and content of the email are intended to induce trust and urgency in the targets – a sense of trust because the email pretended to be from a reputable company (Zix), and a sense of urgency because it told the victim that they were sent a secure message. The strategy of this attack also preys on the curiosity factor.

It’s not hard to see why receiving an email that somebody did all the work to encrypt could stimulate recipients’ curiosity. A May 2021 report from Security Advisor uncovered that the curiosity effect has shown up as one of the top three cognitive biases to be taken advantage of in phishing attacks, appearing in 17% of them.

  • Brand impersonation: The spoofed email has HTML stylings and content disclaimers resembling genuine emails from Zix.
  • Exploiting a legitimate domain: The parent domain of the email sender was an old version of a legitimate domain – ‘thefullgospelbaptist[.]com’. This helped the email sneak past authentication checks.

Armorblox’s Abhishek Iyer said that using legitimate (if unrelated) domains to send emails “is more about tricking security controls (i.e., bypassing authentication checks) than it is about tricking recipients, especially if the domains are not spoofed to look like the real thing.”

“Whether these domains are used to send the email or host the phishing page, the attackers’ intent is to evade security controls based on URL/link protection and get past filters that block known bad domains,” Iyer added.

Obviously, the Baptist organization had no connection to the spear-phishing campaign, according to Iyer. “To host phishing pages on legitimate domains, attackers usually exploit vulnerabilities in the web server or the Content Management Systems (CMS) to host the pages without the website admins knowing about it.”

  • Replicating existing workflows: The context for the email attack copies workflows that already exist in our daily work lives (getting encrypted email notifications). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action. The email content even had every victim’s first name filled in to add to the feeling of legitimacy and the chances of follow through.

“Security awareness training programs require us to operate in the System 2 mode of thinking, encouraging us to be suspicious of emails we receive,” Armorblox co-founder Arjun Sambamoorthy recommended in a post earlier this month.
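A defender-side check for the gap described above: a passing SPF or DKIM result says only that the sending domain is real, not that it belongs to the brand the message names. This is an added example, not code from Armorblox or from this article; it flags mail whose subject or display name claims a brand while the sender domain is off that brand's allowlist. The allowlist entries, the header values and the function names are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumption: domains each brand genuinely sends from. Maintain a verified list.
BRAND_SENDER_DOMAINS = {"zix": {"zix.com", "zixcorp.com"}}

def auth_passed(msg):
    """True if the receiving MTA recorded spf=pass or dkim=pass."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return bool(re.search(r"\b(?:spf|dkim)=pass\b", results, re.I))

def brand_mismatch(raw):
    """Return (brand, sender_domain, auth_passed) when the Subject or From
    display name claims a brand the sender domain does not belong to."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claimed = f"{msg.get('Subject', '')} {display}".lower()
    for brand, domains in BRAND_SENDER_DOMAINS.items():
        if not re.search(rf"\b{re.escape(brand)}\b", claimed):
            continue
        if not any(domain == d or domain.endswith("." + d) for d in domains):
            return brand, domain, auth_passed(msg)
    return None

# Constructed sample headers (not captured from the campaign). The sender
# domain is the one named in the article; everything else is made up.
SPOOFED = (
    "From: Zix Secure Message <notify@thefullgospelbaptist.com>\n"
    "Subject: Secure Zix message\n"
    "Authentication-Results: mx.example.net; spf=pass "
    "smtp.mailfrom=thefullgospelbaptist.com\n\n"
    "You have received a secure Zix message.\n"
)
GENUINE = (
    "From: Zix <notification@zixcorp.com>\n"
    "Subject: Secure Zix message\n"
    "Authentication-Results: mx.example.net; spf=pass "
    "smtp.mailfrom=zixcorp.com\n\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, brand_mismatch(raw))
```

A hit where the third field is `True` is the case the article describes: the message authenticated cleanly for a domain unrelated to the brand it claims.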

Phishing Is Becoming More Difficult To Spot

“Everyone wants to believe that they wouldn’t fall victim to typical phishing scams. However, the truth is that these methods of intrusion are getting harder to spot as cybercriminals become more savvy with their tactics. Cybercriminals continue to build on trickier spear-phishing strategies that rely on brand-new techniques and even more deceitful tricks that can catch even the most discerning person unaware.” —Troy Gill, Threatpost InfoSec Insider column.

Prepare Your Employees With ATTACK Simulator’s Phishing Simulations

Thinking you’ll dodge the bullet (or hook)? Think again. Figures paint a rather grim cybercrime landscape.

Phishing attacks can be catastrophic, resulting in immense financial damage or even the end of your business.

You need security awareness training for your employees for many reasons:

  • To prevent cyberattacks and breaches
  • To strengthen your technological defenses
  • To attract more customers
  • To make you more socially responsible
  • To empower your employees
  • To meet compliance standards
  • To prevent downtime and maintain a good reputation

Our realistic phishing simulations will expose your employees to life-like hands-on fake phishing attacks.

Here are some awesome perks of choosing us:

  • Automated attack simulation – we simulate all kinds of cyberattacks: phishing, malware, ransomware, spear-phishing, identity theft, online privacy attacks, online scams etc.
  • Real-life scenarios – we evaluate users’ vulnerability to giving company-related or personal data away using realistic web pages.
  • User behavior analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
  • Malicious file replicas – our emails contain malware file replicas, to make the simulation as realistic as it can be.
  • Interactive lessons – if employees fail to recognize our traps and fall into one, they will be redirected to landing pages with quick reads on the best security practices.
  • We impersonate popular brands on our simulated phishing pages – the user will be more tempted to click on the URL or open the attachment in the email.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.

All that being said, would your employees take the bait? Put them to the test with our free security awareness training trial and know for sure!


ThreatPost: Credential Spear-Phishing Uses Spoofed Zix Encrypted Email

IT Security News: Credential Spear-Phishing Uses Spoofed Zix Encrypted Email



by Diana Panduru
