Security researchers have uncovered a spear-phishing campaign that involves hackers sending malicious emails to CEOs, CFOs, CTOs, and SVPs at a large number of organisations, asking them to participate in a Doodle poll to reschedule an upcoming board meeting, with the emails linking to an Office 365 credential theft site.
According to researchers at security firm GreatHorn, this is a widespread spear-phishing campaign targeting senior executives at a large number of organisations across multiple industries and organisation sizes.
All emails that were sent by those behind the phishing campaign had the same email address listed in the “From” and “To” fields, used “Meetings” as the display name, and carried the subject line “New message: [Company Name] February in-person Board Mtg scheduling (2/24/19 update)”.
“Purporting to be from the CEO of an organisation, the phishing attack claims that a planned board meeting needs to be rescheduled and requests participation in a poll to identify a new date,” the researchers said, adding that the destination site (that spoofed Office 365) remained unidentified by browsers as a malicious site.
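The three header traits described above (identical From and To address, a display name of “Meetings”, and the fixed subject line pattern) are the kind of indicators a mail team would turn into a triage rule. The following is an added example, not code from the article or from GreatHorn, that runs such a rule over a handful of constructed messages; the sample headers, addresses and Message-IDs are invented for the demonstration, and the two-hit threshold is an assumption chosen because a message whose From and To match is on its own common in legitimate bulk mail.

```python
"""Header-based triage for the board-meeting poll lure described in the article.

Added example (not from the original article). It checks three traits the
article lists: From address equals To address, display name "Meetings", and
the subject "New message: <Company> February in-person Board Mtg scheduling
(2/24/19 update)". All sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real campaign data).
SAMPLE_MESSAGES = [
    # 1) Matches all three traits.
    "From: Meetings <ceo@example-corp.test>\n"
    "To: ceo@example-corp.test\n"
    "Subject: New message: Example Corp February in-person Board Mtg "
    "scheduling (2/24/19 update)\n"
    "Message-ID: <a1@constructed.test>\n"
    "\nPlease vote in the poll so we can fix a new date.\n",
    # 2) Ordinary internal mail: distinct addresses, unrelated subject.
    "From: Jane Doe <jane@example-corp.test>\n"
    "To: cfo@example-corp.test\n"
    "Subject: Q1 budget draft\n"
    "Message-ID: <a2@constructed.test>\n"
    "\nDraft attached.\n",
    # 3) Self-sent reminder: From equals To, but nothing else matches.
    "From: cto@example-corp.test\n"
    "To: cto@example-corp.test\n"
    "Subject: note to self\n"
    "Message-ID: <a3@constructed.test>\n"
    "\nRenew certs.\n",
]

# Subject line pattern from the article; the company name is a free-form field.
SUBJECT_PATTERN = re.compile(
    r"^New message: .+ February in-person Board Mtg scheduling \(2/24/19 update\)$"
)


def triage(raw_message):
    """Return the list of campaign traits found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    subject = msg.get("Subject", "")

    reasons = []
    # Trait 1: the same address in both From and To.
    if from_addr and from_addr.lower() == to_addr.lower():
        reasons.append("from_equals_to")
    # Trait 2: display name "Meetings".
    if from_name.strip().lower() == "meetings":
        reasons.append("display_name_meetings")
    # Trait 3: the fixed subject line.
    if SUBJECT_PATTERN.match(subject.strip()):
        reasons.append("board_meeting_subject")
    return reasons


def flagged_messages(raw_messages, min_hits=2):
    """Return (Message-ID, reasons) for messages with at least min_hits traits.

    The threshold is an assumption: From == To alone is common in
    legitimate bulk mail, so a single trait is not escalated by itself.
    """
    flagged = []
    for raw in raw_messages:
        reasons = triage(raw)
        if len(reasons) >= min_hits:
            message_id = message_from_string(raw).get("Message-ID", "<unknown>")
            flagged.append((message_id, reasons))
    return flagged


if __name__ == "__main__":
    for message_id, reasons in flagged_messages(SAMPLE_MESSAGES):
        print(message_id, "->", ", ".join(reasons))
```

Only the first constructed message is escalated; the self-sent reminder trips one trait and stays below the threshold, which is the point of combining indicators rather than alerting on any one of them.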
Spear-phishing attacks to become more frequent
Phishing attacks have been among the major worries for organisations based in the UK, as they are being used by cyber criminals to infiltrate organisations’ IT networks, steal confidential enterprise and customer data, and disrupt operations.
Last month, security firm Agari warned that a Nigeria-based cyber crime group called London Blue (which is well-known for carrying out Business Email Compromise (BEC) attacks on companies located in the United States, Spain, the United Kingdom, Finland, the Netherlands, Mexico and 76 other countries), had prepared a list of more than 50,000 corporate executives who it aimed to target with spear-phishing attacks in the near future.
The targeted executives work at some of the largest multinational corporations, several of the world’s biggest banks, large mortgage companies, and other small and medium companies across the globe, with over half of them based in the United States.
While it is not known if the latest spear-phishing campaign has been orchestrated by London Blue, it has certainly been designed by hackers to steal Office 365 credentials of senior management executives (who have more access privileges compared to other employees) and use such credentials to log in to their corporate accounts.
“It is not surprising that the criminals behind this attack chose to redirect employees to a fake Microsoft 365 landing page: Microsoft remains the most impersonated brand by phishers because of its recognisability and popularity. Neither is it surprising that the emails arrived from senior officials within the companies, which is a common practice in BEC attacks: employees want to perform well at work and would recognise their boss’s name as a trusted sender,” said Corin Imain, Senior Security Advisor at DomainTools.
“While involving employees in cybersecurity best-practice training courses can certainly help to reduce the risks posed by phishing attacks, organisations should also consider more proactive methods to spot malicious domains before they strike, and should invest in an efficient, regularly updated email filtering system.
“We are unlikely to witness a decrease in this kind of attack as long as they continue to be effective: there needs to be a conscious, collective effort to minimise their success in order to make them go out of fashion,” he added.