The emails in these campaigns involve the team collaboration software Microsoft SharePoint.įigure 6. Researchers also found phishing campaigns exploiting the image editing site Canva, the infographic and chart maker Infogram, and the brand template platform Lucidpress. The email subjects also follow a pattern, as seen in these sample subjects: It uses Windows on a hosting provider and is linked to other senders of the phishing emails. Researchers identified the sender’s IP address, which they discovered to be an open Remote Desktop Protocol (RDP) port. Email header analysis indicating SPF and DMARC verifications The email sender is possibly hacked, and the compromised account is used to send phishing emails.įigure 5. The prompt to reenter credentials Email header analysisīased on their email headers, the emails pass Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) verifications. The prompt to download or preview the documentĪfter clicking the “Download or Preview Here” link, users are led to a phishing page that masquerades as a Microsoft account login page.Īfter entering their account credentials, users will be informed that an incorrect account or password was entered, prompting them to reenter their credentials.įigure 4. On that page, users are prompted to click the link to download or preview a document that has apparently been shared using “Secured Microsoft Azure for OneDrive Cloud.”įigure 2. The phishing emails contain a link that leads to a page on Evernote. And it is this sharing feature that is exploited by threat actors to spread malicious PDF files via phishing emails.įigure 1. Evernote notebooks can be shared within the platform and through public links.
0 kommentar(er)
