Information gained in lower-level attacks is used to ramp up and home in on higher-dollar targets. One stolen password may not correspond to a direct attack on the user, but that stolen password (and the information gained from the compromised account) could result in millions of dollars lost from that user’s employer years later.
Part of what makes this particular email so interesting is that it showcases just how multiple attack victims (likely accumulated by the cybercriminals over time and gained through different scams, phishes, and attacks) can be used to build bigger and more successful attacks. It is also part of a late-2020 trend: Microsoft is the most frequently mimicked brand in phishing attacks.
The resolution to this story is mixed.
Many users clicked to access their “Secure Message” and provided their login information to criminals. Not only was the sender’s account information stolen and used for the criminal’s own ends, but clearly the criminal (and their team) also performed a similar attack on the STEM site’s personnel to gain access to their website’s backend and, without alerting them, created the fake login honeypot.
The URL was eventually flagged for phishing and malicious activity, and many browsers now block access to that address, preventing further use of that particular trap. The client who encountered the phish had passwords reset by the Anderson Technologies team, and their accounts remain closely monitored.
But the question remains: Would you click?