IDENTIFYING BEC AND PHISHES
Examine the Sender
Depending on your email client, the full name and email address of the sender may or may not be immediately viewable. If you need to, click to expand the information displayed. Check that the name matches what you’d expect from this sender, and closely examine the email address for typos or gibberish.
In this case, everything looks to be on the up-and-up.
Check the Body Text
In the past, poor spelling and badly translated grammar were often easy giveaways that an email was a scam. Now, email scammers often smooth out these errors. If you know the supposed sender well, however, you may still be able to spot phrasing and word choices that just don’t fit.
This email doesn’t have a lot of text to go on, but one clue that might be missed on a quick look is that the sender’s name (anonymized here) is spelled just slightly wrong.
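As an added example (not code from the original article), the following Python check automates the two sender checks described above: it parses a From: header, compares the display name against a small allowlist of known contacts, and flags near-miss names, lookalike domains, and machine-generated-looking addresses. The contact list, names, and addresses are constructed for illustration.

```python
from email.utils import parseaddr
from typing import Dict, List

# Constructed allowlist: normalized display name -> domain that contact sends from
KNOWN_CONTACTS: Dict[str, str] = {
    "jane doe": "example-stem.org",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typos and lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_like_gibberish(token: str) -> bool:
    """Heuristic: a mailbox or domain label with no vowels at all, or mostly digits."""
    if len(token) >= 8 and not any(c in "aeiou" for c in token.lower()):
        return True
    return sum(c.isdigit() for c in token) > len(token) / 2

def check_sender(from_header: str, known: Dict[str, str] = KNOWN_CONTACTS) -> List[str]:
    """Return a list of red flags for a From: header; an empty list means nothing odd was found."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())
    local, _, domain = addr.lower().rpartition("@")
    flags: List[str] = []
    # 1. Display name: exact match, near-miss (a subtly misspelled name), or unknown sender
    if name in known:
        expected = known[name]
    else:
        near = [k for k in known if 0 < edit_distance(name, k) <= 2]
        if not near:
            return [f"unknown sender '{name}' <{addr}>"]
        flags.append(f"display name '{name}' is a near-miss for known contact '{near[0]}'")
        expected = known[near[0]]
    # 2. Sending domain: exact, lookalike (typosquat), or unrelated to the expected one
    if domain != expected:
        if 0 < edit_distance(domain, expected) <= 2:
            flags.append(f"domain '{domain}' is a lookalike of '{expected}'")
        else:
            flags.append(f"domain '{domain}' does not match expected '{expected}'")
    # 3. Mailbox or domain label that reads as random characters
    if looks_like_gibberish(local) or looks_like_gibberish(domain.split(".")[0]):
        flags.append(f"address '{addr}' looks machine-generated")
    return flags
```

Run `check_sender("Jane Doe <jane@examp1e-stem.org>")` to see the lookalike-domain flag; an exact match on both name and domain returns an empty list.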
Do Not Click
At this point, enough red flags have been raised to drop everything: forward the message to your IT team, flag it as spam/phishing, and give the sender a call to ask about the email and, in this case, to inform them that their account has been compromised.
If you were to click, you would be taken to a mock-up of an Office 365 login page. The graphics would be a little stretched, and the logo not quite right. If you did enter your login information on this page, you wouldn’t be taken to a secure message, but you WOULD have just handed your login and password to criminals, who would then repeat this scam with outgoing messages from your own account, putting all of your contacts at risk of the same fate.
Information gained in lower-level attacks is used to ramp up and home in on higher-dollar targets. One stolen password may not lead to a direct attack on the user, but that stolen password (and the information gained from the compromised account) could result in millions of dollars lost by that user’s employer years later.
Part of what makes this particular email so interesting is that it showcases just how multiple attack victims (likely accumulated by the cybercriminals over time and gained through different scams, phishes, and attacks) can be used to build bigger and more successful attacks. It is also part of a late-2020 trend: Microsoft is the most frequently mimicked brand in phishing attacks.
The resolution to this story is mixed.
Many users clicked to access their “Secure Message” and provided their login information to criminals. Not only was the sender’s account information stolen and used for the criminals’ own ends, but clearly the criminal (and their team) also performed a similar attack on the STEM site’s personnel to gain access to their website’s backend and, without alerting them, created the fake login page used to harvest credentials.
The URL was eventually flagged for phishing and malicious activity, and many browsers now block access to that address, preventing further use of that particular trap. The client who encountered the phish had passwords reset by the Anderson Technologies team and their accounts remain closely monitored.
But the question remains: Would you click?