Malicious actors commonly impersonate trusted brands in their phishing campaigns to lend credibility to their messages. In fact, over 51% of phishing attempts impersonated one of the 20 largest global brands. The latest research now shows how these cybercriminals are stepping-up their game — no longer just impersonating brands but leveraging legitimate services from those brands to deliver their payload.
The 2023 Phishing Threats Report shows this increase in phishing emails leveraging legitimate services provided by brands like LinkedIn and Baidu to send malicious links. Malicious actors have been using these services as redirects to their malicious websites in attempts to steal user credentials. This is in addition to utilizing legitimate email delivery services such as Sendgrid.
While the specific lure used in these campaigns can vary, a majority of phishing attempts were impersonating DocuSign using images like the below — in this particular instance, the attacker used sent an email with the subject line ‘Document shared for 552 Friday-August-2023 07:07 AM’.
Figure 1: PNG used in DocuSign impersonation email
As depicted above, the malicious actor used a PNG image of a seemingly legitimate DocuSign request that was hyperlinked to this popular Chinese search engine, Baidu:
which redirects to: hxxps://sfsqa[.]com/284aa1d677ad550714e793de131195df64e907d378280LOG284
The sender used a legitimate business domain; @ciptaprimayoga.com which appears to be an Indonesian battery company who was likely compromised. Using a legitimate domain allows the attacker to bypass security measures that look at the age of the domain, i.e. the creation date as part of its mitigation process.
Once the link is clicked, the recipient’s company via URL path is automatically represented on a customized Microsoft login page.
As part of our research, we clicked on the malicious link and a custom Cloudflare login page dynamically loaded the company logo and background image of the famous Cloudflare lava lamp wall.
Figure 2: Spoofed Microsoft credential phish using Cloudflare branding
After inputting credentials, which are harvested by the attacker — the website then redirects to Office.com.
Another commonly used service being abused for phishing emails is SendGrid as shown in the image below, where this email marketing company is being leveraged to send PayPal phone scams. Using SendGrid allows malicious actors to bypass traditional email security methods, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) and lend credibility to their campaigns.
Figure 3: PayPal phone scam sent using SendGrid
This and similar scams attempt to get users to call the phone number listed that is routed to a call center where malicious actors are waiting to convince victims to install malware and steal bank information over the phone.
89% of email authentication doesn’t stop threats. With phishing tactics ever increasing and making their way into users' inboxes, it is more important than ever to reinforce cyber resilience into company culture and secure your organization against email-based threats.
Cloudflare Email Security uses advanced machine learning and Artificial Intelligence to uncover new tactics malicious actors are using to bypass traditional security and cloud email providers in real time. Request a free phishing risk assessment to see which phishing attacks your current email security systems may be letting through.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Get the 2023 Phishing Threats Report for complete findings on recent trends and recommendations for preventing successful attacks.
Threat Response Engineer, Cloudflare
After reading this article you will be able to understand:
Legitimate services are being used to send malicious payloads
89% of email authentication doesn’t stop threats
How preemptive email security uncovers new tactics that bypass traditional security