Hackers have unleashed a new phishing campaign that uses overlay screens and email ‘quarantine’ policies to steal Microsoft Outlook credentials.
Security researchers from Cofense have discovered a new phishing scam in which hackers use the overlay screens on legitimate websites to lure their victims into revealing their Microsoft Outlook credentials. These credentials are then used by hackers for malicious purposes.
In a blog post on Friday, Cofense explained that this phishing scam specifically targets enterprise Microsoft Outlook credentials and leverages email-quarantine policies, using an overlay screen on top of legitimate company webpages to lure in victims.
Cofense discovered the new campaign when hackers successfully targeted an unnamed company. The phishing emails were carefully crafted clones of the official technical-support team email of the employee’s company, with “Support” in the sender title and “Action Required” in the subject line. The emails claimed that the company’s email-security service had quarantined three valid email messages, blocking them from entering the inbox. The emails pushed victims into believing that the phishing emails that landed in the quarantine inbox were safe.
The quarantine folder temporarily stores emails that are suspected to be spam. They can then be reviewed and retrieved if necessary. While not a new lure for attackers, it proves to be effective, particularly in an enterprise environment where employees fear the impact of missed communications, researchers said.
The initial email said the company’s email system “failed to process new messages in the inbox folder,” and “two valid email messages have been held and quarantined for deletion.” It asked the target to review the messages and recover their lost mail in the inbox folder, or they would be automatically deleted after three days.
The victim unsuspectingly retrieves the quarantined email and clicks on the link, only to be presented with the employee’s legitimate company website with an Outlook email login screen. While the company webpage is legitimate, Cofense researchers found that attackers had added an overlay screen with the credential request. The fake login panel said the employee’s Outlook sign-in had timed out and asked them to input their credentials.
The quarantined email has only one big red flag: When a target hovers the mouse over the link in the email, “Review Messages Now,” it shows a suspiciously long URL.
Upon further analysis, researchers found that the phishing links used specific parameters to determine which webpage to pull, and then deployed the fake login panel overlay on top. Depending on what company the threat actor is targeting, the link populates the address of the original recipient of the email.
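The two tells described above, a suspiciously long link and parameters that carry the recipient's address and the page to pull, can be turned into a mail-gateway heuristic. The sketch below is an added example, not Cofense's code: the length threshold, finding labels, base64 handling and sample URLs are assumptions constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

MAX_URL_LEN = 120  # assumed cut-off for a "suspiciously long" link

def _decodings(value):
    """Yield the raw value and, when it decodes to text, its base64 decoding."""
    yield value
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.urlsafe_b64decode(padded).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return

def link_findings(url, recipient, trusted_domains):
    """Return the set of heuristic findings for one link in a delivered email."""
    recipient = recipient.lower()
    org_domain = recipient.rsplit("@", 1)[1]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = set()
    if len(url) > MAX_URL_LEN:
        findings.add("long_url")
    if not any(host == d or host.endswith("." + d) for d in trusted_domains):
        findings.add("untrusted_host")
    # Inspect every query value and the fragment, plain and base64-decoded.
    values = [v for _, v in parse_qsl(parts.query)] + [parts.fragment]
    for value in values:
        for text in _decodings(value):
            text = text.lower()
            if recipient in text:
                findings.add("recipient_in_url")   # link is personalised to the target
            elif org_domain in text:
                findings.add("org_site_in_param")  # parameter names the page to pull
    return findings

def is_suspicious(url, recipient, trusted_domains):
    """Flag links on an untrusted host that embed the recipient or their company site."""
    found = link_findings(url, recipient, trusted_domains)
    return "untrusted_host" in found and bool(
        found & {"recipient_in_url", "org_site_in_param"})

# Constructed sample links (not taken from the campaign).
_B64 = base64.urlsafe_b64encode(b"alice@corp.example").decode()
SAMPLE_PHISH = ("https://files.hosting-placeholder.example/view/index.html"
                "?site=https%3A%2F%2Fwww.corp.example%2F&user=" + _B64
                + "&t=" + "a" * 80)
SAMPLE_BENIGN = "https://mail.corp.example/quarantine?id=42"
```

Run against links extracted from delivered mail, the findings set makes a reasonable triage signal; the length check on its own is noisy, so the verdict relies on the personalisation findings combined with an untrusted host.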