A high-level executive at Outpost24, a Swedish company specializing in exposure management and identity security, recently fell victim to a sophisticated phishing attack, according to a report by Specops Software, a subsidiary of the company.
Advanced Phishing Techniques Employed
The attack used a newly identified phishing-as-a-service platform, known as Kratos, to build a multi-layered seven-step attack chain. The chain relied on legitimate services and layered infrastructure, which made it hard to detect and highly effective at deceiving the target.
The phishing email, which impersonated JP Morgan, was cleverly inserted into an ongoing email conversation to enhance its authenticity. The email urged the recipient to review and sign a document, increasing the likelihood of interaction.
Utilization of Legitimate Services
To ensure the email’s credibility, attackers employed two DomainKeys Identified Mail (DKIM) signatures, which allowed the email to pass DMARC authentication checks. The message contained a link to a document hosted on Cisco’s secure-web.cisco.com domain, which is a legitimate domain typically used for URL validation.
The email successfully bypassed Cisco’s Secure Email Gateway, as the redirect URL was hosted on Cisco’s own infrastructure. This setup allowed the phishing email to evade detection systems more easily.
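As an added example (not code from the Specops report or Outpost24), the following Python triage function checks the two signals this passage describes on a constructed message: whether the DMARC pass rests only on DKIM alignment with a sender domain unrelated to the displayed brand, and whether the link is wrapped by a URL-rewriting host such as secure-web.cisco.com. The rewritten-URL layout, the `.invalid` domains and the `REWRITE_HOSTS` set are assumptions.

```python
"""Added triage example (not code from the Specops report) for the signals described
above: a DMARC pass via DKIM alignment on a non-brand domain, and a link routed through
a URL-rewriting host. Only secure-web.cisco.com is real; the URL layout is assumed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlparse

REWRITE_HOSTS = {"secure-web.cisco.com"}  # hosts that wrap a destination URL (assumed list)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def dkim_domains(msg):
    """d= domain of every DKIM-Signature header; a message may carry several."""
    return [m.group(1).lower() for h in msg.get_all("DKIM-Signature", [])
            for m in [re.search(r"\bd=([^;\s]+)", h)] if m]

def aligned(from_domain, d):
    """Relaxed DMARC alignment: same domain or same organizational parent."""
    return d == from_domain or from_domain.endswith("." + d) or d.endswith("." + from_domain)

def embedded_target(url):
    """Heuristic: the real destination is the second URL inside a rewritten link."""
    decoded = unquote(url)
    starts = [m.start() for m in re.finditer(r"https?://", decoded)]
    return decoded[starts[1]:] if len(starts) > 1 else None

def triage(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dkim = dkim_domains(msg)
    findings = []
    if len(dkim) > 1:
        findings.append(f"multiple DKIM signatures: {dkim}")
    if any(aligned(from_domain, d) for d in dkim):
        # Alignment proves control of from_domain, not that it is the brand in the display name.
        findings.append(f"DKIM-aligned with {from_domain}; pass says nothing about the claimed brand")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if host in REWRITE_HOSTS:
            findings.append(f"link via {host} -> {embedded_target(url) or 'destination not recoverable'}")
    return {"from_domain": from_domain, "dkim_domains": dkim, "findings": findings}

# Constructed sample message; every domain except secure-web.cisco.com is a placeholder.
SAMPLE = """\
From: "JP Morgan Documents" <docs@example-sender.invalid>
Subject: Re: Agreement for signature
DKIM-Signature: v=1; a=rsa-sha256; d=example-sender.invalid; s=s1; h=from:subject; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example-esp.invalid; s=s2; h=from:subject; b=CONSTRUCTED
Content-Type: text/plain

Please review and sign: https://secure-web.cisco.com/REWRITE_TOKEN/https%3A%2F%2Fdocs.example-lure.invalid%2Fsign
"""
```

Running `triage(SAMPLE)` yields three findings: the double DKIM signature, the alignment on a domain that is not the impersonated bank, and the rewritten link with its recovered destination.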
Complex Redirection Chain
After the Cisco redirect, the target was sent to Nylas, a legitimate email API platform, a further hop that helped the link pass security checks. The attackers then routed the target through a series of legitimate domains, including one belonging to an Indian development company and another originally registered by a Chinese entity, which had been re-registered specifically for this campaign.
The final redirection led to phishing infrastructure concealed behind Cloudflare, where victims encountered a browser validation check, likely intended to thwart security analysis. Ultimately, a counterfeit Microsoft 365 login page was served, designed to harvest credentials.
Specops Software noted that this step was meticulously crafted, featuring animations mimicking Outlook and checks to verify the authenticity of email inputs. The site attempted to log in using the captured credentials to ensure their validity.
Implications and Attribution Challenges
This attack underscores the sophistication and complexity of modern phishing attempts targeting high-profile individuals. While Specops Software did not attribute the attack to any specific known threat actor, it noted similarities with tactics used by Iran-linked groups targeting US entities.
However, other hacking groups are known to employ similar strategies, making definitive attribution difficult. The incident highlights the evolving nature of phishing tactics and the need for continued vigilance in cybersecurity practices.
