New phishing campaign targets enterprise cloud services
Campaign impersonates help desk software to try and steal enterprise cloud credentials
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A new phishing campaign which impersonateshelpdesk softwareto try and steal login credentials from enterprise cloud services includingMicrosoftAzure, Microsoft Dynamics and IBM Cloud has been observed in the wild.
As reported byBleepingComputer, the news outlet recently analyzed phishing messages from the campaign to find that they use similar wording to real IT helpdesk services while pretending to be from a site called “servicedesk.com”.
The emails used in the campaign imitate a “quarantined mail” notification, which are sent out by security products and spam filters, and asks the recipient to “release” messages stuck in the queue. While the address listed in the email makes it appear the message comes from “noreply@servicedesk.com”, the attackers actually sent their phishing messages through “cn.trackhawk.pro” which served as an intermediary domain.
In an effort to more easilybypass email filters, the service desk domain is used in both the from and received header of the campaign’s phishing emails. This means that the attackers either compromised servicedesk.com’s mail servers or they injected the text “Received: form servicedesk.com” into the header to appear more credible.
Enterprise cloud services
The cybercriminals behind this new phishing campaign used IBM Cloud Hosting, Microsoft Azure and Microsoft Dynamics to host their landing pages in order to make them appear more legitimate. Additionally domains hosted on Azure or IBM cloud also get freeSSL certificatescontaining these companies' names which also helps improve the campaign’s legitimacy.
After opening one of these phishing emails, a user will see two buttons labeled “RELEASE MESSAGES” and “CLEAN-UP CLOUD”. When a user clicks on one of these buttons, it will bring them to a legitimate Microsoft Dynamics 365 URL. This URL then redirects them to an IBM Cloud domain that is used to host the phishing landing page.
If a user enters aweak password, the landing page will give them a “wrong password!!” error. However, entering a long and complex password redirects the user to another fake page confirming the settings update host on Azure’s hosting domain, windows.net. This malicious page then redirects the user to a website linked to their email address domain.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
This new phishing campaign is particularly dangerous because once a user gives up their enterprise cloud credentials, an attacker can gain access to their organization’s corporate network.
ViaBleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
5 must-have Android apps
