
Overview

Over the past two weeks, we observed a rise in phishing activity targeting Microsoft, Google, and Yahoo accounts. Attackers used techniques that sidestep corporate email protection, such as delivering links through non-email messenger apps and file-sharing tools. They also placed geographically targeted content in the URLs to make them more credible to their target organizations. Below are key highlights and examples.

Phishing URLs

Below is a list of phishing websites we discovered; we recommend adding these URLs to your threat intelligence feeds and blocklists.

  • office365[.]dicoveryeducation[.]com/learn/videos/b4e519a8-c021-463a-b1bd-3a5d94e356c/
  • yc[.]mangropo[.]ru/RRMXKEXBJGRwc1rxzs03tm6y?PYHYYCKWANKEAJBW
  • kyschools[.]hostingclouddocs[.]com/aFS2u/
  • earley[.]hostingclouddocs[.]com/luh0G/
  • voicemailreceived[.]surge[.]sh/
  • a5nip2p6bz[.]loclx[.]io/login[.]html
  • celeberatewwithus[.]de/johs/invite/Yahoo[.]html
  • page[.]sign-in[.]attack-securecurrently[.]50-6-205-107[.]cprapid[.]com/security-check/signin/pwd
  • zoomnetoffice[.]store
  • unblocker[.]chesse[.]ip-ddns[.]com/
  • 7f4f54-cloud[.]webnotifications[.]net/6448adaa99…

Microsoft Credential Harvesting Campaign

On February 5, a staff member at a Kentucky organization clicked a spearphishing link:

[Screenshot: Microsoft Credential Harvesting]

The link was hosted on Russian infrastructure, and its content suggests the use of a domain generation algorithm (DGA) to rapidly spin up and take down similar websites.

Between February 6 and February 13, six additional staff members at another organization in Kentucky fell victim to a similar phishing attack:

[Screenshot: Microsoft Credential Harvesting 2 KY Schools]

This attack included ‘kyschools’ in the domain to appear credible to school-affiliated users in the region. An additional instance was observed when a different staff member at the same organization clicked: earley[.]hostingclouddocs[.]com/luh0G/. The reference to a cloud-based file service suggests the attack likely used a fake document-sharing prompt to steal credentials.

Instagram Phishing Attacks

On February 9, a staff member at a Georgia organization clicked a phishing link impersonating Instagram:

[Screenshot: Instagram Phishing Feb 9]

This link was likely clicked inside Instagram’s native messenger app, placing it entirely outside the scope of traditional email security architecture.

Similar cases were observed in which personal Yahoo and Google accounts were targeted on work devices.

Yahoo Credential Harvesting

On February 12, a staff member at a Kentucky organization clicked a spearphishing link mimicking a Yahoo login page:

[Screenshot: Yahoo Credential Harvesting]

Five days later, the phishing page was still undetected on VirusTotal. On the same day, another phishing link targeting Yahoo users was clicked:

[Screenshot: Yahoo Phishing Zoomnet Office]

Google Account Phishing

On February 12, a phishing attack targeting Google accounts was clicked by a staff member in Kentucky:

[Screenshot: Google Phishing Feb 12]

The URL structure suggests an attempt to mimic a security alert or cloud-based notification, increasing the likelihood of engagement.

Suggested Actions

  • Block the specified domains on corporate firewalls and endpoint security solutions.
  • Increase awareness on credential phishing targeting personal applications like Instagram, Google, and Yahoo logins.
  • Enforce multi-factor authentication (MFA) on all corporate logins to reduce the risk of credential compromise.
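The first suggested action is easier to carry out when the defanged indicators above are turned into a host blocklist and matched against proxy or DNS logs. The script below is an added example, not Pixm's code: it refangs the report's own URLs (the truncated `webnotifications[.]net` entry is left out), extracts the hostnames, and checks a few constructed proxy log lines against them, matching subdomains of a listed host as well as exact hosts. The log format and `find_hits` helper are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from this report (the "..."-truncated entry is omitted).
REPORT_IOCS = [
    "office365[.]dicoveryeducation[.]com/learn/videos/b4e519a8-c021-463a-b1bd-3a5d94e356c/",
    "yc[.]mangropo[.]ru/RRMXKEXBJGRwc1rxzs03tm6y?PYHYYCKWANKEAJBW",
    "kyschools[.]hostingclouddocs[.]com/aFS2u/",
    "earley.hostingclouddocs.com/luh0G/",
    "voicemailreceived[.]surge[.]sh/",
    "a5nip2p6bz[.]loclx[.]io/login[.]html",
    "celeberatewwithus[.]de/johs/invite/Yahoo[.]html",
    "page[.]sign-in[.]attack-securecurrently[.]50-6-205-107[.]cprapid[.]com/security-check/signin/pwd",
    "zoomnetoffice[.]store",
    "unblocker[.]chesse[.]ip-ddns.com/",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a normal string.

    Handles the [.] / (.) / [dot] and hxxp conventions common in threat reports.
    """
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def extract_host(ioc: str) -> str:
    """Return the lowercase hostname of a (possibly scheme-less, defanged) URL."""
    s = refang(ioc)
    if "://" not in s:
        s = "http://" + s  # urlsplit needs a scheme to find the netloc
    return urlsplit(s).hostname.lower()


def build_blocklist(iocs):
    """Deduplicated, sorted list of hosts to block."""
    return sorted({extract_host(i) for i in iocs})


def host_is_blocked(host: str, blocklist) -> bool:
    """True if host equals a listed host or is a subdomain of one.

    Note: the report lists two subdomains of hostingclouddocs[.]com; whether to
    block the parent domain as well is a policy decision left to the reader.
    """
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocklist)


# Constructed sample proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = """\
2025-02-12T09:14:02Z 10.1.4.22 GET http://kyschools.hostingclouddocs.com/aFS2u/ 200
2025-02-12T09:15:10Z 10.1.4.23 GET https://login.microsoftonline.com/ 200
2025-02-12T09:16:44Z 10.1.4.22 POST https://www.zoomnetoffice.store/verify 302
2025-02-12T09:17:01Z 10.1.4.30 GET https://docs.google.com/ 200
"""


def find_hits(log_text: str, blocklist):
    """Return (client_ip, host) for every log line whose URL host is blocked."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crashing the sweep
        host = urlsplit(parts[3]).hostname
        if host and host_is_blocked(host, blocklist):
            hits.append((parts[1], host))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(REPORT_IOCS)
    print("Blocklist:", *bl, sep="\n  ")
    for client, host in find_hits(SAMPLE_LOG, bl):
        print(f"ALERT client={client} contacted blocked host {host}")
```

Subdomain matching matters because a user rarely reaches the exact host listed in a report; the constructed `www.zoomnetoffice.store` line shows a hit that an exact-match blocklist would miss.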

If you would like a demo of Pixm to learn more about our AI technology and how we can help protect your customers, sign up here.

Questions or Feedback

PIXM Threat Research Team
threats@pixmsecurity.com
