
Phishing campaign using email address to personalize URL
Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters. Unfortunately I
can't share the exact example publicly without effectively recreating
the email, but here's a summary of what I'm finding.

* Victim email address domain without TLD in the From and Subject
headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would
be used)
* Message contains a link with the local-part of the victim's email
address as a subdomain (i.e., if victim's email address was
"jane.doe@widgetltd.com", the attacker host would appear as
"jane.doe.badactordomain.xyz"), as well as the full version of the
victim's email address base64 encoded as a query string value (using
the previous example,
http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0
)

Potentially interesting, but not necessarily distinctive:

* Examples I'm seeing have a nearly blank message, and an HTML
attachment with a JavaScript window.location.href redirect related to
the attacker URL.
* Attacker is leveraging SendGrid
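Detection logic for the three personalization signs described above, written as an added example for this thread (it is not code from the poster, from SpamAssassin or from any other project). The message values it is run against are constructed from the widgetltd.com / badactordomain.xyz examples in the post; the "noreply" sender local-part is an assumption.

```python
import base64
import re
from urllib.parse import urlsplit


def b64_variants(text: str) -> set[str]:
    """Standard and URL-safe base64 of text, with and without '=' padding."""
    raw = text.encode()
    out = set()
    for enc in (base64.b64encode(raw), base64.urlsafe_b64encode(raw)):
        s = enc.decode()
        out.update({s, s.rstrip("=")})
    return out


def url_indicators(url: str, recipient: str) -> dict:
    """Which of the two URL signs from the post are present for this recipient."""
    local, _, domain = recipient.lower().rpartition("@")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Sign 1: recipient's local-part reused as the leading subdomain of a host
    # that is NOT under the recipient's own domain (jane.doe.widgetltd.com is fine).
    local_subdomain = host.startswith(local + ".") and not host.endswith("." + domain)
    # Sign 2: the full address, base64-encoded, anywhere in the path or query.
    # In the sample it sits as a bare query key followed by "/0", so search the raw string.
    haystack = parts.path + "?" + parts.query
    encodings = b64_variants(recipient) | b64_variants(recipient.lower())
    b64_address = any(v in haystack for v in encodings)
    return {"local_part_subdomain": local_subdomain, "b64_address_in_url": b64_address}


def header_indicator(header_value: str, recipient: str) -> bool:
    """Sign 3: recipient's domain minus its TLD ('Widgetltd') used as a word in From/Subject.
    Assumes a single-label TLD (widgetltd.com -> widgetltd)."""
    domain = recipient.lower().rpartition("@")[2]
    org = domain.rsplit(".", 1)[0]
    pattern = r"(?<![a-z0-9])" + re.escape(org) + r"(?![a-z0-9])"
    return re.search(pattern, header_value.lower()) is not None


def personalization_hits(recipient: str, from_hdr: str, subject: str, urls: list) -> int:
    """Count how many of the post's signs fire across the headers and every body URL."""
    hits = sum(header_indicator(h, recipient) for h in (from_hdr, subject))
    for u in urls:
        hits += sum(url_indicators(u, recipient).values())
    return hits


# Constructed sample message matching the shape described in the post.
SAMPLE_RECIPIENT = "jane.doe@widgetltd.com"
SAMPLE_FROM = '"Widgetltd Support" <noreply@badactordomain.xyz>'   # noreply@ is assumed
SAMPLE_SUBJECT = "Widgetltd: action required"
SAMPLE_URLS = ["http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0"]

if __name__ == "__main__":
    print(personalization_hits(SAMPLE_RECIPIENT, SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_URLS))
```

A mail-filter rule would normally only have the envelope recipient available, so run the checks per recipient on multi-recipient messages.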
Re: Phishing campaign using email address to personalize URL
On 2021-02-23 20:51, Ricky Boone wrote:

> * Examples I'm seeing have a nearly blank message, and an HTML
> attachment with a JavaScript window.location.href redirect related to
> the attacker URL.
> * Attacker is leveraging SendGrid

I have a local clamav signature to catch the HTML attachment.

Inspiration from the foxhole signatures; this is very simple to block.
Re: Phishing campaign using email address to personalize URL
On Tue, 23 Feb 2021, Ricky Boone wrote:

> Seeing an interesting phishing campaign that appears to be
> personalizing components of the message and URL endpoints to
> potentially get around blacklists and other filters. Unfortunately I
> can't share the exact example publicly without effectively recreating
> the email, but here's a summary of what I'm finding.
>
> * Victim email address domain without TLD in the From and Subject
> headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would
> be used)
> * Message contains a link with the local-part of the victim's email
> address as a subdomain (i.e., if victim's email address was
> "jane.doe@widgetltd.com", the attacker host would appear as
> "jane.doe.badactordomain.xyz"), as well as the full version of the
> victim's email address base64 encoded as a query string value (using
> the previous example,
> http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0
> )

That shouldn't be too hard to write rules for. Again, whether or not there
are any examples in the masscheck corpora controls whether or not the rule
will be scored and published (unless we manually push it).

> Potentially interesting, but not necessarily distinctive:
>
> * Examples I'm seeing have a nearly blank message, and an HTML
> attachment with a JavaScript window.location.href redirect related to
> the attacker URL.

Another spam sign.

> * Attacker is leveraging SendGrid

What sender ID? (the numeric and punctuation part of the envelope from
address)

Are you using the abusive sendgrid user plugin or my download-based rule
generator?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XI: Everything is air-droppable at least once.
-----------------------------------------------------------------------
269 days since the first private commercial manned orbital mission (SpaceX)