Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters. Unfortunately I
can't share the exact example publicly without effectively recreating
the email, but here's a summary of what I'm finding.
* Victim email address domain without TLD in the From and Subject
headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would
be used)
* Message contains a link with the local-part of the victim's email
address as a subdomain (i.e., if victim's email address was
"jane.doe@widgetltd.com", the attacker host would appear as
"jane.doe.badactordomain.xyz"), as well as the full version of the
victim's email address base64 encoded as a query string value (using
the previous example,
http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0
)
Potentially interesting, but not necessarily distinctive:
* Examples I'm seeing have a nearly blank message, and an HTML
attachment with a JavaScript window.location.href redirect related to
the attacker URL.
* Attacker is leveraging SendGrid
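The two per-recipient indicators described above (recipient local-part as the leading subdomain of the link host, and the recipient address base64-encoded in the query string), plus the TLD-stripped domain in From/Subject, can be checked mechanically. This is an added example, not code from the original poster; the recipient address and URL are constructed from the post's own example, and the function names are my own.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample input, following the shape described in the post.
SAMPLE_RECIPIENT = "jane.doe@widgetltd.com"
SAMPLE_URL = "http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0"


def b64_tokens(text):
    """Yield the UTF-8 decoding of every run in `text` that is valid standard base64."""
    for m in re.finditer(r"[A-Za-z0-9+/]{8,}={0,2}", text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            # Not really base64 (bad alphabet/padding) or not text: skip it.
            continue


def personalised_url_indicators(recipient, url):
    """Return the set of indicator names that match this recipient/URL pair."""
    local, _, _domain = recipient.lower().rpartition("@")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = set()
    # 1. Recipient local-part reused as the leading subdomain label(s) of the
    #    link host, with a registrable domain still following it.
    remainder = host[len(local) + 1:]
    if host.startswith(local + ".") and "." in remainder:
        found.add("localpart_subdomain")
    # 2. Recipient address base64-encoded somewhere in the query string or path.
    for decoded in b64_tokens(parts.query + " " + parts.path):
        if decoded.lower() == recipient.lower():
            found.add("b64_recipient_in_query")
    return found


def domain_sans_tld_in_header(recipient, header_value):
    """True if the recipient's domain with its last label stripped (e.g. 'widgetltd'
    for widgetltd.com) appears as a whole word in a From or Subject header value.
    Note: multi-label public suffixes such as .co.uk would leave 'widgetltd.co'."""
    domain = recipient.lower().rpartition("@")[2]
    label = domain.rsplit(".", 1)[0]
    return re.search(rf"\b{re.escape(label)}\b", header_value, re.IGNORECASE) is not None
```

Running both checks over a message's recipient, its extracted URLs and its From/Subject values, and alerting when all three fire, gives a rule that keys on the personalisation itself rather than on a blockable host or address.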