A C-level executive at Swedish exposure management and identity security firm Outpost24 was targeted in a sophisticated phishing attack, the company’s subsidiary Specops Software reports.
The attack, likely mounted with a recently identified phishing-as-a-service kit named Kratos, relied on a seven-step chain that leveraged layered infrastructure and legitimate services to evade detection and deceive the recipient.
The phishing message, impersonating financial services provider JP Morgan, appeared as if part of an existing email thread to increase its sense of legitimacy, and invited the recipient to review and sign a document.
Furthermore, the attackers used two DomainKeys Identified Mail (DKIM) signatures to ensure the email would pass DMARC authentication and appear trustworthy.
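DMARC passes when any valid DKIM signature's d= domain aligns with the domain in the From header, which is why a message can carry several signatures; a pass therefore proves only that the sender controls the From domain, not that it is the brand named in the display name. The check below, an added illustration (not code from Specops, Outpost24 or the reported incident), parses a constructed message with two DKIM-Signature headers and reports which of them align with the From domain; the domains and tag values are made up.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, not the real phishing email: the display name claims a
# well-known brand, while the From domain and both DKIM d= domains are unrelated.
RAW_MESSAGE = """\
From: "JP Morgan Document Services" <docs@example-mailer.test>
To: exec@example.test
Subject: RE: Document for review
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.test; s=s1; h=from:to:subject; bh=abc; b=def
DKIM-Signature: v=1; a=rsa-sha256; d=example-mailer.test; s=k1; h=from:to:subject; bh=abc; b=ghi

Please review and sign the attached document.
"""

def org_domain(domain):
    # Crude organizational-domain reduction (last two labels); production code
    # should use the Public Suffix List for relaxed DMARC alignment.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    # Collect the d= tag of every DKIM-Signature header; a message may carry several.
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        parts = (p.strip() for p in sig.replace("\n", "").split(";"))
        tags = dict(p.split("=", 1) for p in parts if "=" in p)
        if "d" in tags:
            found.append(tags["d"].strip().lower())
    return found

def analyze(raw):
    # Return the From domain, all signing domains, and those that satisfy
    # DMARC identifier alignment (strict match or same organizational domain).
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg["From"])
    from_domain = addr.rsplit("@", 1)[-1].lower()
    signers = dkim_domains(msg)
    aligned = [d for d in signers
               if d == from_domain or org_domain(d) == org_domain(from_domain)]
    return {"display_name": display_name, "from_domain": from_domain,
            "dkim_domains": signers, "aligned": aligned,
            "dmarc_dkim_alignment": bool(aligned)}

if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
```

The second signature aligns, so DKIM-based DMARC evaluation passes even though nothing ties example-mailer.test to the brand in the display name; display-name and domain mismatch is a separate check that DMARC does not perform.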
Within the message, the attackers included a ‘review document’ link pointing to the legitimate Cisco domain secure-web.cisco.com, which is typically used for rewriting URLs in emails after they have been validated by Cisco.
Because the link had already passed Cisco’s Secure Email Gateway validation, the rewritten redirect URL was hosted on Cisco’s own infrastructure, which further helped the phishing email bypass detection systems.
The next step in the chain involved a redirection to the legitimate email API platform Nylas, which was likely used to ensure that the phishing link would redirect through Cisco Secure Web infrastructure.
“By chaining redirects through legitimate services such as Cisco and Nylas, the attackers increase the likelihood that the link will pass security filtering and reputation checks. These domains are widely trusted and commonly observed in legitimate traffic, which makes automated blocking more difficult,” Specops notes.
Next, the target was redirected to a subdomain on the website of a legitimate development company based in India, and then to a domain that was originally registered in 2017 by a Chinese entity.
The domain’s previous TLS certificate expired on March 6, the associated DNS records were released shortly after, and the domain was re-registered on March 12, with several new TLS certificates issued for it the same day.
“The timing strongly suggests the domain was reacquired and repurposed specifically for this campaign,” Specops notes.
The user was redirected once again, this time to phishing infrastructure that was deployed behind Cloudflare to hide its origin server. At this stage, the victim was served a browser validation check, likely meant to prevent security analysis.
Finally, the victim would be served a convincing phishing page meant to harvest Microsoft 365 credentials.
“Like the rest of the attack chain, this step is also carefully constructed, from a fake loading animation imitating Outlook to a check that validates whether the user input is actually an email. As the final step, the site attempts a legitimate login to verify that the captured credentials are valid,” Specops explains.
The cybersecurity firm confirmed to SecurityWeek that the individual targeted in this attack was a C-level executive at its parent company Outpost24, underlining the sophistication of the attack.
Specops did not attribute the incident to a specific threat actor but noted that the modus operandi aligns perfectly with that of Iran-linked threat actors that recently targeted various entities in the US.
On the other hand, the firm said, other hacking groups have been observed employing similar tactics, and attribution remains elusive.