Phishers are impersonating Proofpoint in an attempt to make off with victims’ Microsoft Office 365 and Google email credentials. One such campaign was lobbed at a communications company, with nearly a thousand employees targeted just within that one organization.
The email claimed to contain a secure file sent via Proofpoint as a link. Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.
The email lure was a file purportedly linked to mortgage payments. The subject line, “Re: Payoff Request,” was geared to fool targets into thinking it was part of ongoing correspondence, which adds an air of legitimacy while also lending urgency to the proceedings.
Adding ‘Re’ to the email title is a tactic we have observed scammers using before. When users clicked on the “secure” email link embedded in the message, they were taken to the splash page with Proofpoint branding and the login spoofs.
Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft respectively. Both flows asked for the victim’s email address and password.
The email was sent from a compromised but legitimate email account belonging to a fire department in Southern France. This helped the phish evade detection by Microsoft’s native email security filters, which marked the emails with a spam risk level of “1,” that is, not spam. The phishing pages were hosted on the “greenleafproperties[.]co[.]uk” parent domain.
The domain’s WHOIS record shows it was last updated in April 2021. The URL currently redirects to ‘cvgproperties[.]co[.]uk,’ possibly a dummy site.
Attacks like these use social engineering, brand impersonation and legitimate infrastructure to bypass traditional email security filters and users’ eye tests. To protect against such campaigns:
- Be aware of social engineering:
- Shore up password hygiene:
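
Because the lure came from a compromised but legitimate mailbox, sender reputation was of little use here; two content signals described above (a “Re:” subject with no thread behind it, and a security-vendor brand name paired with a link to an unrelated domain) can still be checked mechanically. The following is an added example, not code from the original article or from any vendor; the brand allow-list, the finding names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: brand -> domains that brand legitimately links to (illustrative only).
BRAND_DOMAINS = {"proofpoint": ("proofpoint.com",)}
REPLY_PREFIX = re.compile(r"^\s*re\s*:", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def score_message(raw):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    findings, subject = [], msg.get("Subject", "")
    # A genuine reply carries In-Reply-To and/or References; a bare "Re:" does not.
    if REPLY_PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply-prefix-without-thread")
    body = " ".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text"
    )
    text = (subject + " " + body).lower()
    hosts = {(urlsplit(u).hostname or "").lower() for u in URL.findall(body)}
    for brand, domains in BRAND_DOMAINS.items():
        # Brand is named in the message, yet a link points somewhere else entirely.
        off_brand = sorted(h for h in hosts if h and not host_matches(h, domains))
        if brand in text and off_brand:
            findings.append(f"brand-mismatch:{brand}->{off_brand[0]}")
    return findings

# Constructed sample modelled on the lure described in the article.
LURE = """\
From: sender@example.org
Subject: Re: Payoff Request

A secure file was sent to you via Proofpoint.
View it here: https://files.example.net/secure/view
"""
# Constructed sample of a genuine threaded reply.
REPLY = """\
From: colleague@example.com
Subject: Re: Payoff Request
In-Reply-To: <abc123@example.com>

Figures attached as discussed.
"""
if __name__ == "__main__":
    print(score_message(LURE), score_message(REPLY))
```

Either finding alone is a weak signal (some mail clients drop threading headers), so treat them as inputs to triage rather than a verdict.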