Pierluigi Paganini November 07, 2021

Threat actors are impersonating cybersecurity firm Proofpoint to trick victims into providing Microsoft Office 365 and Gmail credentials.

Cybercriminals are impersonating the cybersecurity firm Proofpoint to trick victims into providing Microsoft Office 365 and Google Gmail credentials. The phishing messages use mortgage payments as a lure, they have the subject “Re: Payoff Request.”

“The email claimed to contain a secure file sent via Proofpoint as a link.” reads the post published by Armorblox. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”

Upon clicking the email link embedded in the message, the victims are redirected to a splash page with Proofpoint branding.

The phishing message was sent from a legitimate individual’s compromised email account. The sender’s domain (sdis34[.]fr) was a department of fire rescue in Southern France.

Clicking on the Google and Office 365 buttons led the victims to specially crafted Google and Microsoft phising pages that asked for the victim’s credentials.

The phishing pages were hosted on the “greenleafproperties[.]co[.]uk” domain, which was updated in April 2021. The URL has currently redirected to ‘cvgproperties[.]co[.]uk.’

Below are the key findings for this campaign:

• Social engineering: The email title and content aimed to induce a sense of trust and urgency in the victims – a sense of trust because the email claimed to contain a file sent by Proofpoint, and a sense of urgency because it contained information on mortgage or other home-related activities.
• Brand impersonation: The email and landing page both spoof Proofpoint. The login pages for Google Workspace and Office 365 are also replete with the branding of the respective email providers.
• Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily lives (email notifications when files are shared online). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
• Using compromised email address: The email was sent from an individual’s compromised email account belonging to a French fire rescue department.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]