Experts spotted a phishing campaign impersonating security firm Proofpoint

Threat actors are impersonating cybersecurity firm Proofpoint to trick victims into providing Microsoft Office 365 and Gmail credentials.

Cybercriminals are impersonating the cybersecurity firm Proofpoint to trick victims into providing Microsoft Office 365 and Google Gmail credentials. The phishing messages use mortgage payments as a lure, they have the subject “Re: Payoff Request.”

“The email claimed to contain a secure file sent via Proofpoint as a link.” reads the post published by Armorblox. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”

Upon clicking the email link embedded in the message, the victims are redirected to a splash page with Proofpoint branding.

The phishing message was sent from a legitimate individual’s compromised email account. The sender’s domain (sdis34[.]fr) was a department of fire rescue in Southern France.

Clicking on the Google and Office 365 buttons led the victims to specially crafted Google and Microsoft phising pages that asked for the victim’s credentials.

The phishing pages were hosted on the “greenleafproperties[.]co[.]uk” domain, which was updated in April 2021. The URL has currently redirected to ‘cvgproperties[.]co[.]uk.’

Below are the key findings for this campaign:

Social engineering: The email title and content aimed to induce a sense of trust and urgency in the victims – a sense of trust because the email claimed to contain a file sent by Proofpoint, and a sense of urgency because it contained information on mortgage or other home-related activities.
Brand impersonation: The email and landing page both spoof Proofpoint. The login pages for Google Workspace and Office 365 are also replete with the branding of the respective email providers.
Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily lives (email notifications when files are shared online). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
Using compromised email address: The email was sent from an individual’s compromised email account belonging to a French fire rescue department.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.