Phishing Email Alerts
Catch of the Day: IONOS Phish
Chef’s Special: MS Consent Phish
Examples of clever phish that made it past my spam filters and into my Inbox, or from clients, or reliable sources on the Internet.
I would be delighted to accept suspicious phishing examples from you. Please forward your email to firstname.lastname@example.org.
My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.
IONOS Phishing Attack
Here’s a phishing email that is allegedly from my web and email host that suggests I may be experiencing some sort of service interruption. The sending email address is obviously wrong for IONOS.
The Click Here link resolves to http://www.mail.ionos–email@example.com, which redirects to https://38-ww-6-z-5-cvtvxkp-4-h-8-pkghb-5-y-2-wd-1-wjmkqvoze.glitch.me/MvEuy9wLJPsscxmR6wvs-GiizYXnZiGwVj6XFFKJe-gil1lud6L7jd24WBwfpA-uqmWF3MZkYWlXAPjqaxu-g7bzukjJs43m8Bjshpl1.html?%24web_only=true&_branch_match_id=1017164317907915721&utm_medium=marketing&_branch_referrer=H4sIAAAAAAAAA8soKSkottLXz64yTikwLkmsyDZPtywwyc0vSC%2FQSywo0MvJzMvWT9XPjcww9rfwNUzPSwIAoi6t2TMAAAA%3Dfirstname.lastname@example.org
The use of ionos in the original URL disguises the actual domain of bob.maxhairfiber.com. The redirection goes to glitch.me. VirusTotal found these domains to be clean, at least on the first day.
Here is the landing page
This is a typical credential stealing exploit.
Rather than steal your user’s credentials, this latest attack takes the OAuth route to gain access to the victim’s mailbox. This gives cybercriminals continual access, regardless of whether the user is logged on or not.
We’ve seen a number of these kinds of phishing attacks over the last 12 months targeting mailbox access within Microsoft 365 and even posing as Coinbase. If you’re not familiar with these attacks, rather than trick the phishing victim into providing their Microsoft 365 credentials (which can easily be reset), the attack poses as a legitimate app and asks for application access to your mailbox (for reference, Outlook Mobile does this to facilitate continual access for your mobile phone to access your Microsoft 365 mailbox).
In a recent tweet from Microsoft Security Intelligence, a new App – simply entitled “Upgrade” – was identified asking for OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. It’s also noted that suspicious Inbox Rules are created by this access and appear to exfiltrate emails.
The pivotal point where the attack can be stopped is when the malicious app is asking for access. Educating users would help ensure they are aware that – other than something like Outlook Mobile or another legitimate application – no unexpected phishing email EVER needs access to their mailbox.