- Attackers abused Mimecast’s URL rewriting feature to hide malicious links in phishing emails.
- More than 40,000 emails were sent to more than 6,000 organizations, including in the consulting and technology sectors.
- The campaign bypassed filters globally, with most victims in the United States, although Mimecast says no vulnerability was involved.
Cybercriminals are abusing a legitimate feature of Mimecast to send convincing phishing emails to their victims, at scale.
This is according to cybersecurity researchers at Check Point, who claim to have seen more than 40,000 such emails sent to more than 6,000 organizations around the world, in just two weeks.
First, scammers would create messages that closely resemble email notifications from reputable brands (SharePoint, DocuSign, or other e-signature notices), paying attention to details such as logos, subject lines, and display names. Nothing in the messages stands out from routine notification emails.
Targeted consulting, technology and real estate
At the same time, they would create phishing landing pages that capture credentials or deliver malware. These URLs are wrapped behind one or more legitimate redirecting and tracking services, in this case – Mimecast.
Because this service rewrites links to route them through a trusted domain, attackers submit their malicious links so that the final email displays a Mimecast domain instead of the actual destination.
As a result, phishing emails manage to bypass email security solutions and filters and land directly in their victims’ inboxes.
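A defensive check for the wrapping described above, as an added example that is not from Check Point or Mimecast: it judges a link by where its redirect chain ends rather than by the rewriting-service domain shown in the email. All domains, the redirect table and the function names are constructed assumptions; in practice the table would be filled by a sandboxed resolver.

```python
from urllib.parse import urlsplit

# Assumption: hypothetical rewriting/tracking hosts; the page gives no real hostnames.
REWRITER_DOMAINS = {"rewrite.example", "track.example"}
# Assumption: destinations this organisation expects notification links to reach.
EXPECTED_DESTINATIONS = {"sharepoint.example", "esign.example"}

# Constructed sample data: the Location target each hop would return.
SAMPLE_REDIRECTS = {
    "https://rewrite.example/s/abc": "https://track.example/c?id=9",
    "https://track.example/c?id=9": "https://login-portal.invalid/signin",
    "https://rewrite.example/s/def": "https://sharepoint.example/doc/42",
}

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def is_under(hostname, domains):
    """True if hostname equals, or is a subdomain of, any listed domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)

def resolve_chain(url, redirects, max_hops=5):
    """Follow the redirect table hop by hop; stop on loops or the hop limit."""
    chain, seen = [url], {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def classify_link(url, redirects):
    """Verdict based on the final hop, never on the first (trusted) domain."""
    chain = resolve_chain(url, redirects)
    final = host(chain[-1])
    if is_under(final, REWRITER_DOMAINS):
        return "unresolved"            # still inside a wrapper: do not trust
    if is_under(final, EXPECTED_DESTINATIONS):
        return "expected"
    if is_under(host(chain[0]), REWRITER_DOMAINS):
        return "suspicious-wrapped"    # trusted wrapper, unexpected destination
    return "unknown-destination"

if __name__ == "__main__":
    for link in ("https://rewrite.example/s/abc", "https://rewrite.example/s/def"):
        print(link, "->", classify_link(link, SAMPLE_REDIRECTS))
```
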
Check Point says many sectors have been affected by this campaign, but a few – where the exchange of contracts and invoices is an everyday thing – have been particularly hard hit. These include consulting, technology and real estate. Other notable mentions include healthcare, finance, manufacturing, and government.
The majority of victims are in the United States (34,000), followed by Europe (4,500) and Canada (750).
Mimecast emphasized that this was not a vulnerability, but rather a legitimate feature that was being abused.
“The attacker campaign described by Check Point exploited legitimate URL redirection services to hide malicious links, not a vulnerability in Mimecast. The attackers abused trusted infrastructure – including Mimecast’s URL rewriting service – to hide the true destination of phishing URLs. This is a common tactic in which criminals exploit any recognized domain to evade detection.”
Via Cybernews