- Crooks use links to encourage victims to click
- The links redirect victims to a fake Microsoft 365 landing page
- The campaign has lasted for at least two months
Cybercriminals are abusing Intermedia's link-wrapping service to bypass email protections, create convincing phishing emails and, ultimately, steal Microsoft 365 credentials. That is according to cybersecurity researchers from Cloudflare, who have been observing such campaigns in the wild for at least two months.
Proofpoint's link-rewriting service, known as URL Defense, protects users by rewriting every link in an incoming message so that it passes through the Proofpoint inspection gateway before reaching the real destination. When a person clicks a link in an email, it is evaluated in real time (including sandbox detonation and reputation checks), and access is granted only if the link is deemed safe.
But here is the catch: the original URL is embedded in the encoded, rewritten link (generally prefixed with "urldefense.proofpoint.com"), which, as a side effect, gives recipients a feeling of security and makes it more likely that they will actually click.
Active campaign
The cybercriminals have been seen creating new landing pages that imitate the Microsoft 365 login screen and, being new, are not yet flagged by security products. They then shorten the URLs of these pages using popular URL shorteners such as Bitly. The next step is to break into email accounts already protected by Proofpoint and use them to wrap the shortened URL.
The last step is to distribute the shortened and wrapped URL, often via the same email accounts that were compromised earlier.
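For mail triage, the embedded destination can be read back out of a wrapped link and checked for the shortener-inside-wrapper pattern described above. The following is an added example, not code from Cloudflare or Proofpoint; it assumes the publicly known v1/v2 `urldefense.proofpoint.com` encodings (the newer `urldefense.com/v3` format is not handled), and the shortener list and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumption: short illustrative list; extend with the shorteners seen in your own mail flow.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "is.gd"}

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xEXAMPLE&d=constructed",
    "https://urldefense.proofpoint.com/v1/url?u=https%3A%2F%2Fintranet.example.com%2Fdocs&k=constructed",
    "https://example.com/not-wrapped",
]


def unwrap_urldefense(link):
    """Return the URL embedded in a urldefense.proofpoint.com v1/v2 link, else None."""
    parts = urlsplit(link)
    if (parts.hostname or "").lower() != "urldefense.proofpoint.com":
        return None
    # Read the raw "u" parameter ourselves: parse_qs would turn "+" into a space.
    params = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    raw = params.get("u")
    if raw is None:
        return None
    if parts.path.startswith("/v1/"):
        return unquote(raw)  # v1: plain percent-encoding
    if parts.path.startswith("/v2/"):
        # v2: "-" stands for "%" and "_" for "/"; undo that, then percent-decode.
        return unquote(raw.translate(str.maketrans("-_", "%/")))
    return None


def triage(link):
    """Report what a wrapped link really points at and whether it hides a shortener."""
    inner = unwrap_urldefense(link)
    host = (urlsplit(inner).hostname or "").lower() if inner else None
    return {
        "wrapped": inner is not None,
        "inner_url": inner,
        "inner_host": host,
        "shortener_inside_wrapper": host in SHORTENERS,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

A wrapped link whose inner host is a shortener still hides its final destination, so it is a candidate for expansion in a sandbox before the message is released.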
Cloudflare says it has already seen several attacks, with crooks sending fake voicemail notification emails and fake shared documents from Microsoft Teams. Victims who do not spot the attack go through a chain of redirects, landing on a page that asks for their Microsoft 365 login credentials.
As a rule, links in emails should be carefully examined before being clicked, especially if the emails carry a sense of urgency.