A record spearphishing surge continued into the second half of March, particularly attacks on Microsoft and Outlook credentials delivered via fileshare platforms like SharePoint, OneDrive and Green Envelope. Phishing campaigns targeting users of financial services like PayPal, American Express, Chase Bank and Capital One also continued their trend. We saw a number of additional brands targeted, like Netflix, but the standout was a viral Instagram phishing scheme. Below are some examples and highlights.
Here are examples of phishing websites that we discovered. We recommend updating your threat intelligence with these URLs.
On March 17, a staff member at a California organization clicked the Outlook spearphish below, which was shared with them via OneDrive.
As is often the case, links clicked outside the purview of corporate email routinely evade the traditional phishing security ecosystem.
A similar Outlook phishing link was clicked by an employee of a Texas organization, this time via Green Envelope, an online invitation platform.
The period saw a record surge in similar attacks via various message-sharing applications outside of email. A few highlights are below, targeting users in Texas, Florida and Kentucky.
Standing out was an Instagram phishing attack that was clicked by a staff member at a Kentucky organization.
The attack follows a reported “voting scam” pattern, where compromised Instagram accounts send messages to contacts to “vote for them for a Google online influencer competition” (source).
Like other social media campaigns we have tracked, this one spread virally via Instagram’s native messenger app, again outside the scope of traditional email protection. The hacker further used legitimate hosting infrastructure to launch the attack.
The same period extended the trend of phishing attacks on financial services, including PayPal “vishing” and stealthy Chase Bank phishing.
The PayPal phishing links included tracking parameters in the URL, suggesting they were actually clicked in Google Ad campaigns.
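One way to triage clicked URLs for the pattern described above, as an added example that is not Pixm's code. The report does not name the parameters it observed, so the Google Ads click identifiers checked here (`gclid`, `gbraid`, `wbraid`, `gad_source`) are an assumption, and the brand domain list and sample URLs are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Google Ads click identifiers (assumed set; the report does not list the
# parameters it observed).
AD_CLICK_PARAMS = {"gclid", "gbraid", "wbraid", "gad_source"}
# Hypothetical list of registered domains that legitimately serve each brand.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}


def ad_click_markers(url):
    """Return the sorted ad-click parameter names present in a URL's query."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in AD_CLICK_PARAMS)


def triage(url, brand):
    """Classify one clicked URL from a web proxy log for analyst review."""
    host = (urlsplit(url).hostname or "").lower()
    legit = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])
    # Crude heuristic: the brand name appears in the URL but the host is not
    # one of the brand's own domains.
    off_brand = brand in url.lower() and not legit
    markers = ad_click_markers(url)
    if off_brand and markers:
        verdict = "review: brand lookalike reached through a paid ad click"
    elif off_brand:
        verdict = "review: brand lookalike, delivery vector unknown"
    else:
        verdict = "ok"
    return {"host": host, "markers": markers, "verdict": verdict}


# Constructed sample URLs (example.* hosts and click ids are made up).
SAMPLE_CLICKS = [
    "https://www.paypal.com/signin?gclid=TEST123",
    "https://paypal-help.example.net/support?gclid=TEST456&gad_source=1",
    "https://billing.example.org/paypal/login",
]

if __name__ == "__main__":
    for u in SAMPLE_CLICKS:
        print(triage(u, "paypal"))
```

A hit on an ad-click marker says how the user arrived, not that the page is malicious, so the verdict is a prompt for review rather than a block decision.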
If you would like a demo of Pixm to learn more about our AI technology and how we can help protect your customers, sign up here.
Questions or Feedback
PIXM Threat Research Team