Threat Insights 0x27: A Smuggler’s Tale

Smuggling credentials out

This phishing email aims to masquerade as a sales contract that a client has supposedly requested. It pressures the recipient to make necessary corrections and verify all details prior to processing the payment, creating a sense of urgency to entice the recipient into opening the attached files.

When opened, the HTML attachment builds a "Adobe Cloud Storage" credential harvesting form hosted on the recipient’s local machine. Entering a password and clicking “View” will send the login credentials to a third-party server controlled by bad actors.

Password expiration

This email deceptively claims to originate from the recipient's email service provider, urging them to click a link to prevent their mailbox from being deactivated within 48 hours due to an expired password.

However, the link actually directs them to a phishing site aimed at stealing their credentials.

DocuSign impersonation

This deceptive email is crafted to look like it’s from DocuSign, suggesting that the recipient has a document that is ready for their examination.

However, clicking the "Preview Document" button leads them to a malicious site designed to harvest their login information.

IOCs

Keep up with threat insights

Threat Insights is a weekly series where we present you with analysis from samples we collect. Follow us on social media for the latest feed and cybersecurity content. Stay informed and stay safe!

Get more insights like this