Security Alerts: Phishing Campaign Targets Executives' Office 365 Accounts

Monday, Aug 10, 2020

Details were released regarding an ongoing phishing campaign that targets the Office 365 accounts of business executives to steal login credentials. Security researchers identified the threat actors, dubbed “Water Nue,” as having targeted business executives at over 1,000 companies across the world since March 2020. The threat actors primarily target the accounts of financial executives to obtain credentials that can be used for further financial fraud. They use cloud-based email distribution services such as SendGrid to deliver emails that contain a malicious link and pretend to be from a voicemail service. When victims click the link, they are redirected to a cloned Office 365 sign-in page. Once the credentials are entered, the account information is sent to the threat actors through a PHP script.

In July 2020, researchers observed a phishing email sent to a C-level executive and identified that the base domain URL used by the threat actors is U10450540[.]ct[.]sendgrid[.]net, with the final URL identified as “getting-panes[.]sfo2.” Additionally, “Swiftme,” possibly a reference to electronic or wire transfers, appears in the phishing email headers and is accompanied by account names with forged company email domains. According to researchers, the BEC mail sample that was obtained uses the same unspecified IP address that is used in the campaign. At the time of writing, the phishing campaign has collected more than 800 credentials from different company executives, and the threat actors switch to new infrastructure when the domain names in use get reported or blacklisted on the targeted systems.

Nuspire recommends organizations use the following mitigations to help defend against the aforementioned campaign.

– Provide phishing and social engineering training to the employees

– Use reputable, Next-Gen antivirus solutions

– Maintain up-to-date antivirus signatures and engines

– Use a dedicated email service with strong malware filtering

– Verify information, and always mistrust emails and advertisements

– Use password managers and enforce multi-factor authentication (MFA) for employee accounts

– Enforce a strong password policy and implement regular password changes

The following indicators of compromise were released with the researchers’ findings.

Threat actor-managed C&C URLs:

hxxps://highstreetmuch[.]xyz/hug/gate[.]php

hxxps://takeusallp[.]online/benzz/gate[.]PHP
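
One way to hunt for the indicators above in web proxy logs, as an added example that is not part of the original alert or the researchers' tooling. The log format, user names, timestamps and the /constructed path are assumptions made up for the example; the indicators are the ones listed in this alert and stay defanged in the source.

```python
from urllib.parse import urlsplit

# Indicators copied from this alert, kept defanged in source.
DEFANGED_IOCS = [
    "hxxps://highstreetmuch[.]xyz/hug/gate[.]php",
    "hxxps://takeusallp[.]online/benzz/gate[.]PHP",
    "U10450540[.]ct[.]sendgrid[.]net",
]

def refang(ioc):
    """Turn a defanged indicator back into a parseable URL or hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http", 1)

def build_watchlist(iocs):
    """Map lowercased hostname -> lowercased URL path (None for bare hosts)."""
    watch = {}
    for ioc in iocs:
        value = refang(ioc)
        parts = urlsplit(value if "://" in value else "//" + value)
        watch[parts.hostname] = parts.path.lower() or None
    return watch

def scan(lines, watch):
    """Return (user, host, reason) for each request to a watched host."""
    hits = []
    for line in lines:
        _ts, user, method, url, _status = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""  # urlsplit lowercases the hostname
        if host not in watch:
            continue
        gate = watch[host]
        # Paths are compared case-insensitively: one listed URL ends in ".PHP".
        if gate and method == "POST" and parts.path.lower() == gate:
            reason = "POST to listed C&C URL"
        else:
            reason = "request to campaign host"
        hits.append((user, host, reason))
    return hits

# Constructed proxy log lines: timestamp user method url status.
SAMPLE_LOG = [
    "2020-07-14T09:12:01Z cfo GET " + refang("hxxps://U10450540[.]ct[.]sendgrid[.]net/constructed") + " 302",
    "2020-07-14T09:12:40Z cfo POST " + refang("hxxps://HighStreetMuch[.]XYZ/hug/gate[.]php") + " 200",
    "2020-07-14T09:13:05Z analyst GET https://login.microsoftonline.com/ 200",
    "2020-07-14T09:15:22Z controller POST " + refang("hxxps://takeusallp[.]online/benzz/gate[.]php") + " 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_watchlist(DEFANGED_IOCS)):
        print(*hit, sep="\t")
```

Because the alert notes that the threat actors switch infrastructure once domains are reported, a hit list like this is most useful for retrospective searches over past logs.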