
Phishing-as-a-service threats get creative to evade detection

IT teams need strong visibility into their networks – and the ability to respond fast to neutralize polymorphic threats that aim to steal credentials, intercept MFA authentication codes or deceive users into downloading malicious software.
By Andrea Fox, Senior Editor
Photo: Vertigo3d/Getty Images

Attackers are constantly testing new combinations of tactics to improve their success rates, such as a recently discovered and widespread phishing scam that uses layering and numbering techniques to hide its nefarious script and gain users' Microsoft Office 365 credentials, according to security services firm Fortra.

New phishing campaign targets O365

Attackers are targeting credentials to Microsoft's suite of general office products in recent attacks, Zachary Travis, a Fortra threat hunter, said on the company's website post Thursday.

By layering the payload in subterfuge and triggering deceptive steps, the phishing emails have evaded network detection and tricked users into action.

To better understand this phishing campaign, Fortra researched incidents at 30 organizations across varying industries. The company said that more than 2,000 emails tied to this campaign have already been quarantined.

Researchers said the following polymorphic elements make the phish noteworthy:

  • Using financial terms in subject lines and sender names to create a false sense of urgency.

  • Composing unique strings in each email to help bypass security filters.

  • Nesting a message attached inside another message to help hide the phishing URL.

  • Obfuscating a base64-encoded script by burying it in an SVG file to mask its destination.

  • Launching a counterfeit Adobe-branded page to request and gain users' credentials under the pretense of accessing transaction documents.

  • Mimicking users' company branding to gain users' confidence that the request is authentic.

Travis said the research team built an email threat hunting (ETH) rule designed to catch future versions of the campaign; because the character strings change from one phishing attempt to the next, the rule had to include wildcard symbols to account for them.

The ETH rule successfully flagged and quarantined 2,156 emails across 34 organizations, Fortra said in the blog. While many detection rules typically catch fewer than 100 messages, the catch speaks volumes about how extensive this campaign is.
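To show what hunting for the traits above looks like from the defender's side, here is an added example written for this article (it is not Fortra's ETH rule or any code from the post). It parses a constructed message in Python, descends into a nested message/rfc822 attachment, flags an SVG that carries a script, and decodes any long base64 run inside it to surface the hidden destination; the addresses, subject and script are constructed placeholders.

```python
import base64
import re
from email import message_from_string
# Constructed sample (not a real campaign artifact): outer mail -> nested message/rfc822
# attachment -> SVG whose script is base64-encoded, the layering the article describes.
B64_SCRIPT = base64.b64encode(b"location='https://example.invalid/login'").decode()
SVG = f'<svg xmlns="http://www.w3.org/2000/svg"><script>eval(atob("{B64_SCRIPT}"))</script></svg>'
SAMPLE_EMAIL = f"""From: Accounts Payable <ap@example.invalid>
Subject: Invoice 8831 Payment Overdue
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822

Content-Type: image/svg+xml; name="invoice.svg"

{SVG}
--outer--
"""
FINANCIAL_TERMS = re.compile(r"\b(invoice|payment|remittance|overdue|wire|transaction)\b", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # wildcard-style match: any long base64 run
def iter_parts(msg, depth=0):
    # Yield (nesting depth, part); depth rises each time we descend through message/rfc822.
    yield depth, msg
    if msg.is_multipart():
        nested = msg.get_content_type() == "message/rfc822"
        for sub in msg.get_payload():
            yield from iter_parts(sub, depth + 1 if nested else depth)

def hunt(raw):
    # Return the campaign traits found in one raw RFC 5322 message.
    msg = message_from_string(raw)
    parts = list(iter_parts(msg))
    findings = []
    if FINANCIAL_TERMS.search(msg.get("Subject", "")):
        findings.append("financial-urgency subject")
    if any(depth > 0 for depth, _ in parts):
        findings.append("nested message attachment")
    for part in (p for _, p in parts if p.get_content_type() == "image/svg+xml"):
        body = part.get_payload(decode=True).decode(errors="replace")
        if "<script" in body.lower():
            findings.append("svg with script")
        for blob in B64_BLOB.findall(body):  # decode blobs to expose the hidden destination
            try:
                decoded = base64.b64decode(blob, validate=True).decode(errors="ignore")
            except ValueError:  # not really base64 (binascii.Error is a ValueError)
                continue
            if "http" in decoded:
                findings.append("hidden destination: " + decoded)
    return findings
```

Run `hunt(SAMPLE_EMAIL)` to see all four traits reported; a plain message with no attachments yields an empty list.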

PhaaS platforms intercept MFA codes

Last week, Fortra also reported that although LabHost, a phishing-as-a-service (PhaaS) platform that targeted Canadian financial institutions, was shut down last year, the phishing volume did not decrease as expected.

SheByte may be one of several that emerged as a direct replacement, offering a full suite of phishing services to cybercriminals, including phishing kits and subscriptions that permit affiliates to make an unlimited number of phishing attacks.

"SheByte initially offered many of the same features LabHost did, establishing themselves as the logical next platform for customers needing to find a new service," Max Ickert, Fortra senior threat researcher, said in the PhaaS profile posted to the company's website.

One of those features is access to the LiveRAT admin dashboard, which Ickert said is protected by premium anti-detection and allows scammers to monitor phished visitors in real time and intercept their multi-factor authentication codes, prompt them with security questions and more.

Fake sites that glom onto AI hype

PhaaS operators also sell impersonation "phish kits" that are used to commit financial fraud.

New York-based Memcyco, a digital risk protection company, reported observing phishing sites mimicking China's DeepSeek artificial intelligence model, according to a recent story on DarkReading.

The fraudulent DeepSeek AI sites aimed to deceive users curious about smaller, low-cost AI models into downloading malicious software or providing credentials.

Some of the impersonators intercepted login credentials in real time and took over users' accounts, distributed malware, took remote control of users' devices, or enticed users with cryptocurrency scams and emptied their victims' crypto wallets.

"These attacks are especially dangerous when new, exciting and hyped-up tools are launched," Memcyco's CEO and co-founder, Israel Mazin, said in the story.