On Tue, 23 Feb 2021, Ricky Boone wrote:

Seeing an interesting phishing campaign that appears to be
personalizing components of the message and URL endpoints to
potentially get around blacklists and other filters.  Unfortunately I
can't share the exact example publicly without effectively recreating
the email, but here's a summary of what I'm finding.

* Victim email address domain without TLD in the From and Subject
headers (i.e., if victim domain was widgetltd.com, "Widgetltd" would
be used)
* Message contains a link with the local-part of the victim's email
address as a subdomain (i.e., if victim's email address was
"jane....@widgetltd.com", the attacker host would appear as
"jane.doe.badactordomain.xyz"), as well as the full version of the
victim's email address base64 encoded as a query string value (using
the previous example,
http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0
)

That shouldn't be too hard to write rules for. Again, whether or not there are any examples in the masscheck corpora controls whether or not the rule will be scored and published (unless we manually push it).

Potentially interesting, but not necessarily distinctive:

* Examples I'm seeing have a nearly blank message, and an HTML
attachment with a JavaScript window.location.href redirect related to
the attacker URL.

Another spam sign.

* Attacker is leveraging SendGrid

What sender ID? (the numeric and punctuation part of the envelope from address)

Are you using the abusive sendgrid user plugin or my download-based rule generator?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Maxim XI: Everything is air-droppable at least once.
-----------------------------------------------------------------------
 269 days since the first private commercial manned orbital mission (SpaceX)
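
A defender-side check for the personalisation pattern described in the quoted report, added here as an illustration and not code from the thread, from SpamAssassin or from any plugin mentioned above. The recipient address "jane.doe@widgetltd.com" (the local part is taken from the example host and from decoding the quoted base64 string, since the post itself redacts it) and the subject line are constructed sample input.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample modelled on the reported campaign: local-part as the
# leading host labels, base64 of the full address in the query string, and
# the recipient's domain label (minus TLD) in the Subject.
SAMPLE_RECIPIENT = "jane.doe@widgetltd.com"
SAMPLE_SUBJECT = "Widgetltd account notice"
SAMPLE_URL = "http://jane.doe.badactordomain.xyz/?amFuZS5kb2VAd2lkZ2V0bHRkLmNvbQ==/0"


def b64_forms(address):
    """Base64 of the address as given and lower-cased, with and without '=' padding."""
    forms = set()
    for variant in {address, address.lower()}:
        enc = base64.b64encode(variant.encode()).decode()
        forms.update({enc, enc.rstrip("=")})
    return forms


def personalisation_signals(recipient, url, subject="", from_header=""):
    """Return the set of recipient-specific markers present in the URL/headers.

    subdomain   - attacker host begins with the recipient's local-part
    b64_address - the full recipient address, base64 encoded, is in the query
    org_label   - recipient's domain label without its TLD appears in Subject/From
    """
    local, _, domain = recipient.lower().rpartition("@")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    signals = set()
    if local and host.startswith(local + "."):
        signals.add("subdomain")
    if any(form in parts.query for form in b64_forms(recipient)):
        signals.add("b64_address")
    # The org label alone is weak evidence (legitimate internal mail carries it too),
    # so it only counts in combination with the URL-based markers.
    org_label = domain.split(".")[0]
    if org_label and org_label in (subject + " " + from_header).lower():
        signals.add("org_label")
    return signals


def looks_personalised_phish(recipient, url, subject="", from_header=""):
    """True when at least two independent personalisation markers co-occur."""
    return len(personalisation_signals(recipient, url, subject, from_header)) >= 2


if __name__ == "__main__":
    print(sorted(personalisation_signals(SAMPLE_RECIPIENT, SAMPLE_URL, SAMPLE_SUBJECT)))
```

Because the base64 value differs per recipient, a static uri rule cannot match it; this kind of check needs the envelope recipient at scan time (e.g. in a plugin or milter).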
