This morning we received a phishing mail containing a QR code. The mail caught our attention because it bypassed our spam filter and came straight into our inbox. Also, our company name “Zolder” was mentioned multiple times in the phishing mail, which indicates a more targeted campaign, although probably still highly automated.
Last year Zolder was active as an exhibitor at multiple security expo’s. As an attendant our contactinfo was stored in organizer’s platforms for instance offering networking possibilities amongst attendees. This also led to a lot of annoying spam. Mostly it involves unsolicited sales spam, but this e-mail today goes a bit further.
A screenshot of the phishing mail we received:
After scanning the QR-code and visiting the website link it redirects to, we noticed something interesting. We were redirected via the https://email.internationalsecurityexpo.com domain. This is a legit mailserver of some security expo we never attended, which in itself again caught our attention.
We found out that the mailserver of International Security Expo is vulnerable to a open-redirect. Meaning someone is able to craft a special URL which starts with the legit domain – and looks trustworthy that way – but then automatically redirects the visitor to another URL, by choice of the perpetrator. And in this case, this vulnerability is abused by the attackers, in order to redirect the victims to the URL gencellportal [dot] com.
This URL, again performs a redirect. This time it redirects to 7x01su43kpv8bci [dot] jfh31pv0ed [dot] ru domain. This page presents a Microsoft login page, including our company branding. The same company branding we have on our real Microsoft tenant.
Microsoft classifies the malicious domains to the Storm-1575 group, providing a Phishing-as-a-Service Platform. Their platform offers adversary-in-the-middle (AiTM) capabilities. This means that the attackers are proxying all the requests between the victim and Microsoft. A successful attack results in complete take over of the victims account, even if Multi-factor Authentication (MFA) is enabled.