restalpine.blogg.se

Beginning in January 2021, several INKY users began receiving emails with fake “requests for proposal” (RFPs). These supposed RFPs came from recipients’ legitimate contacts, but those accounts had been compromised by bad actors. In this case, phishers were staging their forays from Adobe Spark, a cloud-based design application that allows users to create and share content.

The goal of the ruse was to harvest recipients’ credentials. Unknowingly, Adobe had been facilitating this campaign for months.

  • Platform: Office365 (including users protected by Microsoft 365 Defender, formerly known as Advanced Threat Protection or ATP)
  • Techniques: account takeover and abuse of Adobe platform, followed by credential harvesting.

In this report, INKY analyzes the Adobe Spark Request for a Proposal phishing scam. This exploit made use of several known tactics, combined in a new way. INKY was able to determine that the phishing attempts were sent from known-to-the-recipient but compromised accounts. INKY authenticated the emails' SPF and DKIM records, detected no evidence of spoofing in the received headers, and did not fit them with a First-Time Sender banner notification. Other INKY modules did smell the phish, however, and were triggered strongly enough to set off both Phishing Content and Phishing Site notifications and assign a red banner.

As of this writing, INKY has detected 2,181 of these attacks. Even today, customized documents with malicious links are being hosted on Adobe Spark, and each instance remains active until Adobe receives an abuse report (like the one below) and takes it down.

Each of these fake RFP emails was slightly different, but they all invited recipients to submit proposals on Adobe Spark via blue hyperlinks. Clicking the link would take the victim to a customized document on Adobe Spark like the one below. If the target was sophisticated enough, they might have hovered over the white “VIEW RFP DOCUMENT” button and seen the malicious link. It turns out, episodeabstract com was a recently created domain controlled by the phisher, and the malicious link appeared in several threat intelligence feeds.

By placing it on Adobe Spark, the phisher avoided detection because the only link that appeared in the phishing email was a reputable URL that most email security vendors view as safe. The malicious link went to a phishing site that impersonated Adobe. The user was prompted to sign in with their email credentials to view the document. Three different credential harvesting forms appeared, depending on the email provider selected.

INKY engineers got a fake error message the first time they entered fake credentials, but behind the scenes, that data had already been sent to the phisher. The victim sees an error message, but the form captures their input anyway. Phishers are nothing if not clever and resourceful. On our second login attempt, the phishing site tried to remain undetected by logging us into a real Microsoft site. Since we used fake credentials, we got a real Microsoft error.

The following section contains three examples of Adobe Spark RFP attacks. In each one, phishers created customized documents on Adobe Spark and, from hijacked accounts, sent phishing emails with fake RFPs to known contacts. The phishing emails all had links to the Adobe site, where credential harvesting links awaited the hapless victim.

This email was pretty good-looking; that is, it did not contain any of the usual spelling, grammar, and usage mistakes that sometimes tip off the intended victim. This attack could be particularly pernicious, since it apparently comes from a known contact, seems to be serious, and has a slight (but not too intense) whiff of urgency about it.
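As an added illustration of the detection point in the report above (mail that passes SPF and DKIM and comes from a known contact, yet carries an RFP lure whose only link points at a reputable content-hosting platform), here is a small Python check that is not INKY's code. The sample message, the lure terms, and the use of spark.adobe.com as the host of Adobe Spark pages are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real capture): a fake-RFP lure sent from a known
# contact's compromised account, so SPF and DKIM both pass on arrival.
SAMPLE_RFP_EMAIL = """\
From: partner@vendor.example
Subject: Request for Proposal
Authentication-Results: mx.corp.example; spf=pass; dkim=pass
Content-Type: text/html

<p>Please review the RFP and submit your proposal.</p>
<a href="https://spark.adobe.com/page/CONSTRUCTED-ID/">VIEW RFP DOCUMENT</a>
"""

# Platforms whose reputation says nothing about the page a link lands on.
# Assumed list: spark.adobe.com is taken to be the host of Adobe Spark pages.
CONTENT_HOSTING_HOSTS = {"spark.adobe.com"}
LURE_TERMS = ("request for proposal", "rfp")


def links_in(html):
    """Hrefs in an HTML body (a plain regex is enough for a single-part sample)."""
    return re.findall(r'href="([^"]+)"', html, flags=re.I)


def auth_passed(msg):
    """True when the receiving MTA recorded SPF and DKIM passes."""
    results = msg.get("Authentication-Results", "").lower()
    return "spf=pass" in results and "dkim=pass" in results


def classify(raw, known_senders):
    """Content checks run regardless of authentication and sender history:
    a real, known account proves the mail is genuine, not that it is safe."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hosted = [u for u in links_in(body)
              if urlparse(u).hostname in CONTENT_HOSTING_HOSTS]
    lure = any(term in text for term in LURE_TERMS)
    return {
        "auth_passed": auth_passed(msg),
        "first_time_sender": msg.get("From", "").strip().lower() not in known_senders,
        "hosted_links": hosted,
        "verdict": "phishing_content" if hosted and lure else "clean",
    }


if __name__ == "__main__":
    print(classify(SAMPLE_RFP_EMAIL, {"partner@vendor.example"}))
```

The verdict is driven by the message content alone, so a passing authentication result and a familiar sender leave it unchanged, which is the gap the campaign relied on.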