Zero Day Social Media and One Drive Phish

Summary

In November we observed an increase in spear-phishing links, clicked by our user base, that used discreet redirect tactics. This report, however, focuses on a rise in social media phishing aimed specifically at Instagram accounts. Here are some examples and highlights.


Social Media Phishing

On November 15th, a phishing link impersonating Instagram was clicked 16 times in a Texas organization. Although social media access is highly restricted through content filters and firewall products at many sites, these tools do not prevent zero-day phishing links from reaching their intended users.

Here is a Facebook phishing page clicked on November 16th, mimicking Meta’s security verification process.

Not only can examples like these bypass content filters, but they can also be delivered through Facebook's and Instagram's native messaging apps, which are entirely outside the scope of email security tools.

Stealth Redirect: Never Gonna Give You Up

On November 18th an employee clicked a Microsoft-themed spear-phishing link that used stealth redirect tactics. The link first leads to a Cloudflare CAPTCHA to ‘verify’ the user. When an analyst opened the link in a Chrome browser, they saw the same phishing page the PIXM browser extension had captured. When the same link was opened in a server sandbox, however, it redirected to a YouTube page.

Examples like this illustrate the tools hackers routinely use to evade the security sandboxes embedded in email protection. First, the link requires a human action (solving the CAPTCHA) to resolve. Second, the link only resolves to the phishing page when clicked from a user device; a security sandbox is instead redirected to a Rick Astley music video.
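As an added illustration of the check a defender can run against a link like this (example code, not PIXM's or the original report's), the script below resolves the same URL under more than one client profile and flags a link whose landing host depends on who asked. The profile headers, the `fetch` callback and the sample destinations are assumed or constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Resolution:
    """Where a click ended up and whether a human-verification page gated it."""
    final_url: str
    human_gate: bool


# Hypothetical client profiles: the headers a URL scanner would send on each pass.
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop-browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/119.0"},
    "sandbox-crawler": {"User-Agent": "python-requests/2.31"},
}

Fetcher = Callable[[str, Dict[str, str]], Resolution]


def resolve_with_profiles(url: str, fetch: Fetcher) -> Dict[str, Resolution]:
    """Follow the link once per profile; `fetch` does the actual network work."""
    return {name: fetch(url, headers) for name, headers in PROFILES.items()}


def assess(results: Dict[str, Resolution]) -> Dict[str, object]:
    """Cloaking signal: the same link lands on different hosts depending on the client."""
    hosts = {name: urlsplit(r.final_url).netloc.lower() for name, r in results.items()}
    return {
        "cloaked": len(set(hosts.values())) > 1,
        "human_gate": any(r.human_gate for r in results.values()),
        "landing_hosts": hosts,
    }


# Constructed stand-in for a live fetch, reproducing the observed behaviour:
# a browser is gated by a CAPTCHA and then shown the lure; a crawler is bounced to YouTube.
def cloaked_fetch(url: str, headers: Dict[str, str]) -> Resolution:
    if "Chrome" in headers.get("User-Agent", ""):
        return Resolution("https://login.phish-sample.invalid/", human_gate=True)
    return Resolution("https://www.youtube.com/", human_gate=False)


# Constructed control case: an ordinary link resolves identically for every client.
def plain_fetch(url: str, headers: Dict[str, str]) -> Resolution:
    return Resolution("https://docs.example.invalid/report.pdf", human_gate=False)


if __name__ == "__main__":
    for label, fetch in (("suspect link", cloaked_fetch), ("ordinary link", plain_fetch)):
        print(label, assess(resolve_with_profiles("https://t.invalid/x", fetch)))
```

A real scanner would replace the stub fetchers with an HTTP client that follows redirects under each profile; a `cloaked` verdict on a link that arrived by email or chat is worth an analyst's look even when the sandbox itself reported nothing.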

We also observed ongoing multi-channel phishing attacks delivered via non-email document-sharing platforms such as OneDrive, specifically targeting staff members. This attack followed patterns similar to those PIXM researched earlier in October, which targeted organizations in Texas, Colorado, and Idaho.

Suggested Corrections

  • Add the specified domains to your block lists.
  • Focus awareness efforts on high-risk credentials.
  • Raise awareness that much phishing occurs outside the corporate mailbox.
  • Be aware that hackers can use stealthy tactics to conceal phishing attacks until they are opened in a browser, even where email protection is in place.