Security Firm Executive Targeted in Sophisticated Phishing Attack
"The phishing message, impersonating financial services provider JP Morgan, appeared as if part of an existing email thread to increase its sense of legitimacy, and invited the recipient to review and sign a document. Furthermore, the attackers used two DomainKeys Identified Mail (DKIM) signatures to ensure the email would pass DMARC authentication and appear trustworthy."
"By chaining redirects through legitimate services such as Cisco and Nylas, the attackers increase the likelihood that the link will pass security filtering and reputation checks. These domains are widely trusted and commonly observed in legitimate traffic, which makes automated blocking more difficult."
"Within the message, the attackers included a 'review document' link pointing to the legitimate Cisco domain secure-web.cisco.com, which is typically used for rewriting URLs in emails after they have been validated by Cisco. Because the link passed Cisco's Secure Email Gateway validation, the redirect URL was hosted on Cisco's infrastructure, further allowing the phishing email to bypass detection systems."
A Swedish cybersecurity firm's executive was targeted in a sophisticated phishing attack using the Kratos phishing-as-a-service kit. The attack employed a seven-step chain leveraging legitimate infrastructure and services to evade detection. The phishing email impersonated JP Morgan, appeared as part of an existing thread, and used two DKIM signatures to pass DMARC authentication. Attackers embedded a link pointing to Cisco's legitimate secure-web.cisco.com domain, which passed Cisco's Secure Email Gateway validation. The attack chain then redirected through the Nylas email API platform, a legitimate Indian development company subdomain, and finally to a domain registered by a Chinese entity in 2017. By chaining redirects through trusted domains, attackers increased the likelihood of bypassing security filtering and reputation checks.
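The brief's point about two DKIM signatures is that a "DMARC pass" verdict by itself says little: DMARC passes when any DKIM signature whose `d=` domain aligns with the visible From: domain verifies, and nothing in that verdict checks whether the From: domain has anything to do with the brand shown in the display name. The following triage helper is an added example written for this page, not code from SecurityWeek or from the firm involved. It enumerates every DKIM-Signature header on a message, reports which signing domains align with the RFC5322.From domain and which do not, and flags display names that carry a brand token the From: domain lacks. It does not verify signatures cryptographically (that needs DNS key lookups), and its organisational-domain check is a deliberate simplification of the Public Suffix List rule. The sample message, domains and brand list are constructed for illustration.

```python
"""Triage helper for DKIM/DMARC alignment and display-name brand borrowing.

Added example for this page; not the article's or the firm's code.
The sample message below is constructed, not taken from the incident.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: two DKIM-Signature headers, only the second one
# signed by the same domain that appears in From:.  The display name
# borrows a bank brand that the From: domain does not carry.
SAMPLE_EMAIL = """\
From: "JP Morgan Document Center" <notice@impersonated-bank.example>
To: exec@target-firm.example
Subject: Re: Document for signature
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail-relay.example;
 s=sel1; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=impersonated-bank.example;
 s=sel2; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==

Please review and sign the attached document.
"""


def dkim_signing_domains(msg):
    """Return the d= tag of every DKIM-Signature header, in header order."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        # The header is a ';'-separated tag list; folded lines are already
        # unfolded by the email parser, so a plain split is enough here.
        for tag in str(value).split(";"):
            name, _, val = tag.strip().partition("=")
            if name.strip().lower() == "d":
                domains.append(val.strip().lower())
    return domains


def org_domain(domain):
    """Simplified organisational domain: last two labels.

    Real relaxed-alignment checks must use the Public Suffix List
    (e.g. 'example.co.uk' has three labels); this is a placeholder rule.
    """
    return ".".join(domain.lower().split(".")[-2:])


def analyze(raw_message, brand_tokens=()):
    """Summarise DKIM alignment and brand borrowing for one raw message.

    brand_tokens: brand names whose appearance in the display name should
    be cross-checked against the From: domain (constructed list by caller).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()

    signers = dkim_signing_domains(msg)
    # DMARC relaxed alignment: signing org domain == From: org domain.
    aligned = [d for d in signers if org_domain(d) == org_domain(from_domain)]
    unaligned = [d for d in signers if d not in aligned]

    # Brand borrowing: token present in the display name but absent from
    # the From: domain (punctuation and spaces removed on both sides).
    compact_name = "".join(display_name.lower().split())
    compact_domain = from_domain.replace("-", "").replace(".", "")
    borrowed = []
    for token in brand_tokens:
        compact_token = "".join(token.lower().split())
        if compact_token in compact_name and compact_token not in compact_domain:
            borrowed.append(token)

    return {
        "from_domain": from_domain,
        "display_name": display_name,
        "dkim_signers": signers,
        "aligned_signers": aligned,
        "unaligned_signers": unaligned,
        "multiple_dkim_signatures": len(signers) > 1,
        "borrowed_brand_tokens": borrowed,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL, brand_tokens=("JP Morgan",))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the constructed sample, the report shows one aligned signer (the From: domain itself), one unaligned relay signer, and the borrowed "JP Morgan" token; the useful triage signal is the combination, a technically valid DMARC pass for a domain that is not the brand the recipient is shown. In a mail pipeline the same function would run on the raw RFC 5322 source after the gateway has added its Authentication-Results header, so the alignment verdict can be compared with the gateway's own.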
Read at SecurityWeek