Sophisticated new phishing campaign targets the C-suite


A new phishing campaign designed to steal login credentials is targeting businesses, specifically the C-suite.

Researchers at GreatHorn first discovered the campaign, which targets senior executives by claiming to be from the company's CEO.

The fake email concerns the rescheduling of a board meeting. Users who follow the link in the email are greeted with a Doodle poll lookalike page, ostensibly to rearrange a suitable time for the board meeting, which actually steals Office 365 credentials.

According to the researchers, the attack appears to be hitting organisations of different sizes and from various industries. The email always has the same content, subject line and sender address, too.

If viewed on a mobile device, the sender name is changed to 'Note to Self', a feature in Outlook that is activated when you email yourself something. The researchers note this added layer of complexity makes interacting with the phishing email even more likely.

Depending on which email client is used, some emails were found in the junk folder, alerting users to the suspicious content, but the attack could still succeed if the user chose to trust the message regardless.

If successful, attackers holding valid senior executive-level login credentials could use them to access and steal sensitive data belonging to the company. If the compromise went undetected, the attacker could use that entry point to launch further attacks on the company's infrastructure.

"Spear phishing attacks tend to be more targeted, sophisticated and harder to detect than regular phishing campaigns," said Corin Imain, senior security advisor at DomainTools.

"Just one employee clicking on a malicious link can create an entry point for cybercriminals to gain access to the entirety of an organisation's network.

"It is not surprising that the criminals behind this attack chose to redirect employees to a fake Microsoft 365 landing page: Microsoft remains the most impersonated brand by phishers because of its recognisability and popularity."

This news follows an emerging cyber security trend whereby attackers will selectively target companies with big pockets.

The Ryuk ransomware reported last month provided another example of how attackers are choosing to target the right people instead of just distributing attacks to as many machines as possible.

Attacks are becoming more sophisticated and, as Imain says, "it is essential to educate the workforce to the risks of opening emails from an unrecognised sender and about the best practices to spot a fake email from a genuine one."

Connor Jones
News and Analysis Editor
