Phishing disguised as spam

Attackers are trying to steal credentials from corporate mail by sending lists of quarantined spam e-mails.

What do you do when an unsolicited e-mail lands in your work inbox? Unless you’re a spam analyst, you will most likely just delete it. Paradoxically, that’s exactly what some phishers want you to do, and as a result, our mail traps have lately been seeing more and more e-mails that pose as notifications about obviously unwanted messages.

How it works

Cybercriminals, counting on users’ limited understanding of antispam technologies, send company employees notifications about e-mails that allegedly arrived at their address and were placed in quarantine. Such messages look something like this:

Fake notification about quarantined e-mails.

The subjects of the listed messages are of no real importance: the attackers simply imitate typical ads for unsolicited goods and services. Next to each message are buttons for deleting or keeping it, and the notification also offers an option to delete all quarantined messages at once or to open the mailbox settings. Users are even given visual instructions:

Visual instructions sent by scammers.

What’s the catch?

The catch, of course, is that the buttons are not what they seem. Behind every button and hyperlink lies the same address, which takes anyone who clicks it to a fake login page that mimics the Web interface of the mail service:

Phishing site.

The message “Session Expired” is meant to persuade the user to sign in. The page serves one purpose, of course: to harvest corporate mail credentials.

Clues

In the e-mail, the first thing that should set alarm bells ringing is the sender’s address. A genuine quarantine notification would come from your own mail server, that is, from the same domain as your mail address, not, as in this case, from an unknown company.

Before clicking any links or buttons in any message, check where they point by hovering the mouse cursor over them. In this case, the same link is embedded in every active element, and it points to a website that has no relation to either the recipient’s domain or the Hungarian domain of the sender. That includes the button that supposedly sends an “HTTPs request to delete all messages from quarantine.” The same unfamiliar address in the browser’s address bar should be a red flag on the login page as well.
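The two clues above (sender domain versus the recipient’s own domain, and every button pointing to one URL on an unrelated domain) can be turned into a simple triage check for a suspicious message. The script below is an added example, not Kaspersky’s code or tooling; both sample messages are constructed for this illustration and use reserved example domains rather than real infrastructure, and the domain-reduction helper is a deliberate simplification (last two labels, no public-suffix handling).

```python
"""Triage a suspected fake "quarantine notification" by the clues in the text.

Added example (not the page's or Kaspersky's code). Sample messages below are
constructed for this demonstration; every domain is a reserved example domain.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phish: third-party sender, every button shares one off-domain URL.
PHISH_EML = b"""From: Mail Quarantine <quarantine@notifier.example.net>
To: jane.doe@corp.example.com
Subject: 4 messages are waiting in your quarantine
Content-Type: text/html; charset=utf-8

<html><body>
<p>The following messages were quarantined:</p>
<a href="https://login-portal.example.org/session?u=jane">Keep</a>
<a href="https://login-portal.example.org/session?u=jane">Delete</a>
<a href="https://login-portal.example.org/session?u=jane">Delete all from quarantine</a>
<a href="https://login-portal.example.org/session?u=jane">Mailbox settings</a>
</body></html>
"""

# Constructed legitimate notice: same domain as the recipient, distinct links.
LEGIT_EML = b"""From: Mail Quarantine <quarantine@corp.example.com>
To: jane.doe@corp.example.com
Subject: 2 messages are waiting in your quarantine
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://quarantine.corp.example.com/release?id=1">Release</a>
<a href="https://quarantine.corp.example.com/delete?id=1">Delete</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href, i.e. what a user would see when hovering a button."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Crude organisation-level domain: last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of an address header such as From: or To:."""
    _, addr = parseaddr(str(header_value))
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def analyse(raw):
    """Return sender/recipient/link domains plus a list of suspicious findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = address_domain(msg["From"])
    recipient = address_domain(msg["To"])
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""

    collector = LinkCollector()
    collector.feed(html)
    link_domains = {registrable_domain(urlparse(h).hostname or "") for h in collector.hrefs}

    findings = []
    # Clue 1: a real notice comes from the recipient's own mail domain.
    if sender != recipient:
        findings.append(f"sender domain {sender!r} is not the recipient's domain {recipient!r}")
    # Clue 2: buttons point somewhere unrelated to both sender and recipient.
    foreign = sorted(d for d in link_domains if d not in (sender, recipient))
    if foreign:
        findings.append("links point to unrelated domain(s): " + ", ".join(foreign))
    # Clue 2b: "keep", "delete" and "settings" all lead to the very same URL.
    if len(collector.hrefs) > 1 and len(set(collector.hrefs)) == 1:
        findings.append(f"all {len(collector.hrefs)} buttons share one URL: {collector.hrefs[0]}")

    return {"sender_domain": sender, "recipient_domain": recipient,
            "link_domains": link_domains, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        result = analyse(sample)
        print(label, "->", result["findings"] or ["no findings"])
```

Note that the From: header is trivially spoofable, so this reproduces only the user-visible clue the article describes; a mail-server control would additionally consult SPF, DKIM and DMARC results before trusting a sender domain at all.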

How to avoid spam and phishing

To avoid getting hooked, corporate users need to be familiar with the basic phishing playbook. For this, look no further than our online security awareness platform.

Better still, of course, is to keep dangerous e-mails and phishing websites from reaching end users in the first place. For that, use antiphishing solutions both at the mail server level and on users’ computers.

Tips