Phishing attack impersonates IT staff to target VPN users

A phishing email claims to send the recipient to a VPN configuration page for home access but instead leads them to a credential-stealing site, said Abnormal Security.


Image: GrafVishenka, Getty Images/iStockPhotos

Cybercriminals have been keen to exploit COVID-19 to create coronavirus-related malicious apps, phony websites, and phishing emails. As the pandemic has triggered a huge shift toward remote working, so, too, have criminals been trying to target business employees working at home. In a blog post published Wednesday, Abnormal Security describes a new phishing campaign that exploits the need for VPNs.


The initial phishing email arrives as a notification ostensibly from IT support at the recipient's employer. The sender's address is even spoofed to impersonate the domain of the targeted organization. The body of the email is brief: a short notice and a link for the new VPN home configuration access.

Image: Abnormal Security

Clicking on the link directs the user to a landing page that looks identical to a Microsoft 365 login page. The page is even hosted on a Microsoft .NET platform and so uses a valid Microsoft certificate.

In reality, the page is a phishing site built to capture the victim's Microsoft account credentials. People who mistakenly enter their credentials expose not just their Microsoft account but every other account that accepts those credentials through single sign-on.

The attack plays on the need for a VPN while working from home. Unsuspecting employees unaccustomed to working out of the office might take the bait for fear of not being able to properly connect to their organization's network.

Further, the URL shown as the anchor text differs from the URL the link actually points to. The anchor text contains the name of the company in plain text. By hiding the real destination, the attackers want to trick users into believing that this is a genuine Microsoft Office login page.


Abnormal Security said it spotted several versions of this attack across multiple clients from different sender addresses and from different IP addresses. In all cases, however, the same payload link was used, a tipoff that a single attacker controls the phishing site.

To protect your organization against these types of phishing attacks, Ken Liao, vice president of cybersecurity strategy for Abnormal Security, offers the following tips:

  • Double-check the senders and addresses for messages to ensure they're coming from legitimate sources. Don't just trust the display name. For anything in which you're being led somewhere that you're asked to enter your credentials, look at the actual email address.
  • Always double-check the webpage's URL before signing in. Attackers will often hide malicious links in redirects or host them on separate websites that can be reached by safe links. This allows them to bypass link scanning within emails by traditional email security solutions. If the URL looks suspicious, don't enter your credentials, and verify with your company's IT department.
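The two tips above, and the anchor-text mismatch described earlier, can be turned into a simple mail-triage check. The script below is an added example, not code from Abnormal Security or the article; the sample message, the `corp.example` domain, and the `login-portal.invalid` host are constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign above: visible link text names
# the company's VPN host while the href points elsewhere.
SAMPLE = """From: IT Support <it-support@corp.example>
Subject: New VPN home configuration
Content-Type: text/html; charset=utf-8

<p>Your VPN home access configuration is ready:</p>
<a href="https://login-portal.invalid/auth">https://vpn.corp.example/config</a>
"""

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Hostname of a URL or bare domain; '' when s is empty or has spaces."""
    if not s or any(c.isspace() for c in s):
        return ""
    return (urlparse(s if "://" in s else "//" + s).hostname or "").lower()

def find_phishing_indicators(raw_message, org_domain):
    """Apply the two tips above to one message; returns the red flags found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = parseaddr(str(msg["From"]))[1]
    flags = []
    # Tip 1: judge the mailbox, not the display name; an exact domain spoof passes here.
    if addr.rpartition("@")[2].lower() != org_domain:
        flags.append(f"sender {addr} is outside {org_domain}")
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        href_host, text_host = _host(href), _host(text)
        # Tip 2: URL-looking anchor text whose href goes to a different host.
        if "." in text_host and text_host != href_host:
            flags.append(f"link text shows {text_host} but points to {href_host}")
    return flags
```

Because the campaign spoofs the organization's own domain in the From address, the sender check alone does not catch it; the anchor-text mismatch is the flag that fires on the sample.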
