Image: GrafVishenka, Getty Images/iStockPhotos

Phishing campaigns continue to be a popular and pervasive method of cyberattack. By impersonating a well-known company or brand, cybercriminals typically look to capture sensitive information from unsuspecting users. A new phishing attack spotted by cybersecurity firm Armorblox exploits the IRS, the coronavirus, and SharePoint all in one fell swoop.

In a blog post published Wednesday, Armorblox described this credential phishing campaign as one that hit several of its customers just a few days ago. In this attack, the initial email promised an important update on the recipient’s COVID relief funds to be disbursed to the person’s address.

Clicking the link to view a message about this update would take the user to a SharePoint form that had to be completed to obtain the full document. At that point, the form asked not only for email credentials but for a Social Security number, driver’s license number, and tax ID number. Of course, any such information entered into the form would then be captured by the criminals behind this campaign.

Summary of the IRS COVID relief phishing attack
Image: Armorblox

The initial email slipped past Microsoft 365 email security because it didn’t display the usual traits of traditional phishing attacks, according to Armorblox.

The email contained the right type of language and content to elicit a quick response from a trusting recipient. The email subject of “IRS Covid Relief Fund Update” and the sender’s name of “Irs Covid Relief Funds” were both specific and tied to important topics. Using the name of the IRS is designed to prompt immediate action from the user. The message even included an alleged confidentiality notice to make it sound legitimate.

Like many phishing emails, however, the message contains a few grammatical errors, such as “IRS” not being fully capitalized in the sender’s name. That should raise a red flag among users who take the time to scrutinize all aspects of the message. But the attackers count on a certain number of people being anxious or intrigued enough to click on the link without carefully examining the email.

Next, the landing page is hosted through a real SharePoint account but one that seems to have been compromised. Looking at the actual account name, Armorblox discovered that it belonged to an employee of the Reproductive Medicine Associates of Connecticut (RMACT), which the attackers likely exploited for this campaign.

Because the SharePoint page was legitimate, security filters that normally block bad domains failed to block this one. Using SharePoint to host the page also gave it the usual Microsoft branding and visuals, another tactic to make it seem legitimate. To top it off, a notice at the bottom even advises people not to share their passwords or give away personal information.

To guard against such phishing campaigns, Armorblox offers the following words of wisdom:

Be wary of requests to share personally identifiable information (PII) or payment card industry (PCI) data out of context. The phishing page for this attack asked for personal information that the IRS would never ask for via email. Even when the email looks real, be wary of entering your Social Security number, tax number, or similar details over email. Perform a second method of authentication by calling or texting the email sender to confirm whether the requests are legitimate.

Subject sensitive emails to rigorous eye tests. Whenever possible, engage with emails related to money and data in a rational manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.
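Part of this eye test, and of the PII warning before it, can be mechanised. The Python script below is an added example written for this article, not code from Armorblox or TechRepublic: it runs the checks the advice names (sender name versus sender address, brand casing, a money-related subject, requests for PII or credentials, and links pointing to hosts the claimed brand does not own) over a constructed message. The display name and subject are the ones Armorblox reported; the sender address, the SharePoint tenant name, the body text and the brand-to-domain table are all assumptions made for the example.

```python
import re
from email.utils import parseaddr

# Brands this check knows how to vet, mapped to the domains they legitimately
# send from. Only the IRS entry matters here; the mapping is an assumption
# made for this example, not an authoritative list.
TRUSTED_SENDER_DOMAINS = {
    "irs": {"irs.gov"},
}

# Wording that marks a message as being about money, and wording that marks a
# request for the kind of data the article says the IRS never asks for by email.
MONEY_KEYWORDS = ("relief", "fund", "payment", "refund", "tax", "disburse")
PII_KEYWORDS = ("social security", "ssn", "driver's license", "tax id",
                "password", "credentials")

URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def brands_claimed(display_name):
    """Return the known brand acronyms that appear as words in a display name."""
    words = re.findall(r"[a-z]+", display_name.lower())
    return [w for w in words if w in TRUSTED_SENDER_DOMAINS]


def host_belongs_to(host, domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def eye_test(message):
    """Apply the article's eye test to a message dict with 'from', 'subject'
    and 'body' keys and return the list of red flags found (empty if none)."""
    flags = []
    display_name, address = parseaddr(message.get("from", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claimed = brands_claimed(display_name)

    for brand in claimed:
        # Sender name says one organisation, sender address belongs to another.
        if sender_domain not in TRUSTED_SENDER_DOMAINS[brand]:
            flags.append(f"display name claims {brand.upper()} but sender domain is '{sender_domain}'")
        # An acronym written as 'Irs' is the casing error the article highlights.
        for token in display_name.split():
            if token.lower() == brand and token != brand.upper():
                flags.append(f"brand acronym written as '{token}' instead of '{brand.upper()}'")

    subject = message.get("subject", "").lower()
    body = message.get("body", "")
    if any(k in subject for k in MONEY_KEYWORDS):
        flags.append("subject concerns money or payments")
    if any(k in body.lower() for k in PII_KEYWORDS):
        flags.append("message asks for PII or credentials")

    # Logical inconsistency: the link points somewhere the claimed brand does not own.
    for url in URL_PATTERN.findall(body):
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        for brand in claimed:
            if not host_belongs_to(host, TRUSTED_SENDER_DOMAINS[brand]):
                flags.append(f"link host '{host}' does not belong to {brand.upper()}")
    return flags


# Constructed sample resembling the campaign: the display name and subject are
# the ones Armorblox reported; address, tenant name and body text are made up.
SUSPICIOUS_MESSAGE = {
    "from": "Irs Covid Relief Funds <relief-update@example.net>",
    "subject": "IRS Covid Relief Fund Update",
    "body": (
        "Important update on the COVID relief funds to be disbursed to your address. "
        "View the full document at https://contoso-tenant.sharepoint.com/sites/docs/form "
        "and enter your email password and Social Security number to continue."
    ),
}

# Constructed benign message for comparison.
BENIGN_MESSAGE = {
    "from": "Alice Example <alice@example.com>",
    "subject": "Lunch on Friday",
    "body": "Are you free at noon?",
}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        found = eye_test(msg)
        print(f"{label}: {len(found)} red flag(s)")
        for flag in found:
            print("  -", flag)
```

Run as a script, the suspicious sample trips five flags (the name/address mismatch, the "Irs" casing, the money-related subject, the request for a password and Social Security number, and a link hosted on sharepoint.com rather than an IRS domain), while the benign message trips none. Each check is deliberately simple; the point is that the inconsistencies the article asks readers to look for are also the ones a mail gateway rule or a triage script can surface before a user ever clicks.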

2FA is necessary but not sufficient. The criminals compromised an RMACT employee’s SharePoint account for this attack. Adopting two-factor authentication (2FA) would have prevented the compromise, or at least minimized its impact. However, 2FA would not have been enough to stop the phishing email from fulfilling its objective since the context (IRS document about COVID relief funds) doesn’t require 2FA to seem legitimate.

Augment native email security with complementary threat detection. To augment existing email security capabilities (e.g. Exchange Online Protection for Microsoft 365 or the Advanced Protection Program for G Suite), organizations should invest in technologies that take a materially different approach to threat detection. Rather than searching through static lists and blocking known bad domains, the technologies you adopt should be able to learn from custom organizational data and be able to stop socially engineered threats that contain zero-day payloads (or lack payloads altogether).