There will always be a document to sign or a file to share. With the pandemic still raging and employees resorting to a work-from-home lifestyle, file shares provide a reasonably safe and effective way to get a document from one person to another. Threat actors have taken notice, as seen by the Cofense Phishing Defense Center with the discovery of fraudulent file-share emails to deceive users. In this campaign, the threat actor has taken steps to appear as a trusted contact.
The email seen in Figure 1 originated from a compromised account. Judging from the domain of the email, the user, “Harvey,” is in the same career field as the recipient. Presumably the threat actor sent this phish email to contacts in the compromised user’s account. Sending malicious emails to contacts through a compromised account allows the threat actor to abuse contacts’ trust while bypassing SPF and/or DKIM checks. These counter address spoofing but not a compromised account, as is the case here. ...read more!
