Hacked SendGrid Accounts used In Phishing Attacks To Steal Logins
A new phishing campaign has come to light, targeting users of Outlook Web Access and Office 365 services. The campaign collected the credentials of thousands of customers by relying on trusted domains such as SendGrid.
The campaign, named “Compact”, has been run by its operators since the beginning of 2020, and it is estimated to have collected over 400,000 sensitive credentials from multiple companies.
The phishing campaign operators used Zoom invites as a lure, together with an extensive list of email addresses, and sent their messages from hacked accounts on the SendGrid cloud-based email delivery platform. Since SendGrid is a trusted Simple Mail Transfer Protocol (SMTP) provider, the messages had little chance of being blocked by email protection technology or of failing to reach their destination.
Researchers at WMC Global, makers of the PhishFeed real-time phishing intelligence service, highlighted some mistakes made by the campaign operators. Those mistakes allowed the researchers to analyze how the data was moved from the phishing site into the hands of the operator.
Researchers determined that each phishing campaign successfully collected around 3,700 credentials, which would put the total from the various Compact campaigns at around 400,000 unique credentials.
WMC Global stated that “Earlier operations used compromised SendGrid accounts to deliver the phishing emails and then moved to MailGun, a developer-centric email service with APIs that allow sending, receiving, and tracking messages”.
WMC believes “that the switch to a different service was determined by their collaboration with SendGrid to restore compromised accounts to the legitimate owners. Also, the phishing website of the Compact campaign had distinct fingerprints in the code that permitted monitoring and detecting of a new site as soon as it became live…”
“…We found a landing site impersonating Outlook Web App in December 2020 and another one in January 2021 that pretended to be for Office 365 login”, the company added.
By examining the website source code, the researchers were able to locate the credential logs, which were stored in text files. The attackers behind the Compact campaigns had placed their exfiltration code on various compromised legitimate websites.
While analyzing the log data, researchers noticed that employees working at notable companies had fallen for the Compact phishing campaign. At present, the Compact operators are using an Office 365 theme, which remains active and is the most prevalent.
WMC Global stated that “the latest email campaigns were noisy enough to attract attention but the tactics, techniques, and procedures observed point to other campaigns that used different phishing themes (Excel, OWA, Outlook Web Access Exchange, 1&1 Ionos, Rackspace)”.