Active Phishing Campaigns are concerted, coordinated attacks that Fortra has observed bypassing email security tools such as secure email gateways (SEGs) and filtering tools. The following analysis includes examples, high-level details, and associated threat indicators. As of this posting, Fortra has automatically detected and removed 53 instances of this threat across multiple customer email environments.
Sample Email Lure
Analysis: The email content imitates an account restriction notification from Meta support. It uses a false accusation and the fear of account restriction to pressure victims into clicking the “Contact Support” button, which leads to a fake support chat function.
URL Inspection
Redirects: The “Contact Support” button links to hxxps[://]app[.]getresponse[.]com/view[.]html?x=a62b&m=B0HPru&u=CFQf8&z=EVW8hav&o=pp_5. GetResponse is a legitimate email marketing service.
This redirects to hxxps[://]t[.]co/QpGbIQ5rep, a URL shortened with the link-shortening service of X (formerly Twitter). The shortened URL in turn redirects to hxxps[://]metaforpartner[.]com/index[.]php?appeal.
Analysis: The destination URL presents a live chat impersonating Meta Support. This live chat is used to engage victims and compromise their accounts.
Threat Indicators
- Redirect: hxxps[://]app[.]getresponse[.]com/view[.]html?x=a62b&m=B0HPru&u=CFQf8&z=EVW8hav&o=pp_5, hxxps[://]t[.]co/QpGbIQ5rep
- Malicious Domain: metaforpartner[.]com
- Malicious URL: hxxps[://]metaforpartner[.]com/index[.]php?appeal
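As an added example (not Fortra's code), the Python sketch below applies the indicators above to URLs extracted from mail. It matches the GetResponse and t.co redirects by exact URL, because both hosts are shared services, and matches metaforpartner[.]com by host including subdomains. The function names and the sample URLs marked as constructed are assumptions.

```python
from urllib.parse import urlsplit

# Indicators copied from this page, kept defanged in source.
REDIRECT_URLS = [
    "hxxps[://]app[.]getresponse[.]com/view[.]html?x=a62b&m=B0HPru&u=CFQf8&z=EVW8hav&o=pp_5",
    "hxxps[://]t[.]co/QpGbIQ5rep",
]
MALICIOUS_DOMAINS = ["metaforpartner[.]com"]

def refang(ioc):
    """Turn a defanged indicator (hxxp, [.], [://]) back into parseable form."""
    s = ioc.replace("[://]", "://").replace("[.]", ".")
    return "http" + s[4:] if s.lower().startswith("hxxp") else s

def normalize(url):
    """Lower-case scheme and host; path and query stay case-sensitive."""
    p = urlsplit(url.strip())
    query = "?" + p.query if p.query else ""
    return f"{p.scheme}://{p.hostname or ''}{p.path}{query}"

BAD_URLS = {normalize(refang(u)) for u in REDIRECT_URLS}
BAD_HOSTS = {refang(d).lower() for d in MALICIOUS_DOMAINS}

def classify(url):
    """Return 'malicious_domain', 'redirect_url', or None for one URL."""
    host = (urlsplit(url.strip()).hostname or "").rstrip(".")
    # Match the domain itself or a subdomain, never a mere string suffix.
    if any(host == d or host.endswith("." + d) for d in BAD_HOSTS):
        return "malicious_domain"
    # Shared services are matched by exact URL, not by host.
    if normalize(url) in BAD_URLS:
        return "redirect_url"
    return None

def scan(urls):
    """Return (url, verdict) for every URL that matches an indicator."""
    return [(u, v) for u in urls if (v := classify(u))]

# Constructed sample of URLs as a mail pipeline might extract them.
SAMPLE = [refang(u) for u in [
    "hxxps[://]metaforpartner[.]com/index[.]php?appeal",      # from this page
    "HXXPS[://]T[.]CO/QpGbIQ5rep",                            # page IoC, host upper-cased
    "hxxps[://]t[.]co/EXAMPLE0000",                           # constructed, unrelated link
    "hxxps[://]app[.]getresponse[.]com/view[.]html?x=0000",   # constructed, unrelated mailing
    "hxxps[://]metaforpartner[.]com[.]example[.]org/",        # constructed look-alike host
    "hxxps[://]chat[.]metaforpartner[.]com/",                 # constructed subdomain
]]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE):
        print(verdict, url.replace(".", "[.]"))
```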
Learn how Fortra’s Cloud Email Protection can help prevent these types of lure phishing campaigns and more!