Recent O365 Active Phishing Campaign
Active Phishing Campaigns are concerted, coordinated attacks that Fortra has observed bypassing secure email gateways (SEGs) and default filtering tools. The following analysis includes examples, high-level details, and associated threat indicators. As of this posting, Fortra has automatically detected and removed 46 instances of this threat across multiple customer email environments.
Email Content
Analysis: The email content raises suspicion, particularly the inclusion of an unusual link that appears to redirect to a Prezi presentation. The mention of an invoice, coupled with an urgent call to action, indicates an attempt to trick the user into clicking the provided link.
Website Verification
- Sender’s Website: surveymonkeyuser.com
Analysis: The website may seem legitimate, but does not align with the email’s content and impersonates Verizon.
URL Inspection
Redirect: The URL in the email body, hxxps[://]prezi[.]com/i/embed/qT62vE5JTLTiWbcrFntj, redirects to hxxps[://]sites[.]google[.]com/view/vrz39289289823/home
Analysis: The destination URL indicates an O365 phishing attempt hosted on Google Sites. Upon loading the page, we see that it imitates the Verizon infrastructure with an O365 login panel.
Threat Indicators
- Sender’s Email: [email protected]
- Reply-to Address: [email protected]
- Sender’s Name: [email protected]
- Sender’s Website: surveymonkeyuser.com
- Redirect: hxxps[://]sites[.]google[.]com/view/vrz39289289823/home
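A triage check built from the signals in this analysis (sender domain not matching the claimed brand, invoice and urgency wording, a link to user-published content on a reputable host), as an added example that is not Fortra's detection logic. The host list, lure keywords, function names and sample message are assumptions constructed from the indicators above.

```python
import re
from urllib.parse import urlsplit

# Assumption: user-content path prefixes on otherwise reputable hosts, taken
# from the two URLs in this report. Extend the map for your own environment.
USER_CONTENT_HOSTS = {
    "prezi.com": "/i/embed/",
    "sites.google.com": "/view/",
}
# Assumption: lure wording; the report mentions an invoice and an urgent call to action.
LURE_WORDS = re.compile(r"\b(invoice|urgent|immediately|overdue)\b", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps[://]host[.]tld) back into a parseable URL."""
    return (indicator.replace("hxxp", "http")
            .replace("[://]", "://").replace("[.]", "."))


def hosted_on_user_content(url: str) -> bool:
    """True when the URL points at a user-published page on a listed host."""
    parts = urlsplit(refang(url))
    prefix = USER_CONTENT_HOSTS.get((parts.hostname or "").lower())
    return prefix is not None and parts.path.startswith(prefix)


def triage(sender_domain: str, claimed_brand: str, body: str, links: list[str]) -> list[str]:
    """Return the reasons a message deserves analyst review (empty list = none)."""
    reasons = []
    if claimed_brand.lower() not in sender_domain.lower():
        reasons.append("sender domain does not match claimed brand")
    if LURE_WORDS.search(body):
        reasons.append("invoice/urgency lure wording")
    for link in links:
        if hosted_on_user_content(link):
            host = urlsplit(refang(link)).hostname
            reasons.append(f"link to user-published content on {host}")
    return reasons


# Constructed sample message built from the indicators in this report.
SAMPLE = {
    "sender_domain": "surveymonkeyuser.com",
    "claimed_brand": "Verizon",
    "body": "Your invoice is ready. Review it immediately.",
    "links": ["hxxps[://]prezi[.]com/i/embed/qT62vE5JTLTiWbcrFntj"],
}

if __name__ == "__main__":
    for reason in triage(**SAMPLE):
        print("-", reason)
```

Each reason is a review signal rather than a verdict: legitimate mail also links to Prezi and Google Sites, so the combination of signals is what warrants a closer look.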
Learn how Fortra’s Cloud Email Protection can help prevent these types of O365 lure phishing campaigns and more!