Proofpoint impersonators steal Microsoft, Google logins in phishing campaign

Clever hackers dodged Microsoft security by pretending to be a cyber security firm

Hackers impersonating cyber security company Proofpoint have launched a new phishing campaign targeting victims’ Microsoft and Google email credentials.

Researchers at Armorblox discovered emails claiming to contain a secure file sent via Proofpoint as a link. The problem was spotted at an unnamed global communications company with around 1,000 mailboxes at risk from the scam.

“Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google,” said researchers.

The email’s subject line was “RE: Payoff Request”, and the message claimed to contain a mortgage-related file sent via Proofpoint, along with an email footer stressing the importance of confidentiality. Researchers said that adding “RE” to the email title is a tactic they have observed scammers using before: it signifies an ongoing conversation and might make victims click the email faster.

After clicking the supposedly “secure” link in the email, victims would see a web page with the Proofpoint logo and spoofed login buttons for Google, Outlook, and Office 365.

“Clicking on the Google and Office 365 buttons led to dedicated spoofed login flows for Google and Microsoft, respectively. Both flows asked for the victim’s email address and password,” said researchers.

These pages were hosted on the “greenleafproperties[.]co[.]uk” parent domain. The domain’s WhoIs record shows it was last updated in April 2021, according to researchers. They added the URL currently redirects to “cvgproperties[.]co[.]uk”.

“The barebones website with questionable marketing increases the possibility that this is a dummy site,” researchers said.

According to researchers, phishing emails replicate existing workflows within organizations. “When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action,” they added.

The email managed to get past Microsoft email security, according to researchers. “This email had a Spam Confidence Level (SCL) score of 1, which means Microsoft determined the email was not spam,” said researchers.

Researchers recommended users subject any email to an eye test that includes inspecting the sender's name and email address, the language within the email, and any logical inconsistencies. They also recommended organizations deploy multi-factor authentication (MFA) on all business and personal accounts.
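The traits reported above (a “RE:” subject with no earlier thread, Proofpoint branding on links to an unrelated domain, and an SCL of 1) can be checked mechanically during mail triage. The following is an added example, not code from Armorblox, Proofpoint or Microsoft; the sample message, its addresses, the brand-domain allowlist, the finding labels and the `triage` function are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: domains the impersonated brand really links to.
BRAND_DOMAINS = {"proofpoint": {"proofpoint.com"}}

# Constructed sample modelled on the lure described above (not a real message).
SAMPLE = """\
From: "Proofpoint Secure Share" <notify@mailer.example>
To: user@corp.example
Subject: RE: Payoff Request
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain

A secure file was sent to you via Proofpoint.
View it here: https://portal.lure-site.example/secure/view
This message is confidential.
"""

def triage(raw):
    """Return heuristic findings for one single-part text message."""
    msg = message_from_string(raw)
    findings = []
    # A reply prefix with no threading headers suggests a made-up conversation.
    if re.match(r"\s*re\s*:", msg.get("Subject", ""), re.I) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply-prefix-without-thread")
    body = msg.get_payload()
    text = (msg.get("From", "") + " " + body).lower()
    urls = re.findall(r'https?://[^\s<>"]+', body)
    hosts = sorted({urlparse(u).hostname or "" for u in urls})
    # Brand named in sender or body, but links point somewhere else.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in text:
            continue
        for host in hosts:
            if not any(host == d or host.endswith("." + d) for d in allowed):
                findings.append(f"brand-link-mismatch:{brand}:{host}")
    # SCL of 1 or lower means Microsoft's filter did not class it as spam,
    # so a message with findings and a low SCL reached the inbox unflagged.
    m = re.fullmatch(r"\s*(-?\d+)\s*", msg.get("X-MS-Exchange-Organization-SCL", ""))
    if findings and m and int(m.group(1)) <= 1:
        findings.append(f"delivered-as-not-spam:scl={m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A genuine reply that carries In-Reply-To or References headers, or a Proofpoint-branded message whose links stay on the allowlisted domain, produces no findings.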
