
Inside the incident: Uncovering an advanced phishing attack

· Published 11/12/2024 02:51 · Modified 11/12/2024 11:05


Essential information

Tags
2024-12-11, account takeover, credential-theft, email security, phishing, social engineering
Related entities
4 observables

Description

A sophisticated campaign targeted a U.K.-based insurance company, using the compromised email account of a major shipping company's CEO. The attack involved a malicious PDF link hosted on AWS, leading to a fake Microsoft authentication page. The threat actor used deletion rules, trusted sender addresses, and legitimate platforms to evade detection. The 'Russian nesting dolls' method was used, embedding multiple links to obscure the final site. Swift action by the security team limited the attacker's success to creating a deletion rule. The incident was part of a broader campaign targeting multiple companies, highlighting the need for enhanced user awareness and technical measures to combat increasingly sophisticated attempts.

External references