IT Support or Mimecast Phish? What to Look For | Cofense

By Tej Tulachan, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has intercepted a new phishing technique that uses information technology (IT) support-themed emails to get users to enter their old password. It’s common practice within industries to deploy a reset password communication from IT support for essential purposes such as hardening the employee’s email security. In countless situations, the more legitimate the email appears, the more likely the threat actor will succeed with the intrusion. Why? Because individuals would not be compelled to question the people in charge of the company’s confidentiality, integrity and security. They are considered authorities.

This report showcases an email that prompts the user to update their soon-to-be expired password. The first red flag is the newly created domain name that’s only a few months old, as of this writing. In this case, the address “realfruitpowernepal[.]com” is similar to an organization’s internal IT department, yet further analysis of the domain leads to a free web design platform. The opening of the email doesn’t contain phrases such as “Good Morning” or “Dear…”, possibly indicating this is a mass-email attack, which most probably had been accomplished via a purpose-built script.

Figure 1: Email body

When the recipient hovers over the “Continue” button, a Mimecast reference appears, along with the now redacted user email address toward the end of the URL. This might not raise suspicion as the correct spelling and naming function was used, which directs user to the next stage of the attack.

Figure 2: Mimecast security

Upon clicking the link, the user would be taken to a Mimecast web security portal that asks whether they want to block the malicious link or ignore it. This method of security services is very effective.

Figure 3: Security portal

Clicking on either “It’s Safe” or “It’s Harmful” led to the same result, which loads the page seen in Figure 4. This page gives the final confirmation about continuing.

The attack is initiated via a counterfeit Mimecast page that prompts the user to enter their email address to reset their password. After clicking on the “Continue to Page” evident above in Figure 3, the user would be redirected to the phishing landing page that displays the session as expired, as shown in Figure 4.

We assumed the goal was to make the phishing landing page appear identical to the legitimate Mimecast site. However, during our investigation, we discovered that the URL provided does not match the authentic Mimecast URL and the footer detail is missing, as shown in Figure 4.

Phishing URL: hXXps://hiudgntxrg[.]web[.]app/#

Legitimate link: https://login[.]mimecast[.]com/u/login/?gta=apps#/login

Figure 4: Phishing landing page

Figure 5: Legitimate page

Whether the user provided their true login credentials or a random string of credentials, they would be automatically redirected to the page within Figure 5 displaying a successful login message. This is yet another technique used to boost the appearance of authenticity and protection by “Mimecast.”

In conclusion, this attempted intrusion demonstrates the complexity of phishing attacks that utilize the power of social engineering. Cofense is here to help with our analysts and technology to enable customers to quickly identify validated or newly observed threats. We have the necessary products to help your SOC team quickly identify threats to reduce risk and further leverage the IOCs to mitigate a potential incident.

Indicators of Compromise IP




All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.