Title: Outlook Phishing Campaign Targeting Public Administrations

26/03/2024

Phishing Email

The CERT-AgID has been informed of an active campaign targeting Public Administrations, aimed at stealing access credentials to MS Outlook email accounts.

The attackers, disguising themselves as HR departments or company accounting, are sending fraudulent emails promising salary adjustments or access to electronic pay slips, in an attempt to steal login credentials and other sensitive information.

Email subject: Notice of March pay slip adjustment

Attachment: double extension .pdf.html

Typical phishing characteristics

Below are some clues that should raise doubts about the possible fraudulent nature of the message:

️ Urgent action required
️ Suspicious attachments (double extension)
️ Request to enter credentials
️ Generic language
️ Grammatical errors

How the attachment appears

The email in question urges recipients to download the attachment to view the details regarding the “salary adjustment”. This is what the phishing page looks like once the attachment is opened:

Phishing page

Abuse of Form builder

The fraudulent use of online Form builders to orchestrate phishing campaigns is not a new phenomenon. In this case, the free service provided by the website formester.com was exploited.

Sending credentials to the Form builder service

Indicators of Compromise

In order to support measures to counter the fraudulent campaign, the detected IoCs (Indicators of Compromise) are reported below, already shared with the Public Administrations accredited to the IoC Flow of CERT-AgID.

Link: Download IoC

Source: Original Post