BEWARE! Microsoft warns of "SEABORGIUM" phishing attack
Microsoft has issued a warning for Microsoft clients regarding a phishing attack that is doing the rounds. The warning was issued by Microsoft's Threat Intelligence Center (MSTIC). The phishing attack, called SEABORGIUM, targets Microsoft's clients posing as security experts from Microsoft via email. Although this phishing scheme, which originated in Russia has been present since 2017, it has recently popped up again, targeting a number of people before it was red-flagged by Microsoft's Threat Intelligence Center.
How does it work?
In this phishing scheme, the threat actor targets the same organization slowly over a long period of time. According to Microsoft, once it is successful, it slowly infiltrates targeted organizations' social networks through constant impersonation, rapport building, and phishing to deepen their intrusion. It builds rapport and develops trust with the target organization.
The threat actors use numerous emails impersonating real employees of Microsoft. The company says that the SEABORGIUM actor delivers malicious URLs directly in an email or via attachments as you can see below, often imitating hosting services like Microsoft's own OneDrive.
A phishing kit known as EvilGinx is used to steal the victim's personal and financial information. A phishing portal is designed which looks exactly like the Microsoft's to fool victims into entering their login credentials.
Microsoft has explained that, “In limited cases, SEABORGIUM has been observed setting up forwarding rules from victim inboxes to actor-controlled dead drop accounts where the actor has long-term access to collected data. On more than one occasion, we have observed that the actors were able to access mailing-list data of sensitive groups, such as those frequented by former intelligence officials, and maintain a collection of information from the mailing-list for follow-on targeting and exfiltration.”
“There have been several cases where SEABORGIUM has been observed using their impersonation accounts to facilitate dialog with specific people of interest and, as a result, were included in conversations, sometimes unwittingly, involving multiple parties. The nature of the conversations identified during investigations by Microsoft demonstrates potentially sensitive information being shared that could provide intelligence value,” the company added further.
So, until Microsoft publishes another security patch, it is best advised to not open unrecognized attachments from unknown sources.