Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment.  

The Armorblox threat research team observed the "invoice-themed" email attack attempt to hit one of their customer environments. The email was titled 'TRANSFER OF PAYMENT NOTICE FOR INVOICE' and informed the victims about an EFT payment. The email attack employed various techniques to get pas traditional email security filters and pass eye tests of unsuspecting end users:

  • Passes authentication using SendGrid: The email was sent from a personal Gmail account via SendGrid. This resulted in the email successfully passing authentication checks such as SPF, DKIM, and DMARC.
  • Social engineering: The email title and content refer to financial payments, including a link to view an invoice. The average person tends to take quick action on financial matters, even if a closer look might reveal inconsistencies in the email.
  • Brand impersonation: The final phishing page spoofs an Office 365 portal and is replete with Microsoft branding. Requiring Microsoft account credentials to view an invoice document also passes the ‘logic test’ in most victims’ minds, since they get documents, sheets, and presentations from colleagues every day that encompass the same workflow.
  • Hosted on Google Firebase: The final invoice is hosted on Google Firebase; the inherent legitimacy of this domain enables the email to get past security filters built to block known bad links and files. 
  • Link redirects: The attack flow is long and obfuscates the true final phishing page, which is another common technique to fool security technologies that attempt to follow links to their destinations and check for fake login pages.

Kevin Dunne, President at Greenlight, a Flemington, New Jersey-based provider of integrated risk management solutions, says"Phishing and social engineering attacks are becoming more dangerous, as more and more sensitive data moves to the cloud.  Companies can no longer rely on their traditional perimeter to keep bad actors from reaching critical data in their business applications.  In many cases, identity and access control are the only tools available to limit exposure and manage risk from phishing attacks.  Enforcing two-factor authentication (2FA) and password rotation are effective prevention in many cases, however, they are not 100% effective in all cases.  Least privileged access, paired with thorough monitoring of user activity and behavior, are critical to ensuring that damage is limited in the case bad actors gain access your systems."

For detailed findings, please visit https://www.armorblox.com/blog/microsoft-office-phishing-attack-hosted-on-google-firebase/