Threat actors commonly use compromised accounts in combination with several other techniques to disguise their attacks. The layering and customization often go well beyond what you might think of as a “typical” phishing attack, yet such attacks are more common than you might expect. Attackers frequently stack several layers of obfuscation and personalization on top of the fact that the message arrives from a legitimate, trusted source.
A recent example, sent from a compromised user account, presented itself as a fraudulent “SharePoint secure message,” while the encrypted-message theme borrowed the Proofpoint encrypted email format and its corresponding email lock image. The payload link pointed to a file uploaded to and hosted on the Adobe Acrobat cloud service, which lends an added appearance of authenticity and, because the host itself is trusted, masks the true disposition of the URL from reputation-based filtering.

If the link is followed, the target views the uploaded PDF, which also carries the SharePoint theme and asks the user to click a second link labeled “Click Here to View Document.” The PDF lure is also customized to appear as though it was sent by the compromised user themselves.

After clicking that link, the target arrives at a believable Microsoft OWA-themed credential-harvesting portal. Attackers often create a CNAME record, or even register a domain that resembles the compromised user’s domain, such as saukvalleylaws[.]live, especially if they plan to conduct BEC wire-transfer attacks. In this case the look-alike domain was registered on the same day as the attack, which is itself a strong signal: a domain created hours before the message has no established reputation to speak of.
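The triage a mail-security analyst would run on links like the ones in this chain can be automated. The following is an added example, not code from the original writeup: it extracts URLs from a message body, flags links hosted on a public file-sharing service, detects look-alike domains (a TLD swap such as .com to .live, or a near-match on the second-level label) against a protected organization domain, and flags domains whose registration date is within the last month. The organization domain `example-law.com`, the registration dates, the sharing-host list, and the sample lure text are all constructed for the example; a real deployment would replace the dictionary lookup with an RDAP or WHOIS query and use a public-suffix list instead of the naive "last two labels" rule.

```python
"""Link triage for a layered phishing lure (added example; constructed inputs)."""
import re
from datetime import date

# Hypothetical protected domain; the writeup does not give the victim's real domain.
ORG_DOMAIN = "example-law.com"

# Constructed stand-in for RDAP/WHOIS registration dates (no real lookups here).
REGISTRATION_DATES = {
    "example-law.com": date(2009, 3, 2),
    "example-law.live": date(2023, 5, 10),   # look-alike, "registered today"
    "examp1e-law.com": date(2023, 5, 10),    # digit-for-letter typosquat
    "partner-firm.org": date(2015, 8, 1),
}

# Constructed list of file-sharing hosts commonly abused to host lure PDFs (assumption).
SHARING_HOSTS = {"documentcloud.adobe.com", "acrobat.adobe.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive: ignores multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_kind(domain: str, org: str = ORG_DOMAIN):
    """Return 'tld-swap', 'typosquat', or None for how `domain` resembles `org`."""
    if domain == org:
        return None
    d_sld, _, d_tld = domain.rpartition(".")
    o_sld, _, o_tld = org.rpartition(".")
    if d_sld == o_sld and d_tld != o_tld:
        return "tld-swap"
    if levenshtein(d_sld, o_sld) <= 2:
        return "typosquat"
    return None


def triage_links(text: str, today: date, max_age_days: int = 30) -> list:
    """Return [(url, [reasons...])] for every URL that trips at least one check."""
    findings = []
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        dom = registrable_domain(host)
        reasons = []
        if host in SHARING_HOSTS:
            reasons.append("lure hosted on public file-sharing service")
        kind = lookalike_kind(dom)
        if kind:
            reasons.append(f"{kind} of {ORG_DOMAIN}")
        reg = REGISTRATION_DATES.get(dom)
        if reg is not None and (today - reg).days <= max_age_days:
            reasons.append(f"domain registered {(today - reg).days} day(s) ago")
        if reasons:
            findings.append((m.group(0), reasons))
    return findings


# Constructed lure text mirroring the chain described above (not a real capture).
SAMPLE_LURE = """
Secure Message from SharePoint
View the encrypted document: https://documentcloud.adobe.com/link/review/constructed-id
Click Here to View Document: https://example-law.live/owa/auth/logon.aspx
Internal reference: https://intranet.example-law.com/docs
Partner portal: https://partner-firm.org/login
"""

if __name__ == "__main__":
    for url, reasons in triage_links(SAMPLE_LURE, date(2023, 5, 10)):
        print(url)
        for r in reasons:
            print("   -", r)
```

Only the two attacker-controlled links are reported: the Adobe-hosted PDF because of where it is hosted, and the OWA portal because its domain is a TLD swap of the protected domain and was registered the same day. The internal link and the partner link pass. The registration-age check is the cheapest of the three and catches same-day domains regardless of how closely they mimic the original, so it is worth running even when the look-alike heuristics miss.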
