Summary:
At about 12:33 PM Eastern an e-mail was delivered to multiple mailboxes within the company. It purported to be from an internal employee; the sender address was legitimate and was not obfuscated to hide a different originating address. There were at least two variations of the email. Both contained links to a malicious domain (sued[.]co[.]ke). The link was hidden behind alternate text that said "DownloadAttachments". Clicking the link would prompt some users to enter their email address and password.

The URL and parent domain were immediately added to the company's Umbrella solution to prevent any further DNS resolution to the domain when users click on the link. The IP addresses that the link resolved to were added to the firewalls at all sites to be shunned.

It appears that approximately 35 – 40 users clicked on the link and entered credentials. All users that have contacted IT Support or HelpDesk have had their domain password changed.

Investigation indicates that this email came from an external IP address and was not necessarily sent from an internal device. The originating IP address in the email header is unknown to threat intel resources. The address is located in Illinois, in a VPN block that belongs to LogicWeb. There are no domains hosted at this IP.

The email body was created in Gmail, as indicated by the tags around the source, and the alternate text of the SharePoint logo is in Spanish: img alt="Resultado de imagen para sharepoint logo"
Known malicious sample download
SHA256: f9e8e6107cb0ff5ad3b891ad99580aac57eaa8f519c8ba9baa9c779d4b6f68f8
File Type: HTML
Magic: HTML document text
SSDeep: 768:DHxjTggziQuAr7SpF9G9h919/ozio/InD:6GiQuAr7SpEozio/ID
File Size: 28.77 KB
Main detection: Trojan.HTML.Phishing
Domain Info
Domain Name: sued.co.ke
IP Addresses Resolved to:
· 208.91.199.87
· 162.213.252.60 <-- All our traffic was centered around this IP
Screenshot of the email:
E-Mail Message Sample 1 Header and Source
Received: from BN7xxxxxxx113.xxxxxxx.prod.outlook.com (2603:10b6:4:ae::39) by DMxxxxxB4105.xxxxxx.prod.outlook.com with HTTPS via DM5xxxx0.NAMxxx07.PROD.OUTLOOK.COM; Mon, 14 May 2018 16:33:27 +0000
Authentication-Results: domain.com; dkim=none (message not signed) header.d=none;domain.com; dmarc=none action=none header.from=<company name>;
.
.
.
From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>
Subject: INVOICE
Thread-Topic: INVOICE
X-MS-Exchange-Organization-MessageDirectionality: Originating
X-MS-Exchange-Organization-AuthSource: BN7PRxxxxmprd04.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-Originating-IP: [173.239.199.110]
X-MS-Exchange-Organization-Network-Message-Id: 61d1100c-e50e-4798-2591-08d5b9b868a9
X-MS-PublicTrafficType: Email
X-Microsoft-Exchange-Diagnostics: 1;BN7PR04MB4307;35:hYQ8ykDJvNTkVuzaeSsSAZpmmFrC1R5Ulntep7gMcSI/UhbDiIALU6UQOhBeYZY2UCllhTuswM3SWrmuDe6GIw==
Return-Path: dennis.manning@bioglobal.co
X-MS-Exchange-Organization-ExpirationStartTime: 14 May 2018 16:33:22.6051 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: Original Submit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: Original Submit
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;
E-Mail Message Sample 2 Header and Source
Received: from BN7xxxx04.xxxxxxx4.prod.outlook.com (2603:10b6:4:ae::44) by DxxxxxB4105.namprd04.prod.outlook.com with HTTPS via DM5xxxx0115.NAxxx07.PROD.OUTLOOK.COM; Mon, 14 May 2018 16:34:11 +0000
Received: from BNxxxxxB4050.xxxxxx.prod.outlook.com (20.176.18.18) by BN7Pxxxx04.xxxx4.prod.outlook.com (20.xx6.xx.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.755.16; Mon, 14 May 2018 16:34:09 +0000
Authentication-Results: teijin.co.jp; dkim=none (message not signed) header.d=none;teijin.co.jp; dmarc=none action=none header.from=<Company name>;
.
.
.
From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>
Subject: INVOICE
Thread-Topic: INVOICE
Date: Mon, 14 May 2018 16:34:04 +0000
X-Originating-IP: [173.239.199.110]
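The header signals noted above (dkim=none, dmarc=none, From equal to To, and an AuthAs of Internal next to an external X-Originating-IP) can be checked mechanically. The following Python is an added example, not code from the original post; the sample headers are constructed from the redacted Sample 1 above, and the internal address range is an assumption.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: the company's internal address ranges (the post redacts them as 10.x.x.x).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed from the redacted Sample 1 header above; only the fields the checks use.
SAMPLE_1 = """\
Authentication-Results: domain.com; dkim=none (message not signed) header.d=none;domain.com; dmarc=none action=none header.from=<company name>;
From: "Dennis B. Manning" <dennis.manning@bioglobal.co>
To: "Dennis B. Manning" <dennis.manning@bioglobal.co>
Subject: INVOICE
X-MS-Exchange-Organization-AuthAs: Internal
X-Originating-IP: [173.239.199.110]

"""


def triage_headers(raw):
    """Return the triage findings for one message's raw headers."""
    msg = message_from_string(raw)
    findings = []
    auth = msg.get("Authentication-Results", "")
    if "dkim=none" in auth:
        findings.append("message is not DKIM-signed")
    if "dmarc=none" in auth:
        findings.append("no DMARC result for the From domain")
    if msg.get("From") and msg.get("From") == msg.get("To"):
        findings.append("self-addressed: From equals To")
    m = re.search(r"\d+\.\d+\.\d+\.\d+", msg.get("X-Originating-IP", ""))
    if m:
        ip = ipaddress.ip_address(m.group(0))
        auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "")
        # An authenticated (Internal) submission from outside company ranges is a
        # prioritisation signal for an account review; legitimate remote users will
        # match too, so treat it as a lead rather than a verdict.
        if auth_as == "Internal" and not any(ip in net for net in INTERNAL_NETS):
            findings.append(f"submitted as Internal from external IP {ip}")
    return findings
```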
E-Mail Body Source Code (interesting sections)
<a href="http://sued.co.ke/sharepoint/sharepoint/"
rel="noopener noreferrer" id="LPlnk981628" class="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-OWAAutoLink
gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-OWAAutoLink
gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-OWAAutoLink OWAAutoLink" target="_blank" style="color:rgb(17,85,204)"
previewremoved="true"><font size="2"
color="#1155CC"><span
id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-LPlnk375107"
style="font-size:16px;
background-color:transparent">DownloadAttachments</span></font></a>
.
.
.
<span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-ms-rterangepaste-start"
style="font-size:16px;
background-color:transparent"></span></font><img alt="Resultado de imagen para sharepoint logo"
width="152" height="48" src="https://mvpcluster.com/wp-content/uploads/2016/03/0001-SP-2013-Logo.png"><font
size="2" color="#1155CC"><span id="gmail-m_-5254795068973409301gmail-m_3735968270271966208gmail-m_1095737800804209384m_-8407371155946476852gmail-m_-8252052683460989792gmail-m_6238816748888944654gmail-m_741264181270171108gmail-m_2205792334074373374gmail-ms-rterangepaste-end"
style="font-size:16px; background-color:transparent"></span>
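An added example (not from the original post) that audits a body like the one above: it records where each link and image actually points, compares that with the hosts the SharePoint lure implies, and counts the gmail- class prefixes the post uses to infer Gmail composition. The sample body is constructed from the fragment above with the class chain shortened, and the list of expected hosts is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed from the body fragment above, with the long gmail-m_ class chain cut
# down to two markers; the list of expected hosts is an assumption.
SAMPLE_BODY = (
    '<a href="http://sued.co.ke/sharepoint/sharepoint/" rel="noopener noreferrer" '
    'class="gmail-m_-5254795068973409301gmail-OWAAutoLink OWAAutoLink" target="_blank">'
    '<font size="2"><span style="font-size:16px">DownloadAttachments</span></font></a>'
    '<img alt="Resultado de imagen para sharepoint logo" width="152" height="48" '
    'src="https://mvpcluster.com/wp-content/uploads/2016/03/0001-SP-2013-Logo.png">'
)


class BodyAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self.gmail_markers = [], 0   # refs: (kind, visible label, url)
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # The post infers Gmail composition from these gmail- class prefixes.
        self.gmail_markers += (a.get("class") or "").count("gmail-")
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "img":
            self.refs.append(("image", a.get("alt") or "", a.get("src") or ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.refs.append(("link", "".join(self._text).strip(), self._href))
            self._href = None


def audit_body(html, expected_hosts=("sharepoint.com", "microsoft.com")):
    """Flag links/images whose host is not one the lure claims, plus Gmail-origin markers."""
    p = BodyAudit()
    p.feed(html)
    findings = []
    for kind, label, url in p.refs:
        host = urlparse(url).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in expected_hosts):
            findings.append(f"{kind} '{label}' points to unexpected host {host}")
    if p.gmail_markers:
        findings.append(f"{p.gmail_markers} gmail- class markers: body composed in Gmail")
    return findings
```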
First Query seen in SC
May 14 09:41:14 nnm: 10.x.x.101:53|10.x.x.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |sued.co.ke to the server at 10.x.x.111|
SecurityCenter Events
· 530 Web_Request events tracked by SC. Almost all were GET requests for .css files. The ones below were unique in the list of GET/POST events:
HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: POST;URI: /?wc-ajax=get_refreshed_fragments;Referer: http://sued.co.ke/sharepoint/sharepoint/Office%20365_files/SuiteServiceProxy.htm
Random variations (showed up 4 or 5 times out of 140 events):
GET;URI: /s/opensans/v15/mem5YaGs126MiZpBA-UN_r8OXOhv.woff;
GET;URI: /sharepoint/sharepoint/Office%20365_files/shellwofficons_f991c945.woff;
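An added example (not from the original post) that runs the same triage over PVS lines like those above, so hosts that resolved the domain or contacted the IOC IPs can be identified and their users contacted instead of waiting for them to reach HelpDesk. The sample lines are constructed: the 10.0.0.x source hosts, the pipe layout of the HTTP lines and the placeholder plugin id 0 are assumptions.

```python
import re
from collections import defaultdict

IOC_DOMAINS = {"sued.co.ke"}
IOC_IPS = {"208.91.199.87", "162.213.252.60"}

# Constructed lines in the shape of the PVS events shown above. The 10.0.0.x source
# hosts are assumed (the post redacts them as 10.x.x.x) and the pipe layout of the
# HTTP lines, with plugin id 0 as a placeholder, is assumed to match the DNS line.
SAMPLE_LOG = """\
May 14 09:41:14 nnm: 10.0.0.101:53|10.0.0.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |sued.co.ke to the server at 10.0.0.111|
May 14 09:41:20 nnm: 10.0.0.101:52310|162.213.252.60:80|6|0|HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: GET;URI: /sharepoint/sharepoint/;Referer: |
May 14 09:41:37 nnm: 10.0.0.101:52316|162.213.252.60:80|6|0|HTTP request detection|The following GET/POST request was observed:|DIP: 162.213.252.60:80 Type: POST;URI: /?wc-ajax=get_refreshed_fragments;Referer: http://sued.co.ke/sharepoint/sharepoint/Office%20365_files/SuiteServiceProxy.htm|
May 14 09:43:02 nnm: 10.0.0.137:53|10.0.0.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |sued.co.ke to the server at 10.0.0.111|
May 14 09:45:11 nnm: 10.0.0.142:53|10.0.0.111:53|17|7024|DNS Client Queries|PVS has observed this host perform a DNS lookup. The most recent DNS query performed was for: |example.org to the server at 10.0.0.111|
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ nnm: (?P<src>[\d.]+):\d+\|(?P<dst>[\d.]+):\d+\|\d+\|\d+\|"
    r"(?P<event>[^|]*)\|(?P<rest>.*)$"
)


def triage_log(text):
    """Map each internal host to the IOC activity seen for it: dns, http_get, http_post."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, event, rest = m.group("src", "dst", "event", "rest")
        if event == "DNS Client Queries":
            q = re.search(r"was for: \|(\S+) to the server", rest)
            if q and q.group(1) in IOC_DOMAINS:
                hits[src].add("dns")
        elif event == "HTTP request detection" and dst in IOC_IPS:
            method = re.search(r"Type: (GET|POST)", rest)
            hits[src].add("http_" + (method.group(1).lower() if method else "other"))
    return dict(hits)


def contact_order(hits):
    """Hosts that reached the IOC IP first (they got past DNS), then lookup-only hosts."""
    return sorted(hits, key=lambda h: (not any(a.startswith("http") for a in hits[h]), h))
```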