Recently we posted a blog discussing all the methods Emotet uses to dupe end users. And, wouldn't you know it, the malicious actors are getting even bolder, using Microsoft OneDrive links in hopes of catching someone with their guard down to click the malicious files.

AppRiver security specialists have seen many of these emails in recent weeks, and though they are similar to most Emotet campaigns, this one uses a different template with a PDF image inserted in the body and resources from OneDrive.

So why are they targeting this particular file-sharing service? Because OneDrive is free and makes it easy to create public links to malicious files.

Right away, our specialists noticed several red flags within the email.

First, the salutation used the local-part of the target's email, which is not the norm. Any legitimate business will use the first or full name of the recipient.

Next, although not shown in the example, the REPLY-TO address did not match the FROM ADDRESS, leading us to believe the FROM ADDRESS was spoofed. Please note, REPLY-TOs can be spoofed as well, so it's important to recognize other red flags such as the payload.

The final red flag came in the form of an inserted image of a PDF as a hyperlink, same with the name of the PDF. This is a social engineering tactic to build "credibility" with the target. In this email, the payload is the hyperlink of the PDF. As for the hyperlink, it is a OneDrive link that leads to an Emotet Trojan downloader.

This example is very similar to the previous one, with some minor differences. The entire email address is used as the name in the salutation. Because of the salutation and the spoofed FROM ADDRESS, we have determined the signature is also fake. More than likely, the signature is copy-and-pasted from a legitimate email the spammer may have intercepted or found, in an attempt to add credibility to his malicious email.

Interestingly, the same PDF image of an invoice is used in this example as in the previous one, thus leading us to believe this is a campaign coming from the same individual or organization.
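The red flags described in this post (a salutation built from the recipient's address, a REPLY-TO that differs from the FROM ADDRESS, and an image wrapped in a OneDrive link) can be checked mechanically at a mail gateway or during triage. The following is an added example, not AppRiver's tooling; the sample message, the flag names and the host list are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real campaign email); every name and URL is a placeholder.
SAMPLE = """\
From: "Accounts Payable" <billing@vendor.example>
Reply-To: <ap-team@mailbox.example>
To: <jsmith@target.example>
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello jsmith@target.example,</p>
<a href="https://1drv.ms/u/PLACEHOLDER"><img src="cid:inv" alt="Invoice.pdf"></a>
</body></html>
"""

# Assumption: OneDrive share hosts to watch; extend for your environment.
FILE_SHARE_HOSTS = {"1drv.ms", "onedrive.live.com"}

def html_body(msg):
    """Return the first text/html part as a string ('' if none)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""

def red_flags(raw):
    """Return the list of red flags from the post that this message trips."""
    msg, flags = message_from_string(raw), []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != from_addr:
        flags.append("reply_to_mismatch")
    body = html_body(msg)
    # Salutation built from the recipient's address: local-part or whole address.
    greeting = re.search(r"\b(?:hello|hi|dear)\s+([^,<\n]+)", body, re.I)
    name = greeting.group(1).strip().lower() if greeting else None
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    if any(name in (r, r.split("@")[0]) for r in rcpts):
        flags.append("salutation_from_address")
    # Image wrapped in a link that points at a file-sharing host.
    for m in re.finditer(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*<img\b', body, re.I):
        if (urlparse(m.group(1)).hostname or "").lower() in FILE_SHARE_HOSTS:
            flags.append("image_link_to_file_share")
            break
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

Because REPLY-TO can itself be spoofed to match, treat the header check as one signal among the three rather than a verdict on its own.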