Proofpoint Phishing Attack

Proofpoint Phishing Attack Harvests Email Logins

( 3 min read )

In a recent Proofpoint phishing attack, email logins for Microsoft and Google for several hundred employees were stolen. The cybersecurity company was impersonated and phishing emails were sent on its behalf.

The scoop on the Proofpoint Phishing Attack

Cybersecurity researchers spotted a phishing campaign aimed at a global communications business. Thousands of employees within this organization were targeted.

“The email claimed to contain a secure file sent via Proofpoint as a link,” the researchers explained. “Clicking the link took victims to a splash page that spoofed Proofpoint branding and contained login links for different email providers. The attack included dedicated login page spoofs for Microsoft and Google.”

The theme of the email was linked to mortgage payments, a topic which can quickly induce anxiety in the reader. The subject line of the email was “RE: Payoff Request”. As you can see, adding the RE was smart work by the hacker(s) as it subtly suggests that the email thread has been going on previously. It brings a sense of emergency to the phishing bait and prods the victims into taking it.

The email body contained a supposed secure link, which linked to a spoofed splash page containing Proofpoint colors and branding. There were separate spoof flows for Google and Microsoft accounts. The consequent pages matched the actual login process to the T, which increased the probability of the victims following through. But first, the spoofed page asked for the user’s email ID and password.

“When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action,” the researchers further state.

The Proofpoint phishing emails were sent from a compromised email account belonging to a fire department in the south of France. This routing helped the phishers slip through Microsoft’s inherent email security mechanisms. Interestingly enough, the email engines marked these bait emails with a spam risk score of just “1”, the lowest of them all.

As for the spoofed login pages, they were hosted on the greenleafpropertise.co.uk domain. When run through the WhoIs records, the cybersecurity researchers found that domain records for this domain were last updated in April 2021. Currently, the website url takes a visitor to cvgproperties.co.uk, which is a pretty skeletal websitev with poor marketing content strewn over it.

Improving your phishing immunity

Technically speaking, this phishing attack relied on a technique known as brand impersonation, which is basically when an organization’s logo, colours and overall branding are imitated to spread a false sense of security.

However, there was another component to the Proofpoint phishing attack, which had nothing to do with technical malicious payloads and domain spoofing. It had to do with the way human beings interact to digital stimuli. Yes, we are talking about social engineering. Had the victims paid a little more attention to the emails and the consequent pages, they would have caught the scam. Furthermore, this case was an advocate of implementing 2FA, thereby preventing illicit logins.

But not every attack can be detected by the human eye. Some attacks are devilishly designed to trick an aware set of eyes. It is best to rely on a dedicated email security service. These services go beyond the simple security checks of native email security functions of mail service providers. Logix Cloud Email ATP is one such dedicated email security service that can combat all major email threats through inbound email scanning, sandboxing, and domain reputation filtering.


More cybersecurity blogs and resources.

Leave a Reply

Your email address will not be published.