Phishing is one of the most common ways for attackers to attempt to infiltrate an environment. Actors frequently update their email lures to reference topics of high interest to their targets, such as global health crises like COVID-19, or well-known industry events, like international conferences. The activity group, PHOSPHORUS, is employing both kinds of current event themes in sophisticated spear phishing attacks.
PHOSPHORUS is a nation state actor that operates out of the Southern Asia region, and has frequently targeted the defense and government sectors in the US, UK, and Israel, as well as political activists, journalists, and Iranian dissidents. PHOSPHORUS commonly employs spear phishing campaigns that redirect targets to credential harvesting domains.
In recent months, Microsoft has observed PHOSPHORUS conducting a spear phishing campaign against legitimate high-profile, international policy conferences. PHOSPHORUS has used masquerade techniques to pose as global policy conference organizers and send spoofed email invitations. These attacks are designed to trick targets into exposing their email credentials, thus compromising organizations or individuals of interest, especially government, former government, and other policy officials perceived as adversaries to the nation-state behind PHOSPHORUS.
As of October 2020, PHOSPHORUS has targeted the Think 20 (T20) Summit in Riyadh, Saudi Arabia (slated for late October 2020) and the Munich Security Conference in February 2021. These conferences are broadly attended by government officials and policy experts from around the world, in order to collaborate in shaping future policies. PHOSPHORUS appears to be seeking to collect intelligence in the diplomatic space and is particularly focused on the United States and allied policy makers.
Attacks by this group have extended beyond credential theft, to include mapping compromised individual mailboxes and maintain persistent access for ongoing surveillance. Microsoft believes, based on an analysis of the actor’s email sending patterns, that this campaign is still ongoing by the time of this writing.
Microsoft has implemented rules to block and mitigate these attacks for our customers. Sharing details about the campaign will also help customers detect indicators and behaviors associated with PHOSPHORUS, enabling defenders to identify if their organizations have been targeted.
Analysis
Between February and October 2020, PHOSPHORUS engaged in a persistent and highly targeted spear phishing campaign. The group sent several hundred well-written spoofed emails, masquerading as organizers from two separate conferences.
Social engineering approach and techniques
PHOSPHORUS emailed invitations to more than a hundred individuals, including current and former diplomats, politicians, foreign policy advisors, activists, journalists, and political scholars. The attackers displayed a seasoned and very targeted social engineering approach, in which they leveraged the extensive publicly-available information about the conferences. They used this information in their invitations to build rapport—often flattering targets—before requesting personal information. Their persistent efforts succeeded in compromising numerous individuals, including ambassadors and senior policy officials.
During the targeting process, the attackers were extremely persistent, consistently following up with individuals to ensure that they received a file containing links to a credential harvesting website. In some instances, the target wrote back to PHOSPHORUS, stating that they were unable to open the file. The attacker immediately responded, regardless of the time of day, and proceeded to send the target a new file. If the targeted individual became suspicious and asked for additional details, PHOSPHORUS sent a link to a file on OneDrive containing an events calendar tied to the actual event.
COVID-19 themed event modifications
PHOSPHORUS has also demonstrated resilience and flexibility, claiming to shift to virtual sessions to accommodate individuals who initially declined the lures due to health or travel concerns amid the COVID-19 pandemic. When a potential target would note that they would be unable to attend due to travel restrictions, the attackers replied that some of the sessions would be virtual.
Email showing the attacker changing tactics due to COVID-19
Typical attack flow
The attack methodology used by PHOSPHORUS follows a similar process each time.
Flow of a typical attack in this campaign, starting with a spoofed invite and resulting in persistent access to the target's mailbox
First, the attacker, masquerading as the conference organizer, sends an email invite to the target. They encourage the target to participate in the conference, often with flattery.
Sample conference invitation letter using the spoofed identity of a conference organizer
Next, the target responds by stating that they would like to participate. The attacker requests that they send a picture and biography.
Mockup of a response, thanking the attacker and offering to participate in the conference
After the target responds and sends the attacker a picture, the PHOSPHORUS adds the image to a password-protected PDF file. The file contains a custom image, linked to an URL obfuscated via the bit.ly URL shortening service. The attacker then sends the password-protected PDF file to the target.
Response from the attacker, with the password to a PDF file containing malicious links
The target opens the email and sees their picture in the spoofed invitation to the conference, as well as a button inviting them to view an event calendar.
Spoofed event invite with link to a credential harvesting domain
The event calendar button points to an obfuscated URL, redirecting the user to a credential harvesting page hosted on a known PHOSPHORUS domain. The aim is to gather email credentials from the target.
PHOSPHORUS-controlled credential harvesting website that closely resembles OneDrive
If the target discloses their email credentials in the attacker-controlled site, PHOSPHORUS will use the disclosed credentials to log on to the target's mailbox and download all of the target's emails and contacts.
It should be noted that several conference organizers have received reports that attackers either used compromised organizer accounts or spoofed organizer identities. In July, Microsoft alerted Munich Security Conference Organizers that PHOSPHORUS had compromised the account of one of their staff. In response, organizers of Munich Security Conference posted a tweet on October 3, 2020 reminding constituents that emails from the Munich Security Conference are sent from email addresses in securityconference.org.
Tweet from the Munich Security Conference CEO discouraging attendees from opening email messages from masquerade accounts
Microsoft also began marking as spam any inbound email that contained a link to a known PHOSPHORUS credential harvesting website. Microsoft security researchers assess that the spear phishing efforts referenced in the tweet had limited success, due to the notification in the tweet as well as spam filtering and detection efforts by Microsoft.
Michael Platt
Summary
Phishing is one of the most common ways for attackers to attempt to infiltrate an environment. Actors frequently update their email lures to reference topics of high interest to their targets, such as global health crises like COVID-19, or well-known industry events, like international conferences. The activity group, PHOSPHORUS, is employing both kinds of current event themes in sophisticated spear phishing attacks.
PHOSPHORUS is a nation state actor that operates out of the Southern Asia region, and has frequently targeted the defense and government sectors in the US, UK, and Israel, as well as political activists, journalists, and Iranian dissidents. PHOSPHORUS commonly employs spear phishing campaigns that redirect targets to credential harvesting domains.
In recent months, Microsoft has observed PHOSPHORUS conducting a spear phishing campaign against legitimate high-profile, international policy conferences. PHOSPHORUS has used masquerade techniques to pose as global policy conference organizers and send spoofed email invitations. These attacks are designed to trick targets into exposing their email credentials, thus compromising organizations or individuals of interest, especially government, former government, and other policy officials perceived as adversaries to the nation-state behind PHOSPHORUS.
As of October 2020, PHOSPHORUS has targeted the Think 20 (T20) Summit in Riyadh, Saudi Arabia (slated for late October 2020) and the Munich Security Conference in February 2021. These conferences are broadly attended by government officials and policy experts from around the world, in order to collaborate in shaping future policies. PHOSPHORUS appears to be seeking to collect intelligence in the diplomatic space and is particularly focused on the United States and allied policy makers.
Attacks by this group have extended beyond credential theft, to include mapping compromised individual mailboxes and maintain persistent access for ongoing surveillance. Microsoft believes, based on an analysis of the actor’s email sending patterns, that this campaign is still ongoing by the time of this writing.
Microsoft has implemented rules to block and mitigate these attacks for our customers. Sharing details about the campaign will also help customers detect indicators and behaviors associated with PHOSPHORUS, enabling defenders to identify if their organizations have been targeted.
Analysis
Between February and October 2020, PHOSPHORUS engaged in a persistent and highly targeted spear phishing campaign. The group sent several hundred well-written spoofed emails, masquerading as organizers from two separate conferences.
Social engineering approach and techniques
PHOSPHORUS emailed invitations to more than a hundred individuals, including current and former diplomats, politicians, foreign policy advisors, activists, journalists, and political scholars. The attackers displayed a seasoned and very targeted social engineering approach, in which they leveraged the extensive publicly-available information about the conferences. They used this information in their invitations to build rapport—often flattering targets—before requesting personal information. Their persistent efforts succeeded in compromising numerous individuals, including ambassadors and senior policy officials.
During the targeting process, the attackers were extremely persistent, consistently following up with individuals to ensure that they received a file containing links to a credential harvesting website. In some instances, the target wrote back to PHOSPHORUS, stating that they were unable to open the file. The attacker immediately responded, regardless of the time of day, and proceeded to send the target a new file. If the targeted individual became suspicious and asked for additional details, PHOSPHORUS sent a link to a file on OneDrive containing an events calendar tied to the actual event.
COVID-19 themed event modifications
PHOSPHORUS has also demonstrated resilience and flexibility, claiming to shift to virtual sessions to accommodate individuals who initially declined the lures due to health or travel concerns amid the COVID-19 pandemic. When a potential target would note that they would be unable to attend due to travel restrictions, the attackers replied that some of the sessions would be virtual.
Typical attack flow
The attack methodology used by PHOSPHORUS follows a similar process each time.
First, the attacker, masquerading as the conference organizer, sends an email invite to the target. They encourage the target to participate in the conference, often with flattery.
Next, the target responds by stating that they would like to participate. The attacker requests that they send a picture and biography.
After the target responds and sends the attacker a picture, the PHOSPHORUS adds the image to a password-protected PDF file. The file contains a custom image, linked to an URL obfuscated via the bit.ly URL shortening service. The attacker then sends the password-protected PDF file to the target.
The target opens the email and sees their picture in the spoofed invitation to the conference, as well as a button inviting them to view an event calendar.
The event calendar button points to an obfuscated URL, redirecting the user to a credential harvesting page hosted on a known PHOSPHORUS domain. The aim is to gather email credentials from the target.
If the target discloses their email credentials in the attacker-controlled site, PHOSPHORUS will use the disclosed credentials to log on to the target's mailbox and download all of the target's emails and contacts.
It should be noted that several conference organizers have received reports that attackers either used compromised organizer accounts or spoofed organizer identities. In July, Microsoft alerted Munich Security Conference Organizers that PHOSPHORUS had compromised the account of one of their staff. In response, organizers of Munich Security Conference posted a tweet on October 3, 2020 reminding constituents that emails from the Munich Security Conference are sent from email addresses in securityconference.org.
Microsoft also began marking as spam any inbound email that contained a link to a known PHOSPHORUS credential harvesting website. Microsoft security researchers assess that the spear phishing efforts referenced in the tweet had limited success, due to the notification in the tweet as well as spam filtering and detection efforts by Microsoft.
Source: https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/