Connect with us

Hi, what are you looking for?


Email Security

Chipotle’s Email Marketing Account Hacked to Spread Malware

Nobelium-style Phishing Tactics Used to Spread Malware

Nobelium-style Phishing Tactics Used to Spread Malware

A new phishing campaign exploiting a compromised mailing service account was discovered in mid-July. In this campaign, an anti-phishing firm found 121 phishing emails in the four-day period from July 13, 2021 to July 16, 2021. The phishing technique is identical to that used by Nobelium (suspected to be behind the SolarWinds hack) in May 2021.

In May, Microsoft reported on a Nobelium campaign that involved malicious emails being sent to roughly 3,000 accounts across over 150 organizations in 24 countries. All the malicious emails were sent via the Constant Contact mailing service using the compromised account of the United States Agency for International Development (USAID).

The new campaign was discovered by the Inky anti-phish firm, and the volume is likely to represent just a subset of the total number of emails. Inky states in its report that it doesn’t yet know whether the new campaign was instigated by the same threat actor, or simply copycat criminals using the same technique as Nobelium – but is investigating.

The technique involves compromising the account of a genuine mail service user. In the latest incident, the account was that of fast-food firm Chipotle and the mail service was Mailgun. This technique generally has a high success rate because the emails appear to be genuine from high reputation sources. The emails pass many automated phish detection systems since they come from a high reputation IP address (Mailgun: and pass SPF and DKIM authentication.

“Analysis of the email headers revealed that the messages originated from Mailgun servers ( and and passed email authentication for chipotle[.]com,” says Inky.

Of the 121 phishing emails detected, two were vishing attacks (fake voicemail notifications with malware attachments), 14 impersonated the USAA Bank, and 105 impersonated Microsoft. Inky does not indicate the malware included with the vishing attempts, nor does it specify the phished target organizations. It does, however, analyze the phishing emails.

The 14 USAA bank impersonations contained a mail.chipotle[.]com link that redirected to a forged and malicious USAA Bank credential harvesting site. The credential harvesting site is a good impersonation of the genuine bank site, including a perfect copy of the USAA logo. “The black hats can make these pages by simply cloning the real page, changing just one or two details to the underlying HTML, and voila! A credential-harvesting page is born,” comment the researchers.

Advertisement. Scroll to continue reading.

USAA Phishing Landing Page

USAA Credential Harvesting Page

The majority of the phishing emails impersonate Microsoft. This is unsurprising since almost everyone has a Microsoft account, and almost all of them contain large amounts of valuable detail (such as other logins, trade secrets, financial details and more).

In the example provided by Inky, the mail is sent by ‘Microsoft 365 Message center <[email protected]>’. The subject says, “You have (7) clustered/undelivered emails 16 July 2021”. This should not fool an observant user who should question why Microsoft is sending emails via a fast-food firm – but could fool automated detections that rely heavily on sender reputations.

The email content is a typical scam lure. The target has seven emails held up by storage issues, but now available for collection (the curiosity trigger). Ignoring the message could disable the account (the fear trigger). This is followed by a button labelled ‘Release messages to inbox’. Clicking this button takes the user to a credential harvesting fake Microsoft login page.

The clue to detecting this type of phishing email lies in the discrepancy between the sender’s name (in these instances, Microsoft, USAA and VM Caller ID), and the actual email sender (in this instance postmaster[@]chipotle[.]com). The former is not likely to use the latter to send out emails. The problem, however, is that secure email gateways often rely on checking solely whether the sending domain is legitimate, and the email is coming from an approved range of IP addresses.

College Park, MD-based phish prevention firm INKY was founded in 2008 by Dave Baggett (CEO) and Simon Smith (COO). In June 2020 it raised $20 million in a Series B funding round led by Insight Partners, bringing the total raised to $31.6 million.

Related: AI-Facilitated Product Aims to Stop Spear-Phishing Attacks

Related: Microsoft: Ongoing, Expanding Campaign Bypassing Phishing Protections

Related: Chipotle Investigating Payment Card Breach

Related: Member of FIN7 Hacking Group Sentenced to US Prison

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...