Cybercriminals behind a successful phishing campaign have exposed more than 1,000 corporate employee credentials on the Internet, according to a warning from security vendor Check Point.
The corporate account credentials were stolen as part of a phishing campaign that kicked off in August 2020, targeting thousands of organizations worldwide.
As part of the campaign, the attackers were able to successfully bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering, which allowed them to harvest more than a thousand credentials from victims.
According to Check Point, the miscreants behind the campaign made a simple mistake that eventually resulted in the stolen credentials being publicly accessible on the Internet, “across dozens of drop-zone servers used by the attackers.”
Because of that, anyone could have used Google search to find the passwords for the compromised, stolen email addresses.
The attack started with phishing emails masquerading as Xerox notifications, attempting to lure victims into clicking on a malicious HTML attachment, which resulted in the browser displaying a blurred image.
JavaScript code running in the background, however, would perform password checks and send data to drop-zone servers controlled by the attackers, after which it would redirect the victim to a legitimate Office 365 login page.
Check Point also notes that the attackers continuously refined the code throughout the campaign, creating a more realistic experience, in an attempt to avoid any kind of suspicion from the victims and to ensure that their attacks can evade detection by antivirus vendors.
The cybercriminals employed both their own infrastructure to host domains used in the phishing attacks, and dozens of compromised WordPress websites that were used as drop-zone servers.
“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations. The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors,” Check Point explains.
Once sent to the drop-zone servers, the stolen data was saved in files that were publicly accessible, thus indexable by Google, meaning that anyone could have located the stolen email address credentials via the popular search engine.
Check Point says it informed Google on the issue, and “victims now can use Google search capabilities to look for their stolen credentials and change their passwords accordingly.”
The campaign appears to have been mainly targeted at energy and construction companies, though IT, healthcare, real estate, manufacturing, education, transportation, financial services, and retail organizations were also targeted.
Analysis of the Tactics, Techniques, and Procedures (TTPs) employed in this campaign has allowed Check Point to identify a similar set of phishing attacks, carried out in May 2020, but which redirected to another version of an Office 365 phishing page.
Related: FINRA Warns Brokerage Firms of Phishing Campaign
Related: The Evolution of Phishing: Welcome “Vishing”
Related: Phishing Attacks: Best Practices for Not Taking the Bait

More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
