Phish Wire - April 3 2025
  • 02 Apr 2025

A record spearphish surge continued into the second half of March, particularly with Microsoft and Outlook credentials targeted via fileshare platforms like SharePoint, OneDrive, and Green Envelope. Additionally, phishing campaigns targeting users of financial services like PayPal, American Express, Chase Bank, and Capital One continued their trend. We saw many additional targeted brands, like Netflix, but a viral Instagram phishing scheme stood out. Below are some examples and highlights.

Outlook Phishing via File Shares

In mid-March, a staff member at a California organization clicked on an Outlook phishing email that was shared with them via OneDrive.

Links clicked outside the purview of corporate email routinely evade the traditional phishing security ecosystem.

A similar Outlook phishing link was clicked by an employee of a Texas organization, this time via Green Envelope, an online invitation platform.

The period saw a record surge in similar attacks via various message-sharing applications outside of email. A few highlights are below, targeting users in Texas, Florida, and Kentucky.


Viral Social Media Phishing

One notable incident involved a phishing attack on Instagram that a staff member at an organization in Kentucky inadvertently engaged with.

The attack follows a reported pattern of “voting scams,” where compromised Instagram accounts send messages to their contacts, asking them to “vote for them in a Google online influencer competition.”

Source: https://www.reddit.com/r/Instagram/comments/14du36k/voting_scam_from_a_friend

This campaign spread virally through Instagram's messenger app, outside the scope of traditional email protection. The hacker utilized legitimate hosting infrastructure to launch the attack.

Financial Services Phishing


The same period extended the trend of phishing attacks on financial services, including PayPal “vishing” and stealthy Chase Bank phishing.

The PayPal phishing links contained tracking parameters in the URL, indicating they had been clicked in Google Ads campaigns.
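
The observation above suggests a simple hunt over web proxy logs: flag URLs that carry an ad click identifier and name a watched brand while sitting on a host the brand does not own. The sketch below is an added example, not part of the original bulletin; the parameter names (`gclid`, `gbraid`, `wbraid`, `gad_source`) are Google Ads click identifiers that the bulletin itself does not list, and the brand watchlist, log format, and sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Click identifiers that Google Ads appends to landing-page URLs.
AD_CLICK_PARAMS = {"gclid", "gbraid", "wbraid", "gad_source"}

# Assumed watchlist: brand keyword -> domains the brand legitimately uses.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
}

def on_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def ad_sourced_lookalike(url):
    """Return (brand, ad_params) when the URL arrived via an ad click and
    names a watched brand on a host the brand does not own, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    ad_params = sorted(AD_CLICK_PARAMS & query_keys)
    if not ad_params:
        return None
    haystack = (host + parts.path).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in haystack and not on_domain(host, domains):
            return brand, ad_params
    return None

# Constructed proxy log lines (timestamp, user, URL); hosts use reserved TLDs.
SAMPLE_LOG = """\
2025-03-20T14:02:11Z alice https://www.paypal.com/signin?gclid=abc123
2025-03-20T14:05:40Z bob https://paypal-help.example/support/call?gclid=Cj0KCQ&gad_source=1
2025-03-20T14:09:03Z carol https://shop.example/checkout?utm_source=newsletter
2025-03-20T14:11:27Z dave https://secure-login.test/chase/verify?wbraid=XyZ
"""

def scan(log_text):
    """Return (timestamp, user, host, brand, ad_params) for each flagged line."""
    hits = []
    for line in log_text.splitlines():
        ts, user, url = line.split(maxsplit=2)
        verdict = ad_sourced_lookalike(url)
        if verdict:
            hits.append((ts, user, urlsplit(url).hostname, *verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Keyword matching of this kind produces leads for triage rather than verdicts; legitimate partners and affiliates that mention a brand in their URLs will also match and need an allowlist.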

Actions 

  • Block the specified domains on corporate firewalls and endpoint security solutions.

  • Educate users about the risks of phishing in file-sharing applications, such as SharePoint and OneDrive, in addition to email. 

  • Remind users that personal accounts accessed on corporate devices also carry phishing risks.

  • Instruct users to locate the valid support number for their financial institution through a Google search rather than calling numbers found on unverified web pages.

  • Enforce multi-factor authentication (MFA) for all corporate logins to minimize the risk of credential compromise.

