Today’s phish-of-the-week is nothing special, but there are two lessons to learn. At first glance, it’s a very plain and straightforward phishing email (Figure 1) attempting to steal user credentials by portraying itself as a closing document. Nothing out of the ordinary, yet it came with a lot of other emails and with perfect timing – the end of the month when we’re super busy and our guards are down.
The other interesting lesson in this email is the “from” email address and the real attacker’s email address. Remember, the criminal usually count on the victim falling for his trap, but if you haven’t taken the bait by clicking the link in the body of the email, he still wants to hook you if you respond to the original email. That is where he’ll use magic fields (“reply to” or “return-path”). These are hidden from your Outlook view, but they’ll replace the “from” email address when you reply. (Remember, the “from” field in many of these cases is spoofed.) So, say hello to “firstname.lastname@example.org,” who wants to receive any response to this phish (Figure 2). This is not an uncommon practice amongst cybercriminals.
So, what did we learn today? Timing is everything, and cyber crooks know when we’re in a crunch. Always be vigilant during our high season and busy time. When you are replying to the email, always check who your recipient is. Please don’t assume it’s the sender.