- Attackers used Mimecast’s URL rewriting feature to hide malicious links in phishing emails
- More than 40,000 emails reach more than 6,000 organizations, including consulting and technology companies.
- The campaign bypassed filters around the world and most of the victims were found in the US, although Mimecast says there were no errors.
Cybercriminals are abusing a legitimate Mimecast feature to send convincing phishing emails to their victims on a massive scale.
This is according to cybersecurity researcher Check Point, which claims to have sent more than 40,000 such emails to more than 6,000 organizations around the world in just two weeks.
First, fraudsters created messages that resembled emails from well-known brands (SharePoint, DocuSign, or other messages with electronic signatures), paying attention to details such as logos, subject lines, and display names. Nothing in the messages distinguishes them from routine e-mails.
Targeted technical and real estate advice.
At the same time, they would create phishing landing pages that would steal login credentials or spread malware. These URLs are hidden behind one or more legitimate tracking and retargeting services, in this case Mimecast.
Because this service rewrites links to route them through a trusted domain, attackers send their malicious links so that the final email shows a Mimecast domain instead of the actual destination.
This allows phishing emails to successfully bypass email security solutions and filters and land directly in victims’ inboxes.
Check Point says many industries have been affected by this campaign, but some (where the exchange of contracts and invoices is common) have been particularly hard hit. These include consulting, technology and real estate. Other notable mentions include healthcare, finance, manufacturing and government.
The majority of casualties occur in the United States (34,000), followed by Europe (4,500) and Canada (750).
Mimecast emphasized that this is not a security flaw, but rather a legitimate feature open to exploitation.
“The attack campaign described by Check Point used legitimate URL redirection services to hide malicious links, rather than a Mimecast vulnerability. Attackers abused trusted infrastructure, including the Mimecast URL rewriting service, to hide the true target of phishing URLs. This is a common tactic where criminals use any domain to avoid detection.”
IN cyber news