MailGuard Blog

MailGuard has intercepted an email attack that uses multiple trusted brand names to fool victims into providing their sensitive information for credential harvesting. DocuSign, with hundreds of millions of users worldwide, is a household name with businesses and organizations using the tool for electronic signatures and agreements. Purporting to be from a prominent healthcare provider a DocuSign link is sent to recipients, in an attempt to capture email and login addresses and to potentially download malware. Other trusted names such as Adobe, Microsoft and IBM have been spoofed using accurately depicted branding and logos to catch victims off guard.  

Commonwealth NetBanking Clients are the most recent targets of a phishing scam intercepted by MailGuard. Cybercriminals have targeted the NetBank customers of Australia’s largest financial services institution with almost 16 million prospective victims.  

Purporting to be from the Customer Advocacy department of CBA, the phishing attempt aims to secure important identity credentials including the victims full name, date of birth, zip code and contact phone number along with login information for criminal harvesting, which if successful, can lead to a severe negative financial impact for the unsuspecting victim.  

The scammers journey begins with a simple HTML email from customeradvocate@cba.com.au, falsely alerting the unassuming NetBank user of a security warning stemming from an unauthorised login attempt. Spiking the victim’s fear of being locked out of their banking account, the scammer advises the user that their NetBank is locked, luring them into clicking on the phishing link or “More Details” button in order to restore access. In this case, both the subject matter of the email and content has been purposefully crafted to create an urgency for the victim to enter their credentials.  

The user is then taken to the first phishing page below which is hosted by  LinkTree. Upon closer examination of the web link, a spelling error in “Australia” hints that it may be a scam. 

Imitation is certainly not an appreciated form of flattery for popular file sharing service WeTransfer when it comes to malicious activity. The cloud-based online platform is the latest name being used in a phishing scam aimed at securing credentials from its (some) 70 million users, in 190 countries worldwide. WeTransfer, known for its convenience in allowing users to transfer various files to other users on the internet, has been targeted to deliver malicious files to victims. MailGuard has intercepted this phishing attempt.  

As I write this, the threat of Ransomware is rapidly on the rise. So much so that the Australian Federal Police has formed a task force - Operation Orcus - following in the footsteps of the US Government, in an attempt to combat the specialised criminal infrastructure that is wreaking havoc across large scale organisations here and globally. High profile victims such as Nine Entertainment, JBS and Uniting Care, along with the recent Kaseya interception have been making headlines and may continue to do so without superior intelligence targeting organised crime groups.  

The latest phishing alert sees scammers impersonate the IT department of the targeted organisation in an attempt to steal email credentials and install a malicious file onto the victim’s computer.  Attackers have interestingly used a fake email address from American multi-national and shipping services company FedEx as the trusted name to lure victims into providing their details.  

A notable characteristic of this attack is the scammer's ability to use the name of your company or organisation in order to facilitate the phishing attempt. By purporting to be the victims internal IT services, the email advises the receiver that they have been ‘deactivated’ from a service (actual service not specified) by not having updated their email address. The rectification for this is via downloading the attachment that will apparently assist in updating this information. The wording and instruction in this email, if not looked at closely, attempts to mislead the victim into thinking that their online capability may be deactivated if the instructions are not followed. An easy trap for those who cannot afford to not have access to their company’s internal tech systems (which is usually the whole organisation).  

This recent email attack threatens to steal user login credentials masquerading as trusted Microsoft email web app, Outlook. With over 400 million Outlook users globally, there is a good chance that you and your organisation are at risk of data theft.  

A fraudulent quarantine alert is the bait used for a recent email phishing scam currently being intercepted by MailGuard. Cybercriminals have used Outlook branding to trick unsuspecting recipients into entering their credentials (email username and password) for use in future criminal activity.  

The email arrives as an alert informing the victim of several emails whose delivery has been prevented due to system errors. After which, a link is provided to coerce the victim into reviewing the falsely quarantined emails. Recipients may be tricked into believing that the email is from the ‘Notifications Team’ however it appears to have come from a compromised Office 365 Account.  

In what may appear to be simply a misdirected email, users who click on the ‘Order0076654.xlsx’ attachment are in for a nasty surprise. The attachment is a malicious payload that could result in devastating consequences for the user and their business.

In the latest email phishing campaign landing in inboxes, telecommunications carrier, Telstra, is being impersonated by cybercriminals in an attempt to trick users into handing over sensitive credentials.

Email users take care, MailGuard is intercepting a fraudulent file sharing email scam that uses a Microsoft OneDrive template and links to two different phishing pages, one of which employs Outlook OWA branding, and the other has branding for the recipient company. The campaign is designed to harvest sensitive user credentials that can be used in subsequent attacks and/or sold on the dark web.

MailGuard is currently intercepting a fraudulent USPS (US Postal Service) email scam with the subject line “Missing information and delivery fee, [your name] – Update your informations”.

MailGuard has intercepted a fraudulent email purporting to be from LinkedIn, a popular e-networking tool used by millions of professionals worldwide. This is a phishing email designed to harvest the confidential data of LinkedIn users for malicious intent, such as committing identity theft.

Launching phishing email scams via compromised accounts continues to be a popular technique among cybercriminals looking to deceive users. MailGuard has intercepted a new phishing email scam that originates from a compromised email account belonging to a user at Anglican Care, an aged care facility.

A personalised and targeted email, an opportune offer and the impersonation of multiple brands – some of the techniques employed by cybercriminals in a phishing email scam that resulted in a property buyer losing thousands of dollars as part of a ‘deposit’, supposedly for his new apartment.

MailGuard has intercepted another phishing email that impersonates popular shipping company DHL, masquerading as a delivery alert in order to trick users.

Australia Post continues to be popular among cybercriminals looking to trick users, especially as we approach the End of Financial Year (EOFY).